"Security fatigue" is emerging as a dangerous threat to effective cybersecurity programs. A new study by the National Institute of Standards and Technology (NIST) found that the well-intended drumbeat of cybersecurity alerts and warnings has led to burnout and a sense of fatalism among ordinary people, including the employees that firms look to as their first line of cyber defense.
Businesses need to take affirmative steps to ensure that a culture of cyber security weariness in our society does not lead to cyber security sloppiness on the job.
Cybercrime gambits like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal's dirty work. For this reason, cyber security experts recognize that the greatest vulnerability in most organizations comes from their own people.
The new NIST research shows that limiting employee-based vulnerabilities may be more difficult than anticipated precisely because cyber vulnerabilities are receiving such a high level of attention. "We weren't even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data," said study co-author Mary Theofanos.
Effective employee cyber security awareness programs must overcome apathy, motivate changed behavior, and generate clarity out of a barrage of confusing messages. Simply relying on written policies and regular exhortations from IT professionals may not work. In fact, such an approach may exacerbate cyber fatigue and drive cyber risk higher. HR departments and human factor safety experts are emerging as the newest partners in the cyber risk response process because they know how to effectively deliver programs to change employee behavior. Without their expertise, employee-based cyber defense plans may be doomed to ineffectiveness from the start.
To counter security fatigue, effective cyber security programs will focus on simplicity of systems, training that imparts a sense of competency and control to recipients, and monitoring that catches and flags poor employee security habits early. In the current context, the costs of ignoring the human factors are just too great.
The original article was published on Law360; a full version of the alert is also available.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.