Security Compliance

Research released by the US-based National Institute of Standards and Technology (NIST) found that nearly two-thirds of typical computer users show signs of security fatigue, which the Institute describes as “a weariness or reluctance to deal with computer security.” If you have noticed your staff becoming sloppy about complying with security protocol – ignoring software update alerts, opening suspicious emails, not following password best practices, etc. – you may rightly be worried.

What’s more, we can’t just put the blame squarely on the shoulders of end-users, who may not be aware of the significance of their (in)action. A recent IT security survey showed that a third of IT security professionals routinely ignore alerts because so many of them are false positives. The main explanation given is the sheer volume of security alerts, which has more than doubled in the last 5 years and increased again during the pandemic. “While it may be tempting to disregard alert sources with high false-positive ratios, this could also create significant security blind spots,” warns one cybersecurity blog.

In case it isn’t abundantly clear already, let us take a moment to state the obvious: Poor decision-making by just one team member in any department puts your company at increased risk from an intrusion, exposure of sensitive data, loss of reputation, and financial harm.

According to this article published in October, the number of data breaches in 2021 has already overtaken last year’s total. While the media are quick to report the latest hacking news affecting our organizations, computer users are flooded with advice on how to protect sensitive information, in increasingly complex and ever-changing forms that can be hard to keep up with. And with people getting tired of following the protocol, it is surely only a matter of time until your IT security is breached.

Here are 5 typical examples and how to deal with them:

1. Password apathy

The number of passwords required has increased sharply in recent years. The average person now has about 100 passwords that need to be changed periodically. Little wonder, then, that reusing the same password across different online accounts and platforms is a widespread practice, and that pet names, a simple string of numbers, or the name of a favorite TV show are often used – all of which are easily guessed by hackers.

Installing a password manager is the best way to generate strong passwords and store them in a safe location. Best of all, the user only needs to remember one set of master credentials.

2. Phishing prey

Phishing is the most successful and dangerous of all cybersecurity attacks, and over 90% of successful data breaches start with phishing emails. It’s a deceptively simple technique that delivers a high return on investment for hackers. Today’s phishing attacks are highly targeted, sophisticated, and increasingly difficult to spot, even for expert users. Untold damage can inadvertently be done simply by opening an email, downloading an attachment, or clicking on a link.

Education and culture are the watchwords for successfully tackling this behavior. Companies should build an inclusive cybersecurity culture, backed up by effective and ongoing IT security awareness training for key employees. Encourage and empower each technology user to take personal responsibility for their role in protecting against cybercrime. Culture comes from the top of the organization, which means solid leadership, clear rules and expectations, and continual monitoring.

3. Insecure connections

Hybrid working practices have been on the rise for some years, and the pandemic has intensified the shift towards working remotely. In many cases, working from home has become part of the ‘new normal’. But using a personal laptop or other devices at home, in a coffee shop, or elsewhere that isn’t a company-controlled environment often means connecting over unsecured WiFi on an unsecured device.

For IT departments, safeguarding the security of portable devices and providing a safe, easy-to-use VPN connection can be a real headache. In addition to controlling the devices used by employees, the solution may be as simple as putting a reminder on start-up screens, setting electronic reminders, or making log-in procedures more user-friendly.

4. Old software versions

No one doubts that keeping devices, their operating systems, and installed software up to date is key to providing the best security protection. However, in a busy work environment, pop-ups inviting the user to install updates can be disruptive and irritating. Postponing software updates time and again is an all too common user behavior.

A more reliable solution would be for internal IT departments to take control of updating devices and software as necessary. This includes installing patches, downloading malware databases and various other tasks to reduce cyber risks.

5. Lack of reporting of suspicious activities

No one wants to get caught out by hackers, so it is perhaps not surprising that many employees who realize they’ve been successfully tricked by a phishing scam choose not to report the incident. Whether the cause is shame, embarrassment, or fear of being blamed or disciplined for non-compliance by their employer, leaving the breach unaddressed can have far more serious consequences.

Companies that rule by fear and discipline are at a clear disadvantage here. Staff should be encouraged to report any suspicious activity immediately, including human error, without the risk of a punitive response. Workplaces with a positive employee culture will reframe human-error incidents as an opportunity for everyone to learn from their mistakes, educating IT users in effective security protocol.

Interestingly, an effective way to achieve behavioral change among IT users to combat cybersecurity fatigue is to use an approach that doesn’t necessarily have technology at its core. Instead, user education and building a positive security culture should be prioritized. “By breaking down the threats, targets, and actions, cybersecurity specialists can help people understand their individual roles and the cybersecurity risks involved in their jobs and interactions with others,” explains this blog on the psychology of cybersecurity. “The ability to improve cybersecurity posture and avoid the slow decay of concern seems to lie in making cybersecurity a digestible, positive experience. If nothing else, individuals and organizations should consider how they think about cybersecurity and about how those thoughts translate into their everyday actions.”


About the Author

Mike James is an independent writer based in the UK who writes content for the B2B market. He covers a broad range of topics including technology, cybersecurity, HR, marketing, design, co-working, and business start-ups.