Connect with us

Expert Speak

Security Fatigue is Real: Here’s How to Overcome it



Written by Phil Muncaster, the guest writer at ESET

IT security is often regarded as the “Department of No” and sometimes it’s easy to see why. In a world of escalating cyber risk, expanding attack surfaces, and a fast-growing cybercrime economy, security teams are understandably keen to limit the damage their employees could cause. After all, it takes just one misplaced click to unleash a potentially devastating ransomware compromise. But when the burden on employees becomes too high, they may react in unexpected ways, which actually increases cyber risk in the organization.

This is known as “security fatigue” and it in a worst-case scenario it can lead to reckless and impulsive behavior – quite the opposite of what IT teams want. To tackle it, security needs to work more seamlessly, limiting the number of decisions users need to make and rebalancing protection and productivity for a world of hybrid working.

What is security fatigue and how bad is it?
Humans are often thought of as the weakest link in the corporate security chain. That’s why IT security departments are so keen to mitigate the risk from (not just) negligent insiders. On the one hand, they’re right. An estimated 67% of companies experienced between 21 and over 40 insider incidents in 2021, up from 60% in 2020 and costing them an average of over US$15m to remediate.

However, when staff feel bombarded by security warnings, policy rules and procedures at work, and media stories of breaches and threats in their spare time, a state of exhaustion may set in. This security fatigue is characterized by a feeling of helplessness and loss of control. Individuals may find it all so overwhelming that they retreat from corporate policy and go their own way. There may also be a sense of resignation: that breaches are going to happen whatever they do, so they might as well ignore all those stressful security alerts.

It’s more common than you might think. A 2018 study revealed that over half (55%) of EMEA employees are not regularly thinking about cybersecurity, and nearly a fifth (17%) aren’t concerned about it at all. Evidence suggests that younger staff are even more prone to become fatigued by excessive security demands.

What are the top symptoms of security fatigue?
Unfortunately, this could have a seriously destabilizing impact on corporate security. Among the tell-tale signs of security, fatigue is employees who:

  1. Take more risks with phishing emails, perhaps deciding to click through on links or open attachments out of interest.
  2. Practice poor password management, such as reusing weak credentials across multiple accounts. According to one recent study, 43% of employees admit to sharing logins and even avoiding their work altogether to reduce the stress of logging in.
  3. Log-in to corporate networks without a VPN, although this may be restricted in some organizations.
  4. Use unsecured public Wi-Fi hotspots when out and about to log in to sensitive corporate accounts.
  5. Fail to update their devices and machines regularly. A new EY study claims Gen Z and Gen Y employees are far more likely than older colleagues to disregard mandatory patches for as long as possible.
  6. Fail to report incidents immediately to superiors or the IT department. The same EY study reveals that nearly a fifth (16%) of employees would try to handle a suspected breach by themselves, rather than notify someone else.
  7. Use work devices for personal use, including risky activities such as internet downloads, gaming and online shopping. One study claims that half of the employees now see their work devices as their personal property.
  8. Circumvent security in other ways: Another report reveals that 31% of office workers aged 18-24 have tried to bypass policy.

How to tackle security fatigue
The rapid shift to mass home working in 2020 triggered a knee-jerk response in many organizations as IT teams sought to limit their risk exposure by placing onerous new rules on their employees. Now the hybrid workplace is beginning to emerge from the ashes of the pandemic, there’s an opportunity to revisit these restrictions, with an eye on reducing the risk of security fatigue.

Consider the following:

  1. Listen to your end-users to better understand how security impacts workflows and disrupts productivity. Try to design policies that better balance the needs of employees with the need to minimize cyber risk.
  2. Limit the number of security decisions users need to make. That could mean automatic software patching, remote security software installation, and management of laptops and devices. And running detection and response services in the background to catch and contain threats when they breach network defenses.
  3. Support enhanced log-in security while minimizing effort, with password managers, biometric-based two-factor authentication, and single sign-on (SSO).
  4. Limit the number of security-related messages you bombard users with. Less is more.
  5. Make security awareness training more fun, via shorter sessions (10-15 minutes) that use real-world simulations and gamification, to change behavior.

