Do your employees take more risks with valuable data because they’ve become desensitized to security guidance? Spot the symptoms before it’s too late.
IT security is often regarded as the “Department of No” and sometimes it’s easy to see why. In a world of escalating cyber-risk, expanding attack surfaces and a fast-growing cybercrime economy, security teams are understandably keen to limit the damage their employees could cause. After all, it takes just one misplaced click to unleash a potentially devastating ransomware compromise. But when the burden on employees becomes too high, they may react in unexpected ways, which actually increases cyber-risk in the organization.
This is known as “security fatigue” and it in a worst-case scenario it can lead to reckless and impulsive behavior – quite the opposite of what IT teams want. To tackle it, security needs to work more seamlessly, limiting the number of decisions users need to make and rebalancing protection and productivity for a world of hybrid working.
Humans are often thought of as the weakest link in the corporate security chain. That’s why IT security departments are so keen to mitigate the risk from (not just) negligent insiders. On the one hand, they’re right to. An estimated 67% of companies experienced between 21 and over 40 insider incidents in 2021, up from 60% in 2020 and costing them an average of over US$15m to remediate.
However, when staff feel bombarded by security warnings, policy rules and procedures at work, and media stories of breaches and threats in their spare time, a state of exhaustion may set in. This security fatigue is characterized by a feeling of helplessness and loss of control. Individuals may find it all so overwhelming that they retreat from corporate policy and go their own way. There may also be a sense of resignation: that breaches are going to happen whatever they do, so they might as well ignore all those stressful security alerts.
It’s more common than you might think. A 2018 study revealed that over half (55%) of EMEA employees are not regularly thinking about cybersecurity, and nearly a fifth (17%) aren’t concerned about it at all. Evidence suggests that younger staff are even more prone to become fatigued by excessive security demands.
Unfortunately, this could have a seriously destabilizing impact on corporate security. Among the tell-tale signs of security fatigue are employees who:
The rapid shift to mass home working in 2020 triggered a knee-jerk response in many organizations as IT teams sought to limit their risk exposure by placing onerous new rules on their employees. Now the hybrid workplace is beginning to emerge from the ashes of the pandemic, there’s an opportunity to revisit these restrictions, with an eye on reducing the risk of security fatigue.
Consider the following:
For security to work effectively, you need to create a culture where every employee understands the crucial role they play in keeping the organization safe, and proactively wants to play their part. That kind of culture can take time to build. But it starts with understanding and tackling the causes of security fatigue.