Why Security Fatigue Is a Huge Cybersecurity Risk
Companies can save an average of $2.66 million by testing their cybersecurity incident response plan, but many choose not to. Whether this is out of necessity or negligence, it may cost businesses their reputation and revenue in the long run. Failing to keep up with cybersecurity can have compounding effects.
However, overcomplicating security can be just as damaging. Security fatigue is a major risk for businesses. Find out how to mitigate it in your organization to protect your digital assets.
What is security fatigue?
Security fatigue describes the feeling of exhaustion users experience when they are inundated with too many security measures. Particularly in the workplace, staff can become overwhelmed with security warnings, IT alerts, cybersecurity policy documents, password change requests, or even media consumption of stories about data breaches at other companies.
Overworked admins, who may be managing many thousands of identities and privileges, are often forced to give blanket permissions, which can lead to over-privileged or unauthorized access – an enormous risk in any organization.
Symptoms of security fatigue
To combat security fatigue, you must understand how it presents itself – in yourself and your employees. These so-called symptoms of security fatigue are signs that you should rethink the way you handle cybersecurity for your company. Look out for:
- Reduced attention during security training or processes
- Frequent password reset requests from the user
- Unsafe password practices, such as weak passwords or sharing them with coworkers, family, or friends
- A sense of frustration with security measures
- Ignoring software updates
- Bypassing security by connecting to your server without a VPN or on public Wi-Fi
- Demonstrating risky online behavior
Risky online behavior in the context of security fatigue doesn't necessarily include gambling or anything nefarious or inappropriate for the workplace. However, it can be just as damaging in different ways. When users are faced with cybersecurity fatigue, they tend to forgo the recommended security measures and may not be as vigilant about avoiding online threats.
If you notice employees opening, responding to, or clicking through links in suspicious emails, it's a clear sign that they aren't as engaged in cybersecurity best practices as they should be. You can test this by sending out planned phishing emails, tracking which users click through, and using that information to adjust or expand your cybersecurity training.
MFA prompt bombing complacency
Multi-factor authentication (MFA) is a common cybersecurity measure taken by companies, but it can also reveal a security fatigue issue. Bad actors are well aware that organizations use MFA and actively look for ways to get past it. One such technique is MFA prompt bombing.
If employees aren't careful, they can fall for this social engineering tactic. A typical push-based MFA flow sends an authentication request to the user's device, such as a phone or tablet, and the user taps "accept" to confirm that the login is legitimate. Attackers exploit this by sending fake MFA notifications, sometimes many in a row, to wear down a frustrated or fatigued user into "accepting" one simply to make the prompts stop. Once a prompt is accepted, the attacker gains access to the user's account.
The impact of security fatigue
Cybersecurity fatigue has clear negative impacts on businesses. Employees grow tired of security measures and become complacent, and the very controls meant to protect the company end up working against it. The resulting risks are far-reaching and can't be ignored.
The financial risk
According to IBM, the average cost of a data breach in the U.S. is $9.44 million.
The financial risks of overwhelming employees — and consumers — with cybersecurity measures are palpable. Customer-targeted cybercrime is on the rise as security measures become more commonplace and attackers become more aware of how to bypass them. Data breaches due to security fatigue can result in:
- Resources spent identifying and thwarting the attack
- Legal fees and penalties for improper security
- Loss of revenue due to damaged reputation and loss of trust
- Allocation of budget to increase identity theft protection
Expending resources to identify and mitigate cyberattacks inevitably leads organizations to see decreases in productivity. IT and security teams are forced to spend less time on business operations that can improve the user experience and give the company a competitive edge.
The security risk
Many people get tired of logging into a VPN only to have a slow connection or one that drops frequently. So they connect directly to apps and data – sometimes using unsecured networks.
But these practices can leave your organization open to attack. Protecting your digital assets has become an ever-present need in modern businesses. Particularly during a business breakup, digital assets – like financial data, internal documents, and intellectual property – require tight security controls that prevent them from falling into the wrong hands.
The compliance risk
Security fatigue can lead to significant fines and penalties due to regulatory noncompliance and violations of industry regulations. In addition, such violations can result in legal problems and damage to an organization's reputation. Harvard Business Review studied employees over a 10-day period and found that about 67% of staff violated cybersecurity policies at least once during the study period. In most cases, the employees were simply trying to get something done and security would have slowed them down. That is a clear case of security fatigue.
Managing security fatigue
Businesses can help reduce or eliminate security fatigue in several ways:
- Implementing passwordless authentication methods to improve security and simplify the user experience
- Streamlining identity governance and access controls
- Managing the business's digital identity on secure platforms
- Setting up alerts for suspicious activities
- Using AI-driven tools to identify potentially fraudulent access, requiring additional authorization when user behavior is unusual
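The MFA prompt bombing pattern described earlier, and the "alert on suspicious activity, then require extra authorization" control in the list above, can be put together in one small detector. This is an added example, not code from the original article or any MFA vendor: the log format, event names (push_sent, push_denied, push_timeout, push_approved), thresholds and response actions are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample push-MFA log (hypothetical format, not any vendor's):
# "<ISO time> <user> <event>". alice is bombed and finally approves; bob is normal.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice push_sent
2024-05-01T08:00:20Z alice push_denied
2024-05-01T08:00:25Z alice push_sent
2024-05-01T08:00:40Z alice push_denied
2024-05-01T08:00:45Z alice push_sent
2024-05-01T08:01:45Z alice push_timeout
2024-05-01T08:01:50Z alice push_sent
2024-05-01T08:02:05Z alice push_denied
2024-05-01T08:02:10Z alice push_sent
2024-05-01T08:02:30Z alice push_approved
2024-05-01T09:15:00Z bob push_sent
2024-05-01T09:15:08Z bob push_approved
"""

WINDOW = timedelta(minutes=5)  # look-back window for counting prompts (assumed)
MAX_PROMPTS = 3                # more pushes than this per window is suspicious

def parse(log):
    for line in log.strip().splitlines():
        ts, user, event = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event

def detect_prompt_bombing(log):
    """Return {user: finding} for users whose push history looks like bombing."""
    sent = defaultdict(deque)    # per-user push_sent timestamps inside WINDOW
    rejected = defaultdict(int)  # denials/timeouts since the window started
    findings = {}
    for ts, user, event in parse(log):
        q = sent[user]
        while q and ts - q[0] > WINDOW:  # expire prompts older than WINDOW
            q.popleft()
        if not q:
            rejected[user] = 0
        if event == "push_sent":
            q.append(ts)
            if len(q) > MAX_PROMPTS:  # burst of prompts: stop sending more
                findings[user] = {"severity": "medium", "action": "suppress_push"}
        elif event in ("push_denied", "push_timeout"):
            rejected[user] += 1
        elif event == "push_approved" and len(q) > MAX_PROMPTS and rejected[user] >= 2:
            # Approval after repeated rejections is the fatigue pattern: treat the
            # session as suspect, require a stronger factor, and alert the SOC.
            findings[user] = {"severity": "high", "action": "revoke_session_and_step_up"}
    return findings
```

The "medium" finding is the point at which a real system should stop sending further pushes, which removes the attacker's pressure on the user; the "high" finding is the signal to revoke the session and step up authentication rather than trusting the approval.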
Above all, make it clear to employees and customers that cybersecurity must be a priority, for their protection and that of the business, but it can't be too onerous. User experience is also a priority: it matters for acquiring and retaining customers and for avoiding security fatigue among employees. Be transparent about your efforts to enhance security without causing fatigue, and ask staff directly for feedback on how to improve processes. Keep an eye on employee data and track symptoms of security fatigue to ensure your mitigation efforts are working. You can't afford not to.