For security to work effectively, you need to create a culture where every employee understands the crucial role they play in keeping the organization safe and proactively wants to play their part. That kind of culture can take time to build. But it starts with understanding and tackling the causes of security fatigue.

Expert Speak

Hidden Champions: Behind These Popular Applications Are Hard Drives



Written by Rainer W. Kaese, Senior Manager of Business Development Storage Products at Toshiba Electronics Europe

Continue Reading

Expert Speak

How to Secure MSP Success Brick by Brick



Written by Roman Cuprik, content writer at ESET (more…)

Continue Reading

Cyber Security

Is Consent the Gateway to Ethical Data Usage Practices?



Every tech company under the sun is grappling with data privacy and protection policies and laws. However, consent is crucial when it comes to data collection and processing. Having the user’s consent to use their data is imperative. While securing the data after collection is also important, using customer data without their consent causes more serious issues. Without obtaining consent from the user, any data that you use for your business falls under the unlawful use of data regulations.

Users of the well-known platform Glassdoor, which allows individuals to anonymously review their employers, allege that the site collected and linked their names to their profiles without their permission. Glassdoor users have expressed alarm, and the issue has been widely featured on social media and news-sharing sites. They fear that their anonymity could be compromised if data about them is collected and added to their profiles.

The issue here boils down to a single word: consent.

The gray area of obtaining consent
Organizations can knowingly or unknowingly exploit users’ personal data without proper knowledge of data privacy. It is not enough just to get consent from users; explicit consent is required. This includes ensuring the user selects checkboxes during the signup process, enters their email address, authorizes receiving marketing emails and newsletters, and grants the app permission to track user data in specific situations.

But when it comes to verbal consent, there is ambiguity. The GDPR accepts verbal consent but requires written or recorded proof of the consent given. The GDPR states that, “when requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means.” Therefore, it is better to record or have written proof of verbal consent; one must not assume or misunderstand that verbal consent only includes oral consent.

Often, there is less visibility of data usage for customers. More often than not, customers do not know what they are giving consent for or how their data will be used. Let’s take the case of location data sharing.

Location data can show if someone visited an abortion clinic or a cancer treatment center. People usually want to keep this type of information private and not share it with companies or third parties. When consent is given without knowing what it is for, the act of giving or obtaining consent becomes meaningless.

Why consent is important in ethical data practices
Although you are legally required to obtain the user’s consent to process their data, there is also such a thing as the ethical use of data. When you take measures to protect your customers’ data beyond what the law requires, it promotes trust among your customers.

People value privacy and appreciate brands that prioritize data privacy. Let’s say a consumer is given the option to choose between two brands: one with no privacy features and another that advocates for privacy with built-in privacy features. Which do you think the customer will choose? Obviously, the latter.

Understanding a company’s data privacy policy is crucial to 85% of consumers—even before they make a purchase, a global study determined. Equally as important, 40% of individuals have changed brands after discovering that a company failed to protect customer data adequately, according to the McKinsey Global Survey on Digital Trust.

This is why tech companies go out of their way to demonstrate the privacy features they offer and how user consent is prioritized in these features.

In a way, customers prioritizing consent compels companies to integrate ethical data privacy policies into their systems. But it’s time companies realize that consent is the backbone of data privacy regulations and take customer consent seriously, not just to avoid hefty fines, but to also value the customer’s choice and their right to privacy.

A final word
Organizations worldwide are facing issues with data privacy. What is important when trying to protect your customers’ data is to realize the role customer consent plays. This helps organizations develop features and draft policies with the customer’s consent in mind and to effectively communicate to the customers why they are seeking consent. Without this step, data privacy becomes compromised. So, both organizations and customers need to grasp why consent matters and advocate for the ethical processing of data.

ManageEngine is a division of Zoho Corporation that provides comprehensive on-premises and cloud-native IT and security operations management solutions for global organizations and managed service providers. ManageEngine strongly believes in privacy by design and continuously advocates for user privacy. Established and emerging enterprises—including nine of every 10 Fortune 100 organizations—rely on ManageEngine’s real-time IT management tools to ensure the optimal performance of their IT infrastructure. Learn more about ManageEngine’s comprehensive suite of IT management solutions here.

Continue Reading

Follow Us


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.