
Combat fear fatigue with these security tips

Nearly two years ago, companies around the globe scrambled to support entire workforces strong-armed into remote work practically overnight. For far too many, security was an afterthought — until it was too late. Now, as remote work transforms from novelty to the new normal, organizations must double down on security efforts. But what if those efforts alienate employees and increase stress instead of alleviating it?

While many employees have expressed a desire to be more secure, as our recent Still Enduring From Home report found, fear fatigue has set in after years of constant concern and change. And that is a vulnerability likely keeping IT and security leaders awake at night.

Why can increasing security cause increased stress and fear fatigue?

How to fight fear fatigue while keeping remote workers secure 

Hybrid and remote work are on their way to becoming permanent fixtures. Yet the digital infrastructure so hastily thrown up two years ago to support the remote workforce now needs a serious security overhaul.

Multiple new access points — many of them weak on or lacking cybersecurity protections altogether — have introduced additional vulnerabilities to an already-taxed system. Users connecting from unsecured home networks, personal computers and mobile phones using shadow IT, haphazard physical environments exposing proprietary data, and unchecked identity and access management policies have left organizations at increased risk of compromise.

As such, it’s time for businesses to sharpen security processes, beef up technical protections, and, most importantly, roll out new forms and frequencies of security training. Security awareness has never been more important.

In fact, many organizations have already taken steps to reduce risk and plug security vulnerabilities introduced by remote work. In Malwarebytes’ recent report, Still Enduring From Home, researchers surveyed 200 IT decision makers to see how organizations fared with remote security measures over an 18-month period.

The results paint an optimistic picture: 74 percent of IT teams have implemented new tools, such as antivirus software, password managers, virtual private networks (VPNs), and two-factor authentication (2FA); 71 percent have introduced new forms of training; and 48 percent have updated their crisis management protocols. Overall, 56 percent of respondents said their organizations have become slightly or significantly more secure since they began working from home.

That’s good news, right? Organizations making moves to boost security is cause for celebration, to be sure. However, the outlook is murkier when examining how employees feel about this increased security. According to the report, they’re fairly well-invested: 83 percent care to some degree about security practices, with 51 percent caring deeply.

However, caring doesn’t always translate to awareness, nor does awareness always result in action. While 62 percent of respondents said their employees are either “very” or “acutely” aware of security best practices, nearly 40 percent range from “aware but not a priority” to “oblivious and risky.”

And while employees care about getting security right, many are also suffering from “fear fatigue.” Nearly 80 percent of the Still Enduring From Home respondents reported some level of fear fatigue or jadedness in their organization. Adrenaline-fueled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.

Fear fatigue (otherwise known as security fatigue) inspires complacency, and complacency leads to risky cybersecurity behavior, like opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi. Scammers are primed and ready to take advantage of this reduced focus. In fact, organizations should consider “human-proofing” an essential layer of their cybersecurity approach.

According to the Verizon 2021 Data Breach Investigations Report, 85 percent of breaches are caused by people. Employees are an organization’s biggest asset, but they also break the rules and make mistakes — sometimes, costly ones. Mistakes can happen due to distractions (57 percent), stress (52 percent), and general fatigue (44 percent), and employees need protecting, supporting, and keeping safe.

Now, there’s a need to keep remote employees apprised of the increased cyberthreats they face and informed about how to deal with them. This requires an increase in training frequency, and confirmation that employees are absorbing that training. However, alarmingly, 27 percent of IT leaders said their employees seem “particularly overwhelmed” by threats and jaded by security procedures.

That’s why organizations need to tread a fine line between equipping their employees and overwhelming them. They must learn to balance cybersecurity education while avoiding fear fatigue.

Easier said than done, I know.

To implement an effective fear fatigue mitigation program, it’s important to first address the generalized stress brought on by nearly two years of living in a deadly pandemic.   

