Cybersecurity teams have a tendency to bombard their users with security notifications to the point where everyone starts to ignore them. Add to this the continuous news of major data breaches at large corporations, and what the world ends up with is cybersecurity fatigue. Criminal hackers know this and leverage our complacency against us. As an example, one of the most common types of attacks that prey on fatigue abuses multi-factor authentication (MFA) push notifications. Many users receive a steady stream of push prompts to keep logins alive, and they start blindly accepting every push authentication request, assuming they are all legitimate.
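As an added example (not from the article or its author), here is a small defender-side check a security team could run over authentication logs to spot the push-fatigue pattern just described: repeated push prompts to one user within a short window that end in an approval. The log format, user names and thresholds are constructed for illustration.

```python
"""Flag MFA push-fatigue patterns in authentication logs (added example).

A burst of push prompts for one user inside a short window, ending in an
approval, is the signature of the "blindly accept" behaviour the article
describes. The log format below is constructed, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <user> <event>", where event is one of
# push_sent / push_denied / push_timeout / push_approved.
SAMPLE_LOG = """\
2024-03-01T08:00:05 alice push_sent
2024-03-01T08:00:35 alice push_timeout
2024-03-01T08:00:40 alice push_sent
2024-03-01T08:01:10 alice push_denied
2024-03-01T08:01:15 alice push_sent
2024-03-01T08:01:45 alice push_denied
2024-03-01T08:01:50 alice push_sent
2024-03-01T08:02:05 alice push_approved
2024-03-01T09:00:00 bob push_sent
2024-03-01T09:00:07 bob push_approved
"""


def parse(log: str):
    """Yield (timestamp, user, event) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, user, event = line.split()
        yield datetime.fromisoformat(ts), user, event


def find_push_fatigue(log: str, window=timedelta(minutes=5), min_prompts=3):
    """Return {user: prompts_before_approval} for every user who approved a
    push after at least `min_prompts` prompts were sent within `window`.
    A normal login (one prompt, one approval) is never flagged."""
    recent = defaultdict(list)  # user -> timestamps of push_sent still in window
    flagged = {}
    for ts, user, event in parse(log):
        # Slide the window: keep only prompts sent within `window` of this event.
        recent[user] = sent = [t for t in recent[user] if ts - t <= window]
        if event == "push_sent":
            sent.append(ts)
        elif event == "push_approved" and len(sent) >= min_prompts:
            flagged[user] = len(sent)  # approval after a prompt flood
            sent.clear()
    return flagged


if __name__ == "__main__":
    print(find_push_fatigue(SAMPLE_LOG))  # alice approved after 4 prompts
```

Tuning `window` and `min_prompts` to your identity provider's real prompt cadence keeps normal retries out of the alert while still catching a prompt flood that ends in an approval.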
On top of this, a common mindset cybersecurity professionals see from users is the “well, my data is already out on the darknet, and that major hotel/retail store/etc. I do business with just got hit, and if they can’t defend themselves, what chance do I (or my business) have?” It’s a completely understandable position to take given the current state of the world. But if we think the issues through, we start to realize why this mindset is problematic. For one thing, personal data ages over time. We move and change addresses, for example. We also change phone numbers, email addresses, jobs, titles, positions, credit card numbers and more. The data that makes a person who they are online may not be the same data that was stolen years or even days ago.
For businesses, fatigue translates into lost revenue through reputation damage. How many customers will still want to do business with a company whose breach exposed their data? Will prospective customers, once they hear about it, want to do business with that company at all? What about proprietary information regarding how the business conducts its operations? If a competitor learned a business’s “secret sauce,” is that advantage still there?
In order to spot fatigue in your users and business, consider some of these visible signs:
- Ignoring updates to software and hardware. We primarily update everything in order to fix known vulnerabilities that can be exploited.
- Poor login practices. Employees who use weak passwords or the same password for everything and don’t enable MFA for logins are also red flags.
- Using insecure remote access methods. Connecting to the corporate infrastructure without using at least a virtual private network or VPN connection is a serious risk.
- Failure to adhere to cybersecurity training. Untrained users open phishing emails and click on links. They also don’t realize pirated software is often infected.
The good news is that cybersecurity fatigue can actually be addressed and even reversed. Savvy cybersecurity teams will take the following steps to ensure their users are more engaged in the cybersecurity process:
- Run drills and tests that involve everyone. This helps to assess weaknesses in the defensive posture, and it can be rather interesting for everyone involved if performed in an energetic way.
- Gamify the training without making it a competition. There are a lot of training platforms that have humorous videos and even mini video games designed to challenge users to stay fresh on cybersecurity hygiene.
- Remove needless security choices from your users. They don’t need access to the control panel, for example. Updating systems can be automated without any need for their intervention. Finally, password managers that are both secure and helpful in generating good, unique passwords are also a must.
- Make cyber-hygiene a top-down involvement in the organization. If the CEO isn’t enthusiastic and the biggest cheerleader for cybersecurity, then no one will take it seriously.
It takes effort, but with a streamlined approach and some perseverance, we can turn the tide of fatigue into something that interests everyone. Don’t let your company become the next victim of this correctable situation.
Nick Espinosa is a cybersecurity expert, working with companies to design custom cyberdefense strategies. Learn more at www.securityfanatics.com.