
13 November, 2023

Combating security fatigue

From the Zoom meetings that kick off our day to our daily tasks and workflows, the internet has become our second home. It’s almost impossible to remember a time when we weren’t continually plugged in, every hour of the workday, immersed in the digital universe.

This connectivity has given us endless benefits, supercharging our work lives to be more efficient and making collaboration seamless. Yet, it’s easy to get overwhelmed and complacent when it comes to our online security. This phenomenon, known as security fatigue, is increasingly common in both our work lives and personal ones.

Security fatigue is not just about the exhaustion of remembering passwords or the irritation of constant security alerts (we’ve all clicked ‘remind me later’ on our computer updates); it’s an overwhelming weariness that comes from the continuous demand to stay vigilant against ever-evolving security threats. But what causes security fatigue? And, given its high priority for both your work and personal lives, what can we do to keep it from wreaking havoc on our cybersecurity posture?


What contributes to security fatigue?


1. Password overload:

The average person juggles dozens of online accounts (some of us: hundreds), each demanding a unique and complex password. The sheer volume of passwords to remember is a significant contributor to security fatigue. As users, we often resort to unsafe password practices, such as using the same password across multiple accounts or opting for easily memorable but weak passwords. 

2. Constant alerts and updates:

Security alerts and updates flood our devices daily. While these are necessary to protect against emerging threats, the relentless stream of notifications can overwhelm users. Often the alert to update your device comes at an inconvenient time, whether in the middle of an important task or when we’re out doing other things. Ignoring alerts becomes a tempting option, and while initially it’s not the end of the world, continuing to ignore these alerts can lead to genuine security concerns.


3. Technological jargon:

The language of cybersecurity can often be complex and filled with jargon that is unclear to the average user. Perhaps you’ve had a conversation with an IT tech where some of the language went over your head. This alienation can create a gap between users and the security measures designed to protect them and, at its worst, can bring about a sense of helplessness for the average worker.


4. Repetitive training:

Most employees in corporate settings are subjected to regular security training sessions. While education is vital, repetitive and monotonous training can contribute to security fatigue, with employees tuning out important information. Whether the training is repeating the same phishing awareness course year after year or your IT department is sending out the same cybersecurity reminders, eventually, people begin to stop paying full attention.


Strategies for combating security fatigue


Knowing that security fatigue is common and sometimes even inevitable, what can you do as an organization to prevent security fatigue from spreading throughout your whole company or leading to a massive security breach somewhere down the line?


1. Password management and streamlined authentication:

It’s a good idea to have a separate password for every account we have, and that doesn’t just mean throwing an extra number on the end of the same password you’ve had since sixth grade (we’ve all done this at least once in our lives). But as we mentioned earlier, employees often have dozens of different accounts they’re using on a daily basis, and memorizing dozens of unique passwords, each with upper and lowercase letters, numbers, and symbols, is just unrealistic. This is where password managers become essential to your daily workflows. Not only can a password manager create and store all of your passwords for you, it can be set to remind you to update your passwords, creating unique and complex passwords for you each time. 

Good security means layered defenses. Even if you have unique passwords for each account, managed by a good password manager, you’re not immune to a security breach. This is where MFA comes in. Multi-factor authentication adds an extra step to your login process, requiring you to grab a code from a text message, an app on your phone, or some form of biometric input (a fingerprint, FaceID). While MFA can prevent 99% of brute force attacks on your account, the extra step for logging in can cause security fatigue on its own. Thankfully, most password managers have MFA tools built in, reducing the strain of logging in to your most used accounts. 


2. Include everyone in cybersecurity:

At its core, cybersecurity is a human issue. And your organization’s security is only as strong as its weakest link. You can have 99% of a company buying into security protocols, but all it takes is one careless employee to cause a massive data breach. But by including everyone in cybersecurity, from HR to marketing, you can instill a sense of responsibility and accountability throughout the company. This doesn’t necessarily mean including other departments in decision-making or the specific details of everything going on in IT. But keeping everyone aware of the current trends in phishing, sharing details of high-profile breaches in the news, and sharing tips on keeping secure can go a long way to keeping everyone safe.


3. Review wins and misses:

While you’re including everyone in cybersecurity, take it to the next level and make reviewing wins and misses a regular thing. Maybe an employee of yours recognized a particularly sneaky phishing attempt and let everyone know to be on the lookout for similar attempts. Or maybe someone was fooled and clicked on a link they shouldn’t have. Reviewing these wins and misses in an open space keeps everyone on the same page. One thing we’ve found to be helpful is to have a dedicated Slack channel where our team members can share phishing attempts they’ve come across. 

It’s also important not to berate, but to educate. If someone fell for a phishing scam, or didn’t use MFA, which led to a stolen account, treat this as an opportunity to teach rather than removing their responsibilities. Cybersecurity can be daunting, but the more you can educate yourself and your team, the better prepared you will be.


4. Review access:

The more access people have, the more your systems could be at risk. We’re firm believers in the idea that not everyone needs to be an admin. The more unnecessary permissions people are given, the higher the chance they have of inadvertently causing a breach. When setting up new accounts or reviewing existing ones, it’s important to ask yourself, “What do they need this for?” Maybe marketing only needs insight into your ticketing software for customer feedback and not the ability to edit tickets. Or accounting might only need view-only permissions to see the cost of your SaaS plans rather than the ability to change settings. Giving everyone the appropriate level of access sounds simple, but you’d be surprised how many organizations we run into where everyone is given full access to everything.
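One way to make the “What do they need this for?” question routine is to write down what each job function actually needs and compare every account against that list. The script below is an added example, not part of the original post or any product it mentions: the role policy, the permission names and the account list are all constructed sample data, and the two cases from the text (marketing with edit rights on tickets, accounting with more than view-only billing access) are included so the output shows what a review would flag.

```python
"""Least-privilege access review: compare what each account has been granted
against what its role needs, and report the excess.

Added example with constructed data; the policy table, permission names and
accounts below are hypothetical and do not describe any real system."""
from dataclasses import dataclass

# Hypothetical needs-based policy: the permissions each job function actually
# requires. Anything granted beyond this is surfaced for review.
ROLE_NEEDS = {
    "marketing": {"tickets:read"},
    "accounting": {"billing:read"},
    "support": {"tickets:read", "tickets:write"},
    "it": {"tickets:read", "tickets:write", "billing:read", "billing:write", "admin"},
}

# Grants where a single careless click affects everyone, so they sort first.
HIGH_RISK = {"admin", "billing:write"}


@dataclass
class Account:
    user: str
    role: str
    granted: set


@dataclass
class Finding:
    user: str
    role: str
    excess: set            # permissions the role's policy does not cover
    high_risk_excess: set  # the subset of excess that is in HIGH_RISK
    unknown_role: bool = False  # role has no policy entry: everything is excess


def review_access(accounts, policy=ROLE_NEEDS, high_risk=HIGH_RISK):
    """Return one Finding per account whose grants exceed its role's needs,
    or whose role is not in the policy at all (e.g. a contractor account
    nobody wrote a policy for)."""
    findings = []
    for acct in accounts:
        granted = set(acct.granted)
        needs = policy.get(acct.role)
        if needs is None:
            findings.append(Finding(acct.user, acct.role, granted,
                                    granted & high_risk, unknown_role=True))
            continue
        excess = granted - needs
        if excess:
            findings.append(Finding(acct.user, acct.role, excess, excess & high_risk))
    return findings


def summarize(findings):
    """Order findings so the riskiest excess comes first and return one
    printable line per finding."""
    ordered = sorted(findings, key=lambda f: (-len(f.high_risk_excess), f.user))
    lines = []
    for f in ordered:
        if f.unknown_role:
            tag = "UNKNOWN ROLE"
        elif f.high_risk_excess:
            tag = "HIGH RISK"
        else:
            tag = "review"
        lines.append(f"[{tag}] {f.user} ({f.role}): excess={sorted(f.excess)}")
    return lines


# Constructed sample accounts mirroring the article's marketing and accounting cases.
SAMPLE_ACCOUNTS = [
    Account("maria", "marketing", {"tickets:read", "tickets:write"}),
    Account("arjun", "accounting", {"billing:read", "billing:write", "admin"}),
    Account("sam", "support", {"tickets:read", "tickets:write"}),
    Account("lee", "contractor", {"admin"}),
]

if __name__ == "__main__":
    for line in summarize(review_access(SAMPLE_ACCOUNTS)):
        print(line)
```

Run as a script it prints three lines: arjun first (admin and billing:write beyond an accounting role), then lee (a role with no policy entry at all), then maria (edit rights on tickets where the policy only grants read). Accounts that match their policy, like sam, produce no finding, which keeps the review short enough that people actually read it.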


5. Healthy skepticism:

With cybersecurity, an attitude of healthy skepticism can go a long way. Get an email you’re not expecting? Call the person. Get a request that seems out of the ordinary? Take the extra time to check with a coworker that it’s legitimate. Many employees fall for phishing scams not just because they’re being careless, but because they want to be helpful. And this is exactly what hackers rely on. Their attempts instill a sense of urgency in you so you quickly click on a link or share a password without thinking. But by encouraging healthy skepticism throughout your business, and reminding employees that it’s OK to wait for approval or confirmation on suspicious requests, you can prevent a lot of damage from being done.


The road ahead

With security fatigue, there’s no easy fix. But by taking a holistic approach that includes collaboration between technology providers, organizations, and individual users, you can eliminate much of the risk.

Finally, it’s important to remember that, at its core, cybersecurity is a human issue. A well-informed, engaged, and empowered user is your strongest defense against the ever-evolving threat landscape. Knowing this, you can navigate security fatigue and turn your organization’s cybersecurity profile from a weakness to a strength. 
