Security Fatigue on End Users

As information security threats are multiplying, security measures are multiplying too.

Employees are regularly informed of more threats to watch out for and more security policies to follow, creating additional workflows and distractions for their already busy days. This is very likely to have an impact on their daily tasks. For instance, even a simple task like reading a new email can take twice as long, because the recipient will probably double-check whether the attachment is safe before opening it.

Consequently, employees can experience reluctance to deal with computer security. Being overwhelmed by security policies can lead to lower levels of security and higher risks for the organizations.

Why is it happening?

People generally agree that security is crucial, but some of them fail to comply for several reasons.

While security is a top priority for security professionals, many employees are focused on productivity and getting their job done. If the security measure is making it harder to complete a task, some employees can perceive the measure negatively, and while balancing between security and productivity, the wrong decision can be made.

However, it can also be unintentional. For example, some people may not be aware of certain security policies, a consequence of having too many policies to keep track of.

Also, the level of self-control decreases when more decisions need to be made in a short interval. If the users are required to make numerous security decisions during their workday, they are more likely to make poor decisions.

The Impact

Security fatigue has a direct impact on the organization’s security and in some cases, it may affect productivity.

When employees stop following the measures, risk mitigation becomes less effective, and the organization might be vulnerable to cyberattacks and data breaches. In some unfortunate cases, this may result in:

  • Credentials being stolen because phishing training was skipped.
  • Data being shared with unauthorized individuals because a colleague requested it.
  • Malware installation because a warning was dismissed.
  • Login information being breached after a brute force attack because an easy password was chosen.

The Solutions

Security policies are necessary to secure the organization and to be compliant with security standards and legislation.

  • Once it has been decided that a security policy is required, make sure it is easy for your employees to follow. It should be crystal clear what is expected of them.
  • The communication around policies should include less jargon and more clarity.
  • Make sure security policies are based on risk assessment. Acknowledge which risks are acceptable to your organization and which are not.
  • When employees must make an assessment themselves, offer support in making these decisions; for instance, provide a guideline for determining whether, and why, an email shows clear indicators of phishing or other malicious content.
  • Security policies should have a clear purpose. Explaining the risk that is mitigated and the possible impact on the organization or individual is crucial.
  • Security teams usually share information around security policies annually via specific awareness sessions. The problem with this approach is that people tend to forget what has been communicated. Therefore, it would be wise to repeat the message frequently.
  • What is even more effective is sharing the policy or guideline in a timely manner, preferably at the moment the employees need to be aware of it. For example, an instant warning informing users that they may be visiting a malicious website or that sensitive information was found in an email attachment. This lowers both the risk and the burden of having to remember complex rules and regulations, improving the security of your organization.
  • Partner with a trusted IT support provider to ensure that your business stays secure, and your systems are up to date.
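The just-in-time warning described in the bullets above can be illustrated with a small script. This is an added example and not code from the original article: it scans the text of an outgoing attachment for a classification marker or a Luhn-valid payment card number, raises a warning only when at least one recipient is outside the organization's domain (so the interruption is relevant rather than routine), and words the warning as the risk plus the action expected of the employee, in line with the advice to explain the purpose of a policy. The detection patterns, the sample attachment, the domain `example.com` and the addresses are constructed for this illustration.

```python
"""Just-in-time attachment warning: flag sensitive data and explain why.

Added example; detectors, sample text and domain are constructed, not taken
from the original article.
"""
import re
from dataclasses import dataclass

# Constructed patterns: a classification marker and digit runs (13-19 digits,
# optional spaces or dashes) that may be payment card numbers.
CLASSIFICATION_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY)\b", re.IGNORECASE)
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    kind: str      # what was detected
    evidence: str  # masked excerpt shown to the user
    risk: str      # why it matters, in plain language
    action: str    # what is expected of the employee


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show only the last four digits in the warning text."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_attachment(text: str) -> list[Finding]:
    """Collect findings with a plain-language risk and expected action."""
    findings: list[Finding] = []
    for m in CLASSIFICATION_RE.finditer(text):
        findings.append(Finding(
            kind="classification marker",
            evidence=m.group(0),
            risk="The document is marked as restricted; sending it outside the organization may breach the data handling policy.",
            action="Confirm the recipient is entitled to this document, or remove it.",
        ))
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        # The checksum filters out reference numbers that merely look like cards.
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(
                kind="payment card number",
                evidence=mask(digits),
                risk="Card numbers sent by email can be intercepted and misused, and any exposure must be reported.",
                action="Remove the card number or use the approved secure transfer channel.",
            ))
    return findings


def external_recipients(recipients: list[str], internal_domain: str) -> list[str]:
    suffix = "@" + internal_domain.lower()
    return [r for r in recipients if not r.lower().endswith(suffix)]


def should_warn(findings: list[Finding], recipients: list[str], internal_domain: str) -> bool:
    """Interrupt the user only when it is relevant: sensitive content AND an external recipient."""
    return bool(findings) and bool(external_recipients(recipients, internal_domain))


def build_warning(findings: list[Finding], recipients: list[str], internal_domain: str) -> str:
    """Render the warning as: what was found, why it matters, what to do."""
    ext = ", ".join(external_recipients(recipients, internal_domain))
    lines = [f"This attachment is about to be sent to an external address ({ext}):"]
    for f in findings:
        lines.append(f"- Found {f.kind} ({f.evidence}). Why it matters: {f.risk} What to do: {f.action}")
    return "\n".join(lines)


# Constructed sample attachment: one valid card number, one reference number
# that fails the Luhn check, and a classification marker.
SAMPLE_ATTACHMENT = """Quarterly report - CONFIDENTIAL
Customer card on file: 4111 1111 1111 1111
Reference number: 4111 1111 1111 1112
"""

if __name__ == "__main__":
    found = scan_attachment(SAMPLE_ATTACHMENT)
    rcpts = ["bob@partner.invalid", "alice@example.com"]
    if should_warn(found, rcpts, "example.com"):
        print(build_warning(found, rcpts, "example.com"))
```

Sending the same attachment only to colleagues at `example.com` produces no warning at all; the point is to reserve interruptions for the moment a decision actually needs to be made, and to make that decision easy by stating the risk and the expected action together.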

Conclusion

Security awareness should be a joint, regular effort. Thinking that what you are doing is simply not interesting for hackers and assuming your organization won’t be targeted is dangerous. No organization is safe from malicious actors.

To overcome the risk of security fatigue, organizations should make sure their security policies are proportional and efficient.