Canadian Cyber Security Journal

‘Fear Fatigue’ threatens cybersecurity of employees working from home

Malwarebytes, a global leader in real-time cyberprotection, has announced the findings from its latest survey examining how the global pandemic and an increasingly hybrid workforce are affecting cybersecurity and changing the face of work environments forever.

In the spring of 2020, as the COVID-19 pandemic was beginning, Malwarebytes surveyed 200 IT decision makers (ITDMs) and C-level executives about how the lockdowns affected their cybersecurity practices. Eighteen months later, Malwarebytes surveyed ITDMs and C-suite executives again.

“While organizations showed great versatility in shifting to dispersed work environments during the pandemic, it also brought to light the need for an entirely different and more robust approach to security that offers more education and support to employees,” said Adam Kujawa, Director of Malwarebytes Labs.

“We have more threats coming through on less secure personal networks and a rise in brute force attacks to reach businesses through remote desktop protocols. We need a holistic approach that secures employees no matter what network they are on or what device they are using.”

The report, Still Enduring From Home, reveals how the ongoing pandemic and the resulting remote and hybrid workforce are reshaping how organizations and employees secure data, as well as their feelings about cyberthreats.

The new data suggests that complacency brought about by fear fatigue is a growing threat for cybercrime and data loss:

• Malwarebytes’ survey found that 61% acknowledge that employees are experiencing fear fatigue, with 27% feeling particularly overwhelmed by fear.
• Almost 80% of survey respondents reported some level of jadedness or ‘fear fatigue’ within their organization.

Defined as the ‘demotivation to follow recommended protective behaviors, emerging gradually over time and affected by a number of emotions, experiences and perceptions’, fear fatigue can often lead to careless behavior, such as opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi.

Fear fatigue is very similar to ‘warning fatigue’, that is, the ambivalence associated with the constant barrage of warnings which users encounter in apps, websites and operating systems. This is not limited to IT systems: think of the warning signs you see all over California, informing you that everything causes cancer!

Hence users can’t tell what is a real threat and what is just satisfying the letter of the law. Since IT warnings are so common, users tend to ‘click-thru’ without reading the message, potentially causing substantial harm. In similar fashion, users are tired of hearing about the threats to their personal computer security and may be ignoring actual threats.

However, these warnings are important for effectively mitigating attacks. The challenge is that false alarms do happen, and over time, even information security pros can become desensitized to the alerts.

A key challenge facing enterprises is finding the right balance between false alarms and not enough alerts. If alerts are being ignored, filtered or missed, this represents a huge failure.

One way to combat this is for information security teams to identify the events that cause the alarms to trigger in the first place. Simply tuning the event triggers to more appropriate values, or addressing problems on a single system, can greatly improve the quality and validity of alerts.

Including context that helps users determine the importance of an event can also help address warning fatigue. A single event can seem innocuous by itself, but in the context of other events it can be deemed significant.
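The two ideas above, trigger tuning and event context, shown on failed-login events as an added example that is not from the original article or the Malwarebytes report. The event names, host names, threshold and window are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: time host user event
RAW = """\
09:00 kiosk-7 svc_backup login_failed
09:05 kiosk-7 svc_backup login_failed
09:10 kiosk-7 svc_backup login_failed
09:15 kiosk-7 svc_backup login_failed
09:20 kiosk-7 svc_backup login_failed
09:25 kiosk-7 svc_backup login_failed
10:00 laptop-3 alice login_failed
10:01 laptop-3 alice login_ok
11:00 rdp-gw bob login_failed
11:01 rdp-gw bob login_failed
11:01 rdp-gw bob login_failed
11:02 rdp-gw bob login_failed
11:02 rdp-gw bob login_failed
11:03 rdp-gw bob login_ok
"""

def parse(raw):
    rows = (line.split() for line in raw.splitlines())
    return [(datetime.strptime(t, "%H:%M"), h, u, e) for t, h, u, e in rows]

def noisy_hosts(events, share=0.5):
    """Single systems producing at least `share` of all failed-login events."""
    fails = Counter(h for _, h, _, e in events if e == "login_failed")
    total = sum(fails.values()) or 1
    return sorted(h for h, n in fails.items() if n / total >= share)

def correlated_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per failure burst; escalate if a success follows the burst."""
    recent = defaultdict(list)  # (host, user) -> failure times still in window
    alerts = []
    for ts, host, user, event in sorted(events):
        key = (host, user)
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if event == "login_failed":
            recent[key].append(ts)
            if len(recent[key]) == threshold:  # fires once, not per event
                alerts.append(("medium", host, user, "failure burst"))
        elif event == "login_ok" and len(recent[key]) >= threshold:
            alerts.append(("high", host, user, "success after failure burst"))
            recent[key].clear()
    return alerts

EVENTS = parse(RAW)
```

A rule that alerts on every failed login would raise 12 alerts on this sample; the tuned rule raises two, both for the burst on `rdp-gw`, while the steady misconfigured `kiosk-7` is surfaced separately as a system to fix.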

At the end of the day, though, the best remedy is user education, which can take many forms. Instead of drilling users with rules, which tend to go in one ear and out the other, a different approach should be considered.

Fun videos in which actors use a ‘soap opera’-like story to convey the message can engage users, and could be more useful and provide optimal results. The viewing of such stories could be staggered, similar to a TV series, which keeps users interested and in suspense about what’s coming. At the same time, these stories convey valuable lessons in cybersecurity, making learning fun, engaging and something they can talk about with their colleagues.

There are several companies that offer such educational products and it’s incumbent upon IT to join with HR to ensure employees undertake the training and complete a short quiz. Results could be posted on a leader board, with prizes awarded to top rankings, creating a corporate competition to exhibit pride in employee results.

I think it’s safe for us to admit that most employees across the world are experiencing some sort of cyber fear fatigue. This combined exhaustion and fear overload can have a negative impact on cybersecurity posture.

We’ve been immersed in COVID protocol for over two years. Our travel options have been limited, and most of us have endured numerous other restrictions, depending on where we live. Thus, we’ve been even more of a captive audience, watching in dread from our seats at home as some of history’s most significant cybersecurity breaches and compromises have unfolded in seeming continual succession.

The weight of cyber fear fatigue is probably heaviest for those forced into working remotely since the initial Coronavirus wave – way before the idea of variants had entered the picture. However, C-level executives have lived in fear since day one of shutdowns and the massive, rapid-scaling of remote work.

In a recent survey from Munich Re, 81% of the C-level respondents said they didn’t feel adequately protected against cyberthreats. There comes a point when you fear something so much you get sick of it, then you get inured to it and maybe even complacent. That’s how fatigue can work to wear down our defenses.

We are all exhausted with the relentless cyberattacks that continue to cripple businesses, economies and critical supply chains. The pandemic has just exacerbated the exhaustion, while making our jobs harder and attackers’ jobs easier.

As individuals, each of us has varying levels of tolerance, or resistance, to fatigue. However, as an organization, we are only as secure as our weakest link, which can be our most sensitive employee. If their cyber fatigue induces them to have lapses in cyber hygiene, that employee will end up being the part of your attack surface that gives threat actors a foothold, or a pivot point from which to engage in lateral movement.
