Have you heard about the latest cybersecurity threat? If your heart sank a little when you read that sentence, then you’ve probably already been infected by it: it’s called security fatigue.
Long gone are the days when cybersecurity was a term understand only by IT security professionals, discussed only in niche publications. Now, it regularly appears in mainstream news articles, warning consumers about the dangers in their phone operating system, the data breaches affecting their social media accounts and the enormous sums of money stolen by audacious cybercriminals.
This is, in many ways, a positive shift. It means that CEOs and other business decision-makers are far more likely to understand the importance of robust information security, and to invest the necessary time and money in achieving it. It means that end users are more likely to follow good information security practices themselves. But it also means that every day it is possible to be bombarded with warnings about the latest threats and good security practices – so much so that they risk blurring into one, and in turn, being ignored.
That’s the stark warning of a new study by the US National Institute of Standards and Technology (NIST). Relentless warnings about cyber threats and instructions about how to behave safely online are, the researchers argue, generating ‘security fatigue’ and causing ‘computer users to feel helpless and act recklessly’. Whether it’s exhaustion at having to remember multiple passwords and PIN numbers, feeling overwhelmed by seemingly endless software updates and patches, or annoyance at the number of verification stages they have to go through to access, say, their online banking, users’ frustration is leading to insecure, risky behaviour that might in turn make them more susceptible to cyberattacks.
This is not just a consumer issue. The Institute for Critical Infrastructure Technology has reported similar findings among heads of information security – the very people who are supposed to live and breathe cybersecurity. Here, a similar combination of proliferating cyber threats, rising numbers of security solutions and communication roadblocks are said to be to blame. The Institute has recorded an average turnover rate of just 17 months among chief information security officers, in spite of it being a well-paid and growing profession, because of this frustration and exhaustion.
But businesses cannot afford to suffer from security fatigue – they must address it, for the sake of both their security posture, and their security personnel. How, then, can you fight security fatigue in your organization?
The key is to make security simpler, taking away the multiplicity and complexity that leads to exhaustion. From an end user perspective, this might involve tools like two-factor or multi-factor authentication rather than demanding that they change their password every few weeks. From a head of security’s point of view, this might involve consolidating some of your IT security tools and systems, so that you retain granular control over security, from a single centralized point.
Automation is key – a great many cybersecurity functions can now be performed intelligently and automatically, taking pain away from both end users and managers. With continuous, automatic monitoring, security teams have the peace of mind of knowing that any anomalies will be immediately highlighted, but that when things are running normally, they don’t have additional workload.
It might seem counterintuitive, but as the cyber threat landscape gets ever more complex, it is vital that cybersecurity becomes more streamlined and simpler to manage. Fatigue can only be countered by giving end users and IT teams some respite from the constant security noise – and it’s our responsibility as vendors and cybersecurity professionals to help deliver that.