With each new technological advancement, enterprises rush to keep up with the ever-changing ideas of security. While it is understandable that enterprises want to keep up with the times in order to secure themselves against cybersecurity attacks and their ever-increasing sophistication, a bombardment of cybersecurity information can easily backfire and cause a phenomenon known as ‘security fatigue’.
Security fatigue, as the name implies, is the emotional or intellectual exhaustion that comes from continually dealing with cybersecurity policies or tools. This desensitization experienced by employees, when it comes to cybersecurity and safe practices, has been proven to be a huge problem in cybersecurity. The reluctance to deal with the constant demands and requirements of cybersecurity processes results in employees taking easier, though admittedly riskier decisions regarding their cybersecurity.
As humans, it is expected that we get weary from having to keep on constant security alert. This is further exacerbated when the majority of people do not even believe that they are important enough, or have access to such important information that their accounts could be a target for hackers. This is very common in cybersecurity. A study conducted by the National Institute of Standards and Technology (NIST) in 2016 found that the majority of computer users felt overwhelmed and bombarded, and got tired of being at constant alert, adopting safe behaviors, and trying to understand the nuances of online security issues.
We know that a large percentage of security breaches can be traced back to employee behavior. Consequently, if security fatigue is able to harm enterprise security, it is an issue that should be taken seriously and solved sooner than later. Any well-designed information security program that will be put in place to overcome employee security fatigue must carefully balance the positive effects of security protocols, training, and complex systems with the adverse effects that can arise when employees feel overwhelmed by information they cannot process and actions they will not take.
Another major factor to consider is the benefit of simplicity. For many years, cybersecurity professionals have defaulted to adding more layers of security in order to prevent data hacks and breaches. The downside is that each added layer makes the security technology harder for end users to work with. In fact, a popular cybersecurity saying, often attributed to Evi Nemeth, is: "Security is inversely proportional to convenience". Complex systems, however, just leave users frustrated and eventually indifferent.
Today, workers see security policies and practices as inconveniences that obstruct their day-to-day tasks, so employers need to change that. User convenience is the key requirement for technology adoption today, and security technology is no exception. The reason is simple: making authentication and security technology easy to use and seamless increases the likelihood of end-user adoption. Not doing so creates unnecessary friction and incentivizes users to work around the technology. There must therefore be a balance, so that resources remain secure and users remain willing to adopt them.
According to a Forbes study, good UI and UX design can raise a website’s conversion rate up to 200% and 400%, respectively. The security architecture of many organizations is often made up of multiple layers of legacy systems with multiple constraints on their flexibility, which represents an ever-expanding dimension of complexity. Legacy structures often include open seams and soft connections that can be exploited by hackers, whose capacity to infiltrate sprawling systems has grown.
Not only do complex systems pose security threats, they also make life difficult for the employees who have to use them every day, leading them to security fatigue. This shows that one of the major ways to overcome security fatigue among employees is to resist punishing end users. Basically, we can strip away unnecessary security layers that they have to pass through before they can access their information.
Clever design and innovative solutions can deliver solid security without unreasonably impacting the user experience. An effective and balanced approach to cybersecurity helps enterprises prevent and detect security events and intrusions, and recover quickly from them, while also giving employees the ability to simply get their jobs done. While this is never easy, it certainly is achievable.
The evolution of authentication technology has come a long way, from what you know (passwords or shared secrets) to more secure forms of authentication: who you are (fingerprint, face, and iris scanning) and what you possess (key cards or access tokens/badges). Biometrics ensures fast authentication, safe access management, and precise employee monitoring.
Easily verifying users’ identities before providing access to valuable assets is vital for businesses, and it is convenient for employees. Biometric technology enables this by being able to identify whether or not users are who they claim to be, without requiring them to set and remember multiple passwords for use at different stages of the authentication and access-granting processes.
The most popular way enterprises introduce biometric technology into their authentication process is by means of Multi-Factor Authentication (MFA) for verifying employee identity. It requires employees to prove their identity with more than one means of authentication before they are granted access to networked workstations. MFA has proven to be more secure than passwords alone, and it is easier for employees to use because it combines newer improvements to authentication with traditional means like passwords.
The prime example of security fatigue is password fatigue -- employees, required to create safe passwords and remember a different one for every service they use, become overwhelmed by password guidelines and then take riskier decisions concerning their passwords: storing them in insecure files or on post-it notes, or using simple passwords, or the same or similar passwords, across multiple accounts.
Although MFA solutions that combine passwords with secure biometric technology are commonplace, they still keep the password as one of the layered factors rather than removing the problem entirely. By completely eliminating passwords, passwordless authentication not only vastly improves ease of use, seamlessness, and security, it also eliminates the habits that lead users to develop bad password hygiene.
Password elimination brings peace of mind because all the shortcomings of a password-based authentication system are removed. There is no more time wasted on failed password entries, no password resets, and no security questions to remember in order to reset a password. Traditional password-based MFA technology may come with the promise of better security; however, it does not quite deliver like true passwordless technology, which has the added advantage of removing passwords altogether.
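To make the two points above concrete, here is an added Python example (not code from the original article or from any vendor it mentions). It models the server side of a possession-factor login: the server issues a fresh random challenge, the user's registered device answers it with an HMAC over the challenge using a secret that never has to be typed or remembered, and the server checks the answer, rejects replays and expired challenges. It also includes a small MFA policy check showing that "more than one means of authentication" only counts when the factors come from different categories (knowledge, possession, inherence). The symmetric HMAC scheme, the 60-second challenge lifetime and the factor-to-category table are assumptions made for illustration; production passwordless systems use asymmetric device keys (for example FIDO2/WebAuthn), but the replay and expiry handling shown here applies equally to those.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy value: how long an issued challenge remains answerable.
CHALLENGE_TTL_SECONDS = 60

# Assumed mapping of authentication methods to factor categories.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "device_challenge": "possession",
    "fingerprint": "inherence",
}


def satisfies_mfa(verified_factors):
    """True only if the verified factors span at least two categories.

    A password plus a security question are both 'something you know',
    so together they do not amount to multi-factor authentication.
    """
    categories = {FACTOR_CATEGORY[f] for f in verified_factors}
    return len(categories) >= 2


class PossessionAuthenticator:
    """Server side of a passwordless possession-factor challenge-response."""

    def __init__(self):
        self.device_secrets = {}   # user -> secret held by that user's device
        self.challenges = {}       # nonce -> (user, issue time)

    def register_device(self, user, device_secret):
        # Enrolment happens once; afterwards the user never types a secret.
        self.device_secrets[user] = device_secret

    def issue_challenge(self, user):
        # Fresh, unpredictable nonce so every login requires a new answer.
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = (user, time.time())
        return nonce

    def verify(self, user, nonce, response, now=None):
        """Return True if `response` is the device's valid answer to `nonce`."""
        now = time.time() if now is None else now
        # pop() makes each challenge single-use: a replayed answer fails.
        entry = self.challenges.pop(nonce, None)
        if entry is None:
            return False
        owner, issued_at = entry
        if owner != user or now - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        secret = self.device_secrets.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def device_respond(device_secret, nonce):
    """What the registered device computes; the secret never leaves it."""
    return hmac.new(device_secret, nonce.encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample enrolment and login flow.
    auth = PossessionAuthenticator()
    auth.register_device("alice", b"constructed-device-secret")
    nonce = auth.issue_challenge("alice")
    answer = device_respond(b"constructed-device-secret", nonce)
    print("first login:", auth.verify("alice", nonce, answer))    # True
    print("replayed answer:", auth.verify("alice", nonce, answer))  # False
    print("password + question is MFA:", satisfies_mfa(["password", "security_question"]))  # False
```

The `verify` method accepts an explicit `now` so the expiry rule can be exercised deterministically; in normal use it is left at its default.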
The solution to both securing enterprises and satisfying end-users and employees is simple -- enterprises need to prioritize the quality of their security products over quantity. Rather than adding layer after layer of security technology and in turn overwhelming users, enterprises should aim at implementing a few of the best authentication principles and technologies.
Cybersecurity does not have to be complex and bulky – in fact, less is more when it comes to cybersecurity. Also, educate your employees but not inconsiderately. When they see the practical value of cybersecurity education and the simpler, stripped-back methods that they can use to do their work, security fatigue can – slowly but surely – be overcome.