Regular readers of my blog know that I’m a proponent of security education and awareness training. I’m especially so after conversing with friends about the recent Russian hacks on our elections and other security incidents. It concerns me how little the average person knows about cybersecurity in general – what it can do and how cybercriminals are constantly changing things (expect to hear the term “weaponizing data” a lot in the coming year). It’s encouraging to see that organizations are taking steps to combat security incidents, as spending for cybersecurity is expected to rise considerably over the next three years, and there appears to be more interest in understanding about cybersecurity and threats.
That’s why a 2017 prediction from Tom Pendergast, Ph.D., chief strategist of Security, Privacy and Compliance at MediaPro, jumped out at me. Pendergast predicted that security educators will need to develop more creative ways to combat “Security Fatigue.” I was so curious about this that I conducted an email conversation with him about his prediction.
Pendergast explained that security fatigue is the idea that the average person gets so tired of deploying security precautions, and is so unconvinced that their actions matter, that they willingly behave in ways that imperil both themselves and their organization. We’ve all suffered from it, as “symptoms” include things like re-using passwords, connecting to an open network for a quick minute, or even sending sensitive work documents to personal email addresses or storing them on a personal cloud for later use. He continued:
Our culture causes it — from magazines and newspapers promoting the news of the latest data breach (see the Yahoo breach yesterday) and reminding people to use a different password for every site they visit, to public service announcements and posters in public places (think “If you see something, say something,” plastered in subway cars and airport terminals), to corporate training departments issuing regular training and reminders on security. We are simultaneously bombarded with reminders about what to do to stay safe, while also regaled with stories that seem to demonstrate that there is no hope. And we just start to tire of it all and we tune it out. We think, how does practicing good security today help you when the hack happened years ago and is just now being revealed? Do my actions even matter? People are right to suspect that they have always already been hacked!
The last thing we want is for people to start tuning out good security practices, especially now, as every day seems to bring multiple stories of breaches and hacks and DDoS attacks and new vulnerabilities. We need to be more vigilant in 2017, rather than frustrated with the whole process. So perhaps making employees aware of security fatigue is a way to combat. Pendergast said to me:
What’s exciting to me, as a person who is trying to help clients overcome the security fatigue in their employees, is that we can use this concept to make people aware of their own fatigue. The fact of security fatigue is nothing new, I would argue, but our awareness that fatigue itself is a problem can help us as we seek to make improvements. At the risk of sounding kind of academic, I think that surfacing and exposing our implicit biases (like security fatigue) is the first step in changing them. We have to acknowledge that people feel this way, and then give them compelling reasons to overcome that fatigue and do the right thing.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba