4 Ways Your Users Can Overcome Cyber Security Fatigue
17 August 2017 14:40
Enforcing cyber security education and awareness doesn't always mean that your defence is stronger - in fact, it can potentially mean the opposite. Cyber security fatigue can render user awareness useless. That's why now is the time to educate smart, not just often.
Nowadays, you don't have to work within IT security, HR or the C-suite to feel the burden of data breaches. Of course, the boardroom and higher management are being bombarded with all types of security warnings and budgetary requests. But what about lower-level employees?
Most end users are now expected to act as an effective line of defence against cyber criminals. Compliance, policies and security information are often thrown in their direction, in the hope that most of it sticks.
But how these steps are taken is just as important for a business as taking these steps at all.
The simple fact is that the average user is feeling the burden of IT security. Combining a constant flow of security messages with a high level of tech jargon means users are becoming desensitised to cyber security.
Clearly, the old "watch out for this and that" isn't cutting it anymore - security awareness needs to be smarter. So, let's dig into some of these fatigue-related issues and look at how your users can overcome them...
1. Make authentication life a little easier (and more secure)
On average, we have 22 separate passwords across our personal and professional lives (although we've probably forgotten half of these). That might sound like a lot of passwords, but 91% of us still use the same password across multiple sites.
Cyber security fatigue has ultimately encouraged many users to choose the shortcut. Rather than remembering a bunch of character-sensitive passwords, employees are choosing the easy option of reusing the same credentials - weakening the security process.
So instead of relying on our rusty memory or, even worse, post-it notes (*shudders*), arguably the best solution is to encourage the use of a password manager. Modern password managers allow you to synchronise all of your accounts between laptops and mobile devices. A password manager is also one of the easiest ways to create unique, difficult-to-guess passwords, and it helps avoid those headache-prone reset procedures.
(Take a look at the best password managers of 2017)
2. Less time updating, more time automating
We all get a host of notifications from all types of apps. There's always the need to approve an update, enter a new password, run a virus scan, ensure that your files are backed up. The list can go on and on.
The best way to avoid these constant requests is to encourage users to automate as much as they can. For instance, antivirus applications have an option to automatically download new updates to their virus definitions (it's worth noting that some antivirus apps have this enabled by default, so you might not have to worry about it!).
Scheduling different levels of scans to happen at regular times is also useful, as you don't have to worry about trying to remember the last time you scanned your computer. You can even set this in the middle of the day (if your antivirus isn't a huge resource hog).
Implementing these will ensure that fewer notifications are sent to you or your employees, meaning that productivity isn't hindered by these draining pop-ups.
3. Build a security-minded culture
Big breaches make the headlines, so when the average employee comes across regular news of large organisations suffering a data breach, they often struggle to believe that they themselves can help defend against such an attack. Place this alongside NIST's findings that employees often question why somebody in a perceived non-sensitive position would even be targeted, and there is a big concern.
As a result, not only are users receiving a high number of security notifications, they also fail to see their relevance to these messages. Many end users aren't aware that most attacks are automated and that, ultimately, we're all targets, regardless of our position or sector.
Encouraging a proactive and security-minded culture is important in helping to fight this stigma, and in demonstrating that cybersecurity isn't "just a tech problem": it's the responsibility of all users. Educating the workforce to take ownership of protecting their data, as well as the importance of knowing the threats that face all of us, can replace the mindset of online security being just another email.
That being said, simply throwing the book at employees isn't enough - evaluating and gathering metrics on a user awareness programme is a vital step (the NCSC's "10 Steps" is always a good place to start).
4. Avoid information overload
Perhaps the easiest way to cause security fatigue amongst your users (and maybe even yourself) is to fall into the trap of raising awareness on too many cyber security topics - and much too quickly. A lack of strategy or plan can mean that users are sent random security messages relating to different cyber issues, all over a short period of time.
So instead of diving head first into an ocean of information (such as "99 ways to keep your data secure"), a good way to educate and raise awareness is to focus on perhaps one or two topics per month. Having this clearly defined structure can help users retain information, as well as providing a clearer view of which security topics have and haven't been covered.