3 steps to Beating Cybersecurity Fatigue

The US National Institute of Standards and Technology (the organisation responsible for the NIST Cyber Security Framework, which is the standard in the USA and is being adopted by a number of regulatory bodies around the world) recently performed an online survey asking a broad range of people (based in the US) about their security habits and concerns. The survey asked people about their personal security habits as well as their work security habits. One finding that the researchers were neither expecting nor looking for was that people are suffering from cybersecurity fatigue.

What is Cybersecurity Fatigue?

The survey results suggested that people are tired of trying to keep themselves safe online. They feel that their efforts are likely in vain and that only luck will save them and their employer from being hacked, and that it is inevitable that it will happen eventually.

What is Leading to this Sense of Fatigue?

Some of the contributing factors are the different security policies used by different online systems (for example, passwords must be of a certain length and must contain varying combinations of upper and lowercase letters, numbers and punctuation). These mean that people have to remember far more passwords, and I suspect that most people are no longer able to use the same password for all sites as they may have done in the past. These rules can of course apply to business systems as well as to those used outside of the office.

The number of passwords people have to remember was cited as a direct pressure point. The report says that on average people have to remember 25-30 passwords, and reminds us of the time when people only had the one password that they needed to maintain for work. According to the UK National Cyber Security Centre, UK citizens have an average of 22 separate passwords that they have to remember.

Researchers found that this weariness leads to feelings of resignation and loss of control. These feelings can lead to avoiding decisions relating to security, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules.

What Should your CISO and CIO be Doing?

Importantly, the survey asked people not just about their online security habits in their personal life, but also in their work life. The obvious implication is that if people are looking to take the easiest option and to work around the inconvenient rules that have been put in place to protect them, then companies continue to be at risk from the actions of their employees. This demonstrates that:

People are the Perimeter

So what actions can your CISO and CIO take to overcome some of the Cybersecurity Fatigue?

  1. Help people understand the security rules and how they protect them and their organisation. Do this by demonstrating the effectiveness of the protections that are in place, and by regularly talking about the attacks that have been repelled by those security measures.
  2. Make security invisible and just part of the regular processes, not another thing that has to be considered.
  3. Help people understand the measures and technology that they can use outside of work, in their personal life, to make good security invisible, such as using password manager software to increase security through different and strong passwords, whilst reducing the pressure on people to remember those passwords.

Overall, the goal must be to show that the actions being taken and the fact that the organisation hasn’t been one of those that have suffered a major breach are linked, and that it isn’t just down to blind luck.

Read more about the NIST survey here.

Darren Wray