Do you ever feel that your non-IT co-workers are trying to thwart your security protocols – ignoring software update alerts, opening suspicious emails or not following password best practices? If it seems that way, it might be “security fatigue.”
A study from the National Institute of Standards and Technology (NIST) found that 63 percent of participants have experienced “security fatigue,” defined as “a weariness or reluctance to deal with computer security.” It’s not that hard to understand.
Technology users get tired and stressed out from the efforts of remembering multiple login credentials, PIN numbers and ever-changing security protocols. The result? Making poor decisions that could result in an intrusion, exposure of sensitive data, loss of reputation or even huge financial losses.
5 “Security Fatigue” Symptoms and Tips to Relieve Them
- Reusing passwords. According to a BBC report, people need to remember an average of 22 separate passwords and change them periodically. Yet, 81% of users reuse the same password for different accounts and 36% reuse the password in more than 25% of their online accounts.
Suggestion: Install a password manager that generates strong passwords, remembers them and stores them in a safe location. The user only needs to remember one set of master credentials, rather than dozens.
- Falling prey to phishing. According to Dark Reading, 91% of cyberattacks start with a phishing email. Employees may not know the damage they can cause just by opening an email, downloading an attachment or clicking on a link.
Suggestion: Proactive companies build a “cybersecurity culture,” in which every single technology user takes personal responsibility for his or her role in guarding against cyber intruders. The necessary ingredients are clear rules and expectations, regular training (and testing) and solid leadership from the C-suite.
- Not using secure connections. It happens all the time. More and more, people work from home or from a coffee shop, maybe using a personal laptop or another device. Unfortunately, they find logging into the VPN a nuisance and connect over unsecured Wi-Fi instead (often on an unsecured device).
Suggestion: The fix may be as simple as putting a reminder on the device’s startup screen or setting electronic reminders, or possibly simplifying the procedure for users.
- Not updating devices and software. Pop-ups about updating software are annoying, disturb workflow and can create anxiety. Time-crunched employees may also put off what they see as a “mundane” task (while you think of WannaCry).
Suggestion: Security and IT staff should take control of updating as many devices and applications as possible, including implementing patches, updating malware-definition databases and other risk-reducing tasks.
- Not reporting suspicious activities. What if an employee realizes that they have just been tricked by a phishing scam? They may fail to report the incident for fear they will be blamed or be disciplined.
Suggestion: Employees should be encouraged to flag behaviors immediately, without fear of a punitive response. The organization should view human-error incidents as learning opportunities to educate users and to point IT toward potential procedural improvements.
- Outsourcing cybersecurity functions. Given today’s increasingly complex and perilous threat landscape, limited resources and shortage of expertise, keeping up with cybersecurity needs can overwhelm the IT group.
Suggestion: Consider partnering with a managed services provider (MSP) that specializes in cybersecurity. A security-focused MSP can successfully reduce security fatigue so that both IT and business employees will make better decisions when cybercriminals come to call.
Want to learn more about building a cybersecurity framework that will keep your business safe?
Download our white paper: A Framework for Cybersecurity and Compliance: What You Can Learn from NIST SP-800-171.