With attack vectors spreading and the cost of data breaches rising rapidly, employees at every level need to be capable of identifying and preventing cyberattacks. However, this relentless focus on cybersecurity has led to frustration and burnout among employees who find it difficult to keep up — a phenomenon known as “security fatigue,” which can harm a company’s culture, lead to careless behavior and ultimately cause breaches.
From keeping track of an ever-expanding list of account credentials to monitoring digital communications for any sign of cyberattacks in progress, it’s easy for employees to feel overwhelmed by their cybersecurity responsibilities. The good news? Several trusted tactics are available to address security fatigue, using an acronym called “HEAR.”
Not only will these strategies reduce fatigue, but employees will actually hear the message being communicated when management is:
(H) Helping them understand the “why.”
(E) Engaging them with relevant cybersecurity awareness training.
(A) Automating cybersecurity processes.
(R) Rewarding healthy cyber behavior.
When companies build a culture of cybersecurity, employees will no longer view the development of cybersecurity awareness as an onerous chore. Instead, it will be recognized as an integral aspect of the job function and the focus on cybersecurity will be oriented accordingly.
No matter what roles employees have in the company, cybersecurity can’t be dismissed as someone else’s responsibility. While this requires all employees to learn about emerging cyber threats and improve digital behavior, it also empowers employees to take cybersecurity into their own hands and play a vital role in the future of the company.
Why security fatigue is spreading
First, it’s important to understand why this phenomenon is on the rise. The process of digitization is inexorable: accelerating cloud usage, the exploding Internet of Things (IoT) market and the steady growth of e-commerce are all signs that the digital transformation continues to pick up momentum. While this process has improved employee productivity (with cloud-based communication and collaboration tools, for instance), it has also given cybercriminals a much broader range of attack vectors to exploit. This means employees constantly have to be on guard against cyberattacks from many different directions.
For example, according to Verizon’s 2022 Data Breach Investigations Report, the top-action variety in breaches is the use of stolen credentials. Employees have long complained about the number of passwords they have to remember and a 2021 survey found that 87% of employees reuse passwords. However, just over one-fifth of internet users report that they use password managers. Credentials are prime targets for cybercriminals, but there’s still a widespread reluctance to take the necessary steps to keep account names and passwords safe.
There are many other reasons security fatigue is spreading. The shift to remote work created new cyber liabilities, made it difficult for employees to interact with their IT teams and often required extra security measures like the use of VPNs. The number of cyberattacks is increasing. Cloud-based productivity tools like Slack pose significant vulnerabilities, as the recent hacks of Uber and Rockstar Games demonstrated. The attack on Uber relied on repeated two-factor authentication requests to infiltrate the company — a tactic known as authentication fatigue. But amid all these difficult developments, companies have never had more tools to address security fatigue.
How companies can combat security fatigue
Next, it’s crucial to understand how to avoid burning out employees on the topic of cybersecurity. Despite the prevalence of security fatigue, companies have plenty of ways to energize and galvanize their workforces around cybersecurity. Businesses can provide engrossing cyber-awareness content that will capture employees’ attention and keep them engaged with positive reinforcement and gamification. Companies can also automate essential cybersecurity processes with tools like password managers. And, the cybersecurity infrastructure can be built up with streamlined incident reporting mechanisms, personalized learning plans and performance tracking resources (such as phishing tests).
It’s essential for companies to give employees compelling reasons to make cybersecurity a priority. Instead of providing cursory cybersecurity awareness training once or twice per year, companies should make it a regular part of their employees’ working lives. It may seem counterintuitive that more frequent training will reduce security fatigue, but there are several reasons why this is the case. First, many employees actually look forward to training when the content is engaging and entertaining. Second, one element of fatigue is a lack of clarity on cybersecurity policies and procedures, which regular training can provide. And third, at a time when the vast majority of employees are prepared to learn new skills to advance their careers, cyber-awareness training can meet this demand.
Employee recognition is central to any effort to confront security fatigue and establish a cyber-aware culture. When employees are rewarded for their efforts to keep the company safe, they’ll be much more inclined to take cybersecurity seriously over the long term.
Establishing a sustainable culture of cybersecurity
Last and most importantly, the way in which a company’s culture is built with regard to cybersecurity is paramount. Fortunately, building healthy cultures has become a top priority for company leaders and employees alike. According to a survey conducted by PwC, the proportion of company leaders who say culture is an “important topic on the agenda” rose from 61% in 2018 to 67% in 2021. Meanwhile, 69% of the organizations that were able to adapt well during the pandemic cited culture as a competitive advantage. Development and training was cited as one of the top culture enablers.
The pervasiveness of security fatigue demonstrates that too many companies have allowed cybersecurity to become a cultural liability rather than an asset. As companies struggle to retain talent in spite of high quit rates and a stubbornly tight job market, they should present cybersecurity education as a valuable form of professional development — something many employees say their companies are failing to provide. This will build a more skilled workforce, reduce turnover and make cybersecurity a core part of the company’s culture.
Companies will only be able to build a culture of cybersecurity when clearly explaining the “why,” including how much damage cyberattacks can cause and how every employee has a role in preventing them. Cyber-awareness education should never feel like a waste of time. When employees understand the stakes of cybersecurity and feel empowered to take action, security fatigue will decrease dramatically.