The wider American public was afforded an unwanted glimpse into the Wild West world of ransomware this week, after a cyber-attack crippled Colonial Pipeline, causing fuel shortages across the eastern seaboard and states of emergency to be declared in four states, reports The Guardian.
The latest ransomware attack on the US Colonial Pipeline has sparked a discussion about how the attack happened – with many cybersecurity professionals pointing out a phishing attack as a probable cause.
Here comes SAT to the play. The term SAT stands for Security Awareness Training, which seems to have come back to the fore for a very good reason.
Thus far, some cybersecurity professionals regarded SAT as a money and time wasting endeavour but it has been recently reported that, by 2022, 60% of large organisations will have comprehensive SAT programs. The global spending on security awareness training for employees is predicted to reach $10 billion by 2027, according to the Gartner Magic Quadrant for SAT 2019.
Humans make mistakes
The average human makes 35,000 decisions every single day. On a weekday, the majority of these decisions are those made at work: decisions around things like data sharing, clicking a link in an email, entering the password credentials into a website.
Employees have so much power at their fingertips, and if any one of these 35,000 decisions is, in fact, a bad decision – like somebody breaking the rules, making a mistake or being tricked – it can lead to serious security incidents for a business, warns Tim Sadler from Tessian.
The Tissian article also warned that are three fundamental problems with any awareness campaign: (1) it is often irrelevant to the user, (2) training is often boring, and (3) it takes a big chunk of money out of the business.
On the other hand, many cybersecurity professionals believe that SAT is still indispensable for fighting cyber-crime. However, it seems that part of the problem around the fact that most users have no idea how big of a role security awareness training can play in their fight against, for example, social engineering or phishing – as compared to other defences.
Here is an illustration of the digital technology user’s confusion. Users are told they have to do a “hundred different things” to fight computer crime, such as “Make sure your software is patched”, “Make sure to lock your desktop when you are away”, “Don’t click on unexpected file attachments”, and “Make sure your password is long and complex”. Users hear so many rules and recommendations that they cannot figure out which one is or is not as important as another.
There is, however, very little teaching of relevance in the computer security world. It is the equivalent of playing with Nerf darts to playing with real guns. Both can cause injury, but one is more likely to result in serious, long-lasting injury than another, warned the True North Networks.
So, the question is how do we make employees more engaged with and care about cybersecurity training? Here is some advice from cybersecurity professionals.
‘Classic’ approach to SAT
SAT is one-size-fits-all and boring, cautions the Tessian article: “We give the same training content to everyone, regardless of their seniority, tenure, location, department, etc. This is a mistake. Every employee has different security characteristics (strengths, weaknesses, access to data and systems) so why do we insist on giving the same material to everybody to focus on”?
“We dress it up, SAT just isn’t engaging. The training sessions are too long, videos are cringeworthy and the experience is delivered through clunky interfaces reminiscent of CD-ROM multimedia from the 90s. What’s more, after just one day people forget more than 70% of what was taught in training, while 1 in 5 employees don’t even show up for SAT sessions”, added Sadler.
On the other hand, the cybersecurity articles and blogs on the topic often suggest ‘classic’ improvements of SAT such as using personal messages, incentives, rewards, certificates and alike. Although these actions are important, we believe that one critical facet of SAT is often neglected: cybersecurity fatigue.
Cybersecurity fatigue in a nutshell
Cybersecurity fatigue manifests itself in much the same way in what psychologists call ‘decision fatigue’ or ‘ego depletion. It drains our mental energy making us less resistant to real dangers and lures us to do things without real consideration for consequences.
“I get tired of remembering my username and passwords. I never remember the PINs; there are too many things for me to remember. It is frustrating to have to remember this useless information.”
“[It]…first gives me log in, then it gives me a site key I have to recognise, then gives me a password. So that is enough, don’t ask me anything else” was a resentful testimony of one of the participants in a recent US National Institute of Standards and Technology (NIST) study. “It also bothers me when I have to go through more additional security measures to access my things or get locked out of my account because I forgot as I accidentally typed in my password incorrectly”, added another irked participant in this study.
As we have written in our previous post, achieving individual objectives and finding the way of least resistance is the key driver for many employees when approaching working responsibilities. For example, cybersecurity warnings are used to inform the users of the risks of allowing potentially harmful applications to run on a particular computer. However, the practice shows that most of the users tend to ignore those warnings as they are appearing over and over again. This behaviour eventually leads to bad habituation.
It is needless to say that this ‘bury head in the sand’ approach is the most damaging to those self-deceiving users. This behaviour can, for example, result in stolen identities, which can often end up in stolen money or reputation. Refusing to enhance online security because people loathe the added security pathways can cost businesses revenue and lost customers.
What to do about it?
The first step in managing cybersecurity fatigue should be a recognition that, when under fatigue, we tend to make ‘escaping’ decisions. Declaring that nobody will attack us as we are too small and do not have anything of great value or that cybersecurity is somebody else’s responsibility – these are all examples of self-deception.
Some reports show that at least one out of every 20 Fortune 1000 companies had experienced a publicly disclosed breach, which prods some people to think that the cybersecurity measures do not have any value. Hence, it is needless to bother. This defeatist behaviour inhibits people to make the right decisions. However, by doing nothing the cybersecurity threats will not disappear.
Being knowledgeable about common cybersecurity scams is a driving motivation behind cybersecurity campaigns. However, it is well reported that many cybersecurity awareness campaigns fail to change behaviour due to the cybersecurity fatigue of employees. Hence, the role of many cybersecurity awareness campaigns and programmes should be re-examined as they also contribute to cybersecurity fatigue. Generally, these campaigns should be based on personal concerns, without too many details of how the attacks are done but what the consequences are.
Building a proactive culture, which demonstrates that cybersecurity is not a solely technological problem, can also help in managing security fatigue. Educating and training users on how to protect their devices and data should be a part of organisational culture. Developing this kind of culture should start at the school level and then extended beyond to the working places and private lives, hence making it national cybersecurity minded culture.
A final thought: it is necessary to reiterate that cybersecurity fatigue can make computer users feel hopeless and act recklessly. Looking forward, it is good to know that reputable standardisation organisations such as NIST have recognised and are addressing cybersecurity fatigue. However, at this point, this phenomenon is not sufficiently explored eider internationally or in South African. Hence need for more light to be thrown on this important topic.