‘Fear Fatigue’ threatens cybersecurity of employees working from home


Malwarebytes, a global leader in real-time cyberprotection, has announced the findings of its latest survey, which examines how the global pandemic and the growing hybrid workforce are affecting cybersecurity and reshaping work environments.

In the spring of 2020, as the COVID-19 pandemic was beginning, Malwarebytes surveyed 200 IT decision makers (ITDMs) and C-level executives about how the lockdowns affected their cybersecurity practices. Eighteen months later, Malwarebytes surveyed ITDMs and C-suite executives again.

“While organizations showed great versatility in shifting to dispersed work environments during the pandemic, it also brought to light the need for an entirely different and more robust approach to security that offers more education and support to employees,” said Adam Kujawa, Director of Malwarebytes Labs. 

“We have more threats coming through on less secure personal networks and a rise in brute force attacks to reach businesses through remote desktop protocols. We need a holistic approach that secures employees no matter what network they are on or what device they are using.”

The report, Still Enduring From Home, reveals how the ongoing pandemic and resulting remote and hybrid workforce is reshaping how organizations and employees secure data as well as their feelings about cyberthreats.

The new data suggests that complacency brought about by fear fatigue is a growing contributor to cybercrime exposure and data loss:

• Malwarebytes’ survey found that 61% of respondents acknowledge that employees are experiencing fear fatigue, with 27% feeling particularly overwhelmed by fear.
• Almost 80% of survey respondents reported some level of jadedness or ‘fear fatigue’ within their organization.

Defined as the ‘demotivation to follow recommended protective behaviors, emerging gradually over time and affected by a number of emotions, experiences and perceptions’, fear fatigue can often lead to careless behavior, such as opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi.

Dean Coclin, Senior Director of Business Development at DigiCert 


Fear fatigue is very similar to ‘warning fatigue’, that is, the ambivalence associated with the constant barrage of warnings which users encounter in apps, websites and operating systems. And not only in IT systems but think of the warning signs you see all over California, informing you that everything causes cancer!  

Hence users can’t tell what is a real threat and what is just satisfying the letter of the law. Since IT warnings are so common, users tend to ‘click through’ without reading the message, potentially causing substantial harm. In similar fashion, users are tired of hearing about the threats to their personal computer security and may be ignoring actual threats.

However, these warnings are important for effectively mitigating attacks. The challenge is false alarms do happen, and over time, even information security pros can become desensitized to the alerts.  

A key challenge facing enterprises is finding the right balance between false alarms and not enough alerts. If alerts are being ignored, filtered or missed, this represents a huge failure.  

One way to combat this is for information security teams to identify the events that cause the alarms to trigger in the first place. Simply tuning the event triggers to more appropriate values, or addressing problems on a single system, can greatly improve the quality and validity of alerts.

Including context for users to help determine the importance of an event can also help address warning fatigue. Single events by themselves can seem innocuous but included in the context of other events can be deemed significant.  

At the end of the day, the best remedy is user education, which can take many forms. But instead of drilling users with rules, which tend to go in one ear and out the other, a different approach should be considered.

Fun videos with actors using a ‘soap opera’ like story to convey the message which engages users, could be more useful and provide optimal results. The viewing of such stories could be staggered, similar to a TV series which keeps users interested and in suspense of what’s coming. At the same time, these stories convey valuable lessons in cybersecurity, making learning fun, engaging and something they can talk about with their colleagues.  

There are several companies that offer such educational products and it’s incumbent upon IT to join with HR to ensure employees undertake the training and complete a short quiz. Results could be posted on a leader board, with prizes awarded to top rankings, creating a corporate competition to exhibit pride in employee results.  
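The alert-tuning advice in the commentary above (identify what fires the rule, tune the trigger or fix the single noisy system, and give a lone event context) is shown below as an added example. It is not code from DigiCert, Malwarebytes or the article; the sshd-style log lines are constructed sample data, and the threshold of five failures in a 120-second window, the hostnames, the IP addresses and the suppression list are illustrative assumptions.

```python
"""Tuning a noisy login-failure rule and adding context, over constructed sshd log lines."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data (not a real capture). Timestamps are offsets from BASE.
BASE = datetime(2021, 10, 5, 9, 0, 0)


def _line(offset_s, result, user, src):
    """Build one sshd-style auth line in the format parse_events() expects."""
    ts = (BASE + timedelta(seconds=offset_s)).isoformat()
    return f"{ts} web01 sshd[4242]: {result} password for {user} from {src} port 51000 ssh2"


SAMPLE_LOG = (
    # A monitoring probe with a stale service credential: one failure every 20 s.
    # Benign, but it will fire any per-failure rule all day until someone fixes it.
    [_line(20 * i, "Failed", "svc_monitor", "10.0.0.50") for i in range(6)]
    # A user mistyping a password twice, then logging in: innocuous in context.
    + [_line(120, "Failed", "alice", "198.51.100.9"),
       _line(130, "Failed", "alice", "198.51.100.9"),
       _line(150, "Accepted", "alice", "198.51.100.9")]
    # A password spray from the internet, followed by a success for 'admin'.
    + [_line(300 + 5 * i, "Failed", user, "203.0.113.7")
       for i, user in enumerate(["root", "admin", "test", "oracle", "ubuntu", "admin", "admin", "admin"])]
    + [_line(350, "Accepted", "admin", "203.0.113.7")]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(lines):
    """Parse auth lines into dicts; lines the regex does not model are skipped, not guessed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "result": m["result"].lower(), "user": m["user"], "src": m["src"]})
    return events


def naive_alerts(events):
    """The untuned rule: every failed login is an alert. Accurate, and unreadable at scale."""
    return [e for e in events if e["result"] == "failed"]


def top_failure_sources(events):
    """First tuning step: find out which sources are actually firing the rule."""
    return Counter(e["src"] for e in events if e["result"] == "failed")


def tuned_alerts(events, threshold=5, window_s=120, suppressed_sources=frozenset()):
    """Threshold plus sliding window per source, with context: a burst of failures that
    is followed by a successful login from the same source is escalated to 'high'.
    suppressed_sources holds systems whose root cause is being fixed (tune the trigger
    for a known-noisy system; do not silently drop the data for everyone)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, src_events in by_src.items():
        if src in suppressed_sources:
            continue
        src_events.sort(key=lambda e: e["ts"])
        recent = deque()          # failure timestamps inside the current window
        users, severity, first_seen = set(), None, None
        for e in src_events:
            if e["result"] == "failed":
                users.add(e["user"])
                recent.append(e["ts"])
                while (e["ts"] - recent[0]).total_seconds() > window_s:
                    recent.popleft()
                if severity is None and len(recent) >= threshold:
                    severity, first_seen = "medium", recent[0]
            elif e["result"] == "accepted" and severity == "medium":
                # Success shortly after a qualifying burst: one of the guesses worked.
                if (e["ts"] - recent[-1]).total_seconds() <= window_s:
                    severity = "high"
                    users.add(e["user"])
        if severity:
            alerts.append({"src": src, "severity": severity, "users": sorted(users),
                           "first_seen": first_seen.isoformat()})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("naive rule:", len(naive_alerts(evs)), "alerts")
    print("top sources:", top_failure_sources(evs).most_common())
    print("tuned:", tuned_alerts(evs))
    print("tuned, probe suppressed while its credential is fixed:",
          tuned_alerts(evs, suppressed_sources={"10.0.0.50"}))
```

On the sample data the per-failure rule raises 16 alerts, the tuned rule raises two (the monitoring probe at medium and the spray at high), and once the probe is suppressed pending its credential fix only the spray remains. The user who fumbled twice and then logged in never reaches the threshold, so the same "failure then success" sequence that is innocuous for her is escalated for the spraying source only because of the burst that preceded it.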

Christopher Hills, Chief Security Strategist, BeyondTrust


I think it’s safe for us to admit that most employees across the world are experiencing some sort of cyber fear fatigue. This combined exhaustion and fear overload can have a negative impact on cybersecurity posture.  

We’ve been immersed in COVID protocol for over two years. Our travel options have been limited, and most of us have endured numerous other restrictions, depending on where we live. Thus, we’ve been even more of a captive audience, watching in dread from our seats at home as some of history’s most significant cybersecurity breaches and compromises have unfolded in seeming continual succession.  

The weight of cyber fear fatigue is probably heaviest for those forced into working remotely since the initial Coronavirus wave – way before the idea of variants had entered the picture. However, C-level executives have lived in fear since day one of shutdowns and the massive, rapid-scaling of remote work.  

In a recent survey from Munich Re, 81% of the C-level respondents said they didn’t feel adequately protected against cyberthreats. There comes a point when you fear something so much you get sick of it, then you get inured to it and maybe even complacent. That’s how fatigue can work to wear down our defenses.  

We are all exhausted with the relentless cyberattacks that continue to cripple businesses, economies and critical supply chains. The pandemic has just exacerbated the exhaustion, while making our jobs harder and attackers’ jobs easier. 

As cybersecurity professionals, we need to do a better job holistically with cybersecurity. Until we can position ourselves and our companies in a way that can be better prepared to deal with cyberthreats, we will continue to live in fear and we will continue to endure the fatigue associated with living in fear.  

We need to break out of this unhealthy cycle. General fatigue and cyber fatigue set employees up to miss things that should pique their interest, while dampening their response times. Fatigued employees make mistakes. No one is immune to this – it’s a human response to persistent fatigue.  

As individuals, each of us has varying levels of tolerance, or resistance, to fatigue. However, as an organization, we are only as secure as our weakest link, which can be our most sensitive employee. If their cyber fatigue induces them to have lapses in cyber hygiene, that employee will end up being the part of your attack surface that gives threat actors a foothold, or a pivot point from which to engage in lateral movement.

Tyler Farrar, CISO, Exabeam  


In order to combat ‘fear fatigue’ organizations need to empower their people to take small steps toward the bigger goal of bolstering security defenses.

After all, employees play a key role in a company’s cybersecurity posture.  

Security teams that shake up their password protocols such as never using the same password twice, using password vaults and enabling multi-factor/adaptive authentication are winning against the adversaries.  

A combination of behavioral analytics and smart password practices can help employees, and their employers, stop credential-based attacks and adversarial lateral movement.

Organizations need to ensure they have the right threat detection, investigation and response (TDIR) technologies in place. 

Danny Lopez, CEO, Glasswall 

A cyberattack occurring every 39 seconds is a constant reminder that employers need to take action in order to protect their employees from having their critical information stolen.


The solution to preventing incidents like this is twofold: training and technology. Training plays a vital role in any rounded approach to cybersecurity by arming as many users as possible to be alert to risks and follow best practices.  

The problem is, many of these training efforts are little more than an exercise in box ticking, covering the basics, with employers then assuming their staff will remember what they need to do on every single occasion in the future when they are exposed to risk.
 
People should understand that protecting their organization from the impact of a security breach isn’t just about always applying every element of their training on every single occasion, it’s also about raising the alarm if a breach may have occurred without fear of punishment. Whether they are right or wrong, employees should be encouraged to always raise the alarm if something doesn’t feel right. 
 
On the technology side, taking a proactive, zero trust (never trust/always verify) approach to cybersecurity and having the measures in place to prevent attacks from penetrating your systems is critical. It’s also far more efficient and cost-effective than relying solely on your employees. 

Intelligent CISO