When employees become insensitive to security advice, IT teams must be able to react and find solutions that keep protecting the company from cyberattacks. Benoit Grunemwald, cybersecurity expert at Eset France, outlines the telltale signs of cybersecurity fatigue and how to combat this phenomenon.
With increasing cyber risks, expanding attacks and growing cybercrime, security teams are naturally keen to limit the damage their colleagues might cause. Indeed, all it takes is one unintentional click to let potentially devastating malware in. When the burden on employees becomes too heavy, they may react in unexpected ways, which increases the company's cyber risk. This phenomenon of “security fatigue” can, in the worst cases, lead to reckless and impulsive behavior. To deal with it, security needs to become more transparent, by limiting the number of decisions users must make and by rebalancing protection and productivity for the new world of hybrid work.
The telltale signs
• Greater risk-taking with phishing emails: for example, opening attachments or clicking on links that look interesting.
• Poor password management, for example reusing weak credentials across multiple accounts (according to a recent study, 43% of employees admit to sharing their login details).
• Connecting to corporate networks without using a VPN, although this may not always be possible in some companies.
• Using unsecured public WiFi hotspots while on the go to log into sensitive corporate accounts.
• Failing to update their devices regularly (a study by the EY firm [formerly Ernst & Young] says Gen Z and millennial employees are much more likely than their older colleagues to ignore the need to install fixes).
• Not reporting incidents immediately to their managers or the IT department: the same EY study reveals that almost a fifth (16%) of employees would try to address a suspected breach on their own rather than warning someone else.
• Using professional devices for personal purposes, including risky activities such as downloading from the Internet, online gaming and shopping (another study claims that half of employees now consider their work device to be their personal property).
• Circumventing security by other means: another report finds that 31% of office workers aged 18 to 24 have tried to get around security policy.
How to combat security fatigue
The rapid and large-scale shift to remote working in 2020 triggered a knee-jerk reaction in many companies. IT teams sought to limit their exposure to risk by imposing new restrictive rules on their employees. Now is the time to review these restrictions in order to reduce the risk of security fatigue. How? By listening to end users to better understand how security affects workflows and disrupts productivity. By trying to design policies that better balance the needs of employees against the need to minimize cyber risk. By limiting the number of security decisions users must make: this may involve automatic patching, security software installation and remote administration of laptops and devices, plus the use of background detection and response services to contain threats once they breach network defenses. It is also possible to strengthen the security of authentication mechanisms while reducing the effort required of users, through password managers, biometric second-factor authentication and single sign-on (SSO).
Create a corporate security culture
In all cases, avoid bombarding users with too many security-related messages. Finally, security awareness training can be made more engaging, using short (ten to fifteen minute) sessions with realistic simulations to change behavior. For security to be effective, it is necessary to create a culture in which each employee understands the crucial role they play in protecting the company and actively wants to play that role. This kind of culture can take time to build, but it invariably begins with understanding the causes of security fatigue and remediating them.