Security Fatigue? Maybe It’s Time to Physically Isolate
In analysis / By Phil Muncaster / 24 October 2016
New research from US standards body NIST suggests that a weariness and reluctance to deal with computer security is exposing users and the companies they work for to unnecessary risk.
There’s even a case for saying IT administrators are becoming increasingly fatigued by an endless stream of threat alerts. It all adds up to pretty bad news for organisations.
But all is not lost – there are things that can be done to keep corporate assets secure.
The NIST research, titled simply Security Fatigue, reveals an increasingly weary online populous filled with a sense of resignation and loss of control and displaying characteristics including fatalism, risk minimisation and decision avoidance.
Although the researchers didn’t set out looking for security fatigue, the sense of weariness expressed by respondents – who were chosen from all ages, job types and location – was apparently telling.
Typically, users said they felt bombarded by security alerts, struggled to manage credentials for multiple online accounts and are basically fed up with having to be constantly on the alert, adopting safe behaviour and understanding the ins and outs of online security.
This weariness is leading to a sense of resignation and loss of control, the report claims. And this in turn can mean users tend to choose the easiest option on offer, behave impulsively and engage in risky behaviour online.
The report authors also got a sense that security is someone else’s problem. And many respondents felt that they were simply “not important” enough for hackers to bother going after. All of which are worrying behaviours which could quite easily expose them to an even greater risk of suffering online fraud or theft, or negligence which could create cybersecurity risk at work.
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” said report co-author Brian Stanton in a statement. “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”
Although not covered in the report, this kind of fatigue could quite easily also be applied to IT teams. The volume of security alert-related info put in front of the average user on a daily basis is nothing compared to the barrage of threat intelligence, security warnings and the like facing your typical IT admin.
Advanced security tools now produce a never-ending stream of information and alerts to triage, investigate and resolve – sifting out the false positives as they go.
Threats are also getting more sophisticated, making the whole investigation process more difficult and time consuming. And all of this must be done with ever-stretched resources.
In July, Intel Security polled over 700 IT leaders in Australia, France, Germany, Israel, Japan, Mexico, the US and the UK and 82% admitted a shortage of cybersecurity skills.
Nearly three-quarters (71%) said that this shortage is directly responsible for damaging their organisation, claiming the shortfall in talent has made them a more desirable target for hackers.
The Insider Threat
What this boils down to is a growing insider threat – whether we’re talking about IT teams or regular employees. Password sharing, using default credentials and other security no-nos are far from uncommon in the IT department.
And as for regular employees, their fatigue-based decision making is a sure fire way to get malware on the corporate network. All it takes is a single ill-advised click on a dodgy link or a suspicious attachment and the entire organisation could be locked out of their data thanks to a crypto-ransomware infection.
Or perhaps that malicious email was the first stage in a targeted attack or advanced persistent threat (APT) designed to covertly install data slurping malware designed to silently search for and exfiltrate sensitive customer data or IP.
The stats speak for themselves. A recent Ponemon Institute report claimed that staff negligence is more than twice as likely to lead to an account compromise than any other reason, including external attackers, third party contractors or malicious employees.
And separate research revealed that human error accounted for nearly two-thirds (62%) of data breaches reported to UK watchdog the Information Commissioner’s Office (ICO) at the start of the year.
Time For Change
As with everything in IT security, there are no quick fixes to endemic problems of this sort. User education obviously plays a part, as do tight information security policies that are regularly communicated to staff. But that won’t work in isolation.
If it only takes one user to make a mistake that could land their organisation in big trouble, then we have to approach this from a different angle.
That Ponemon research also revealed that almost two-thirds (62%) of end users believe they have access to data they probably shouldn’t.
A smart move would therefore be to isolate internal networks both from users and the internet.
The internet is the conduit via which the vast majority of threats travel. And users are the missing link that connects that latent web-based threat to the corporate network.
So give high risk users non-persistent disposable desktops for all their browsing needs. And then air gapped computers to access internal corporate data.
It might not suit every type of company out there. But this kind of “risk persona virtualisation” offers a new approach already being used by organisations like the FBI, where cybersecurity is obviously paramount.
The bottom line is security fatigue is here to stay, so we have to get smarter about how we manage access to our most important IT resources.