Nearly two years ago, companies around the globe scrambled to support entire workforces strong-armed into remote work practically overnight. For far too many, security was an afterthought — until it was too late. Now, as remote work transforms from novelty to the new normal, organizations must double-down on security efforts. But what if those efforts alienate employees and increase stress instead of alleviating it?
While many employees have expressed a desire to be more secure, as our recent Still Enduring From Home report found, fear fatigue has set in after years of constant concern and change. And that is a vulnerability likely keeping IT and security leaders awake at night.
Why can increasing security cause increased stress and fear fatigue?
How to fight fear fatigue while keeping remote workers secure
Hybrid and remote work are on their way to becoming permanent fixtures. Yet the digital infrastructure so hastily thrown up two years ago to support the remote workforce now needs a serious security overhaul.
Multiple new access points — many of them weak on or lacking cybersecurity protections altogether — have introduced additional vulnerabilities to an already-taxed system. Users connecting from unsecured home networks, personal computers and mobile phones using shadow IT, haphazard physical environments exposing proprietary data, and unchecked identity and access management policies have left organizations at increased risk of compromise.
As such, it’s time for businesses to sharpen security processes, beef up technical protections, and, most importantly, roll out new forms and frequencies of security training. Security awareness has never been more important.
In fact, many organizations have already taken steps to reduce risk and plug security vulnerabilities introduced by remote work. In Malwarebytes’ recent report, Still Enduring From Home, researchers surveyed 200 IT decision makers to see how organizations fared with remote security measures over an 18-month period.
The results paint an optimistic picture: 74 percent of IT teams have implemented new tools, such as antivirus software, password managers, virtual private networks (VPNs), and two-factor authentication (2FA); 71 percent have introduced new forms of training; and 48 percent have updated their crisis management protocols. Overall, 56 percent of respondents said their organizations have become slightly or significantly more secure since they began working from home.
That’s good news, right? Organizations making moves to boost security is cause for celebration, to be sure. However, the outlook is murkier when examining how employees feel about this increased security. According to the report, they’re fairly well-invested: 83 percent care to some degree about security practices, with 51 percent caring deeply.
However, caring doesn’t always translate to awareness, nor does awareness always result in action. While 62 percent of respondents said their employees are either “very” or “acutely” aware of security best practices, nearly 40 percent range from “aware but not a priority” to “oblivious and risky.”
And while employees care about getting security right, many are also suffering from “fear fatigue.” Nearly 80 percent of the Still Enduring From Home respondents reported some level of fear fatigue or jadedness in their organization. Adrenaline-fueled anxiety and adaptation have left them feeling jaded or overwhelmed, making them vulnerable to simple security mistakes.
Fear fatigue (otherwise known as security fatigue) inspires complacency, and complacency leads to risky cybersecurity behavior, like opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi. Scammers are primed and ready to take advantage of this reduced focus. In fact, organizations should consider “human-proofing” an essential layer of their cybersecurity approach.
According to the Verizon 2021 Data Breach Investigations Report, 85 percent of breaches are caused by people. Employees are an organization’s biggest asset, but they also break the rules and make mistakes — sometimes, costly ones. Mistakes can happen due to distractions (57 percent), stress (52 percent), and general fatigue (44 percent), and employees need protecting, supporting, and keeping safe.
Now, there’s a need to keep remote employees appraised of the increased cyberthreats they face and informed about how to deal with them. This requires an increase in training frequency, and confirmation employees are absorbing that training. However, alarmingly, 27 percent of IT leaders said their employees seem “particularly overwhelmed” by threats and jaded by security procedures.
That’s why organizations need to tread a fine line between equipping their employees and overwhelming them. They must learn to balance cybersecurity education while avoiding fear fatigue.
Easier said than done, I know.
To implement an effective fear fatigue mitigation program, it’s important to first address the generalized stress brought on by nearly two years of living in a deadly pandemic.
- Collaborate with employees to figure out strategies, including developing strong social networks and regularly practicing healthy routines.
- Offer employees mental health days separate from sick or personal days.
- Provide access to counselors and other mood-boosting activities, such as virtual meditation or yoga classes.
Or take the advice of Tanya Barlow, an IT leader at PROCON, Inc.: “The best approach is to continually practice radical empathy — for others in the workplace and for yourself. You have to be willing to forgive and be flexible. You can’t be too hard on yourself, as we are all still collectively healing. In moments of extreme exhaustion, I think it’s important to take time to reflect and practice mindfulness. Remind yourself of things you’re still grateful for and let go of outdated mindsets, routines, and things that don’t truly matter.”
Organizations must also design cybersecurity programs that take the burden off of employees and counter inadvertent actions that put networks, devices, and data at risk. This can be done in two ways: through security tools designed to protect against human error, and/or more engaging training content and mediums for delivering that training. Organizations should:
- Leverage technology to automatically block site visits from users clicking potentially malicious links or to detect and bin spear phishing attempts before the targeted employee sees them.
- Reinforce security measures often and in a fun way. Phish your own employees. Gamify security trainings.
- Consider delivering training using different modes of learning, from audio-visual (videos) to kinesthetic (scenario planning).
Employees can feel fatigue from over-communicating, too, so balancing the right amount of communication is key. Remember: There’s no one-size-fits-all approach to managing people, so iterate and check in on employee fatigue regularly. Once you know how to provide folks with the right guardrails, they won’t be so afraid of driving off the road.
- For the Malwarebytes Labs blog summarizing the Still Enduring From Home report
- To learn about other forms of fatigue and how they impact cybersecurity, read this article on COVID fatigue