Security fatigue - a wakeup call for business?
New research shows that consumers are unable to deal with the increasingly complex demands of digital security, and are finding it an increasingly stressful issue to manage.
The unrelenting pace of technological change is leading to ‘security fatigue’ among consumers, according to recent research, and businesses should take heed too, as the same attitude among staff can be a serious problem...
The study by the National Institute of Standards and Technology (NIST) found that the majority of the users interviewed experienced the issue, which led to risky computing behaviour at work.
“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” computer scientist and co-author Mary Theofanos said.
“Years ago, you had one password to keep up with at work,” she said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”
The study highlighted that many people felt “overwhelmed” by the concept of having to be constantly alert for digital threats, while others felt worn down by the barrage of passwords, PINs and other credentials they had to remember to access websites and digital services. One vendor study of 2,400 consumers across the UK, US and Germany found that UK consumers rarely change their passwords to combat rising online crime, with more than a third of UK respondents claiming to change their passwords “once a year, less or never”.
Perhaps most tellingly of all, many respondents also questioned how they could effectively protect their data when large organisations frequently fall victim to cyberattacks. A case in point is the recently revealed Yahoo security breach involving 500m user accounts. Yahoo has now encouraged users to change their passwords - some time after the initial breach - and this week released new guidelines for checking that attackers had not already compromised user accounts. The “simple” 25-step guide is here, and points out that steps 9 through 15 will need to be repeated for each device connected to Yahoo Mail.
While the survey was designed around consumers rather than business users, the basic parallels are easy enough to draw. Without robust education and some kind of formalised password management system in place, staff are likely to undergo the same process of desensitisation.
One recent report found that an impressive 40 per cent of businesses store admin passwords in a plain Word document or a spreadsheet, with 28 per cent of organisations storing them on a USB stick or shared server. These figures are thrown into stark relief by the fact that 55 per cent of respondents believed their organisation had changed or evolved its processes for managing privileged accounts.
Ilia Kolochenko, CEO of High-Tech Bridge, believes that the issue is not only applicable to staff within an organisation, but also to the wider IT security industry. “Too many security vendors offer similar solutions without genuine technological differentiators, creating new challenges for CSOs, who, in addition to their daily fight with cybercrime and human negligence, are now required to carry out complicated due diligence on cybersecurity vendors. Moreover, implementing a security solution is just a beginning: once deployed into production you need to maintain and monitor it, synchronise it with other systems and educate users. If you don’t have the necessary resources to do all this you’d better not spend on a new solution! Companies should keep in mind that [almost] every security solution has a cost of ownership that should be considered in their cybersecurity budgets.”
The NIST report made three key recommendations: limit the number of security decisions users need to make; make it simple for users to choose the right security action; and design for consistent decision making whenever possible. As general best practice for enterprise IT security they make a lot of sense too - maybe it’s not just consumers that need to change their security behaviours to defend against the ever-growing range of threats...