  • Collaborate with employees to figure out strategies, including developing strong social networks and regularly practicing healthy routines.
  • Offer employees mental health days separate from sick or personal days.
  • Provide access to counselors and other mood-boosting activities, such as virtual meditation or yoga classes.

Or take the advice of Tanya Barlow, an IT leader at PROCON, Inc.: “The best approach is to continually practice radical empathy — for others in the workplace and for yourself. You have to be willing to forgive and be flexible. You can’t be too hard on yourself, as we are all still collectively healing. In moments of extreme exhaustion, I think it’s important to take time to reflect and practice mindfulness. Remind yourself of things you’re still grateful for and let go of outdated mindsets, routines, and things that don’t truly matter.”

Organizations must also design cybersecurity programs that take the burden off of employees and counter inadvertent actions that put networks, devices, and data at risk. This can be done in two ways: through security tools designed to protect against human error, and/or more engaging training content and mediums for delivering that training. Organizations should:   

  • Leverage technology to automatically block site visits from users clicking potentially malicious links or to detect and bin spear phishing attempts before the targeted employee sees them.
  • Reinforce security measures often and in a fun way. Phish your own employees. Gamify security trainings.
  • Consider delivering training using different modes of learning, from audio-visual (videos) to kinesthetic (scenario planning).

Employees can feel fatigue from over-communicating, too, so balancing the right amount of communication is key. Remember: There’s no one-size-fits-all approach to managing people, so iterate and check in on employee fatigue regularly. Once you know how to provide folks with the right guardrails, they won’t be so afraid of driving off the road. 


Covid fatigue causes careless behavior, endangers online safety

Because it’s not bad enough that we’ve had to shelter in place, shut down businesses, and stay away from friends and families for months. Now we learn that our natural response to this stress — a type of emotional exhaustion medical professionals call Covid fatigue — puts us in danger, too. Great. Might as well give up now.

The above paragraph is a meta example of Covid fatigue… or at least the beginnings of it. The defeatist attitude is a telltale symptom of this type of fatigue, which should not be mistaken for the fatigue that can sometimes be a symptom of Covid-19 infection. Covid fatigue is instead defined as feeling overwhelmed and exhausted by the conditions brought on by the pandemic and the ever-changing list of rules to follow in order to stay safe.

Those with Covid fatigue are less likely to follow basic social protocols for protecting against the virus. And that, unfortunately, spills over into their online habits as well.

For many of you in IT and security, a lightbulb may have already flickered on. Covid fatigue sounds awfully similar to security fatigue or alert fatigue. Indeed, it’s the exact same principle. And if you’re catching on to how emotional fatigue can lead to self-destructive behavior online (like reusing passwords or exercising less caution opening emails, for example), then guess who else knows?

The most successful threat actors study user psychology so their social engineering tactics can be believable. And those threat actors have been clued into Covid fatigue for a while now.

It’s most important, then, that IT and security leaders guide their employees in fighting back against possible online attacks, remembering basic security hygiene, and combatting emotional fatigue. The last item may require help from your people operations teams, but will ultimately lead to a happier, healthier workforce with energy in reserve.

There’s so much uncertainty with this virus, and that contributes to Covid fatigue, too. But if there’s one thing we can be sure about, it’s that battling this pandemic — and the one we’re facing online — is a marathon, not a sprint.

Read on to learn how to cope with Covid fatigue and stay safe online: https://blog.malwarebytes.com/malwarebytes-news/2020/10/how-covid-fatigue-puts-your-physical-and-digital-health-in-jeopardy/

For background on security fatigue: https://blog.malwarebytes.com/101/2017/04/how-to-fight-security-fatigue/

To see what Johns Hopkins recommends for fighting Covid fatigue: https://www.hopkinsmedicine.org/health/conditions-and-diseases/coronavirus/how-to-deal-with-coronavirus-burnout-and-pandemic-fatigue

On alert/notification fatigue: https://betanews.com/2020/07/09/security-report-alert-fatigue/