How to Wake Up Your Security-Fatigued Employees

A widely shared survey last week called attention to the growing number of end-users who feel "security fatigue" related to their responsibilities around staying protected from cyberattacks.

The respondents to the study, conducted by the U.S. National Institute of Standards and Technology (NIST), expressed sentiments of "weariness and reluctance" when it comes to dealing with computer security both at home and in the workplace, primarily because they continually feel besieged by warnings and requests.

"When asked to make more computer security decisions than they are able to manage, they experience decision fatigue, which leads to security fatigue," NIST said. "Researchers found that the result of weariness leads to feelings of resignation and loss of control. These reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively and failing to follow security rules."


While this news may be disconcerting for security professionals, it should not come as much of a surprise. Researchers have been sounding the alarm for years about the burden that practicing security places on end-users, and about how many of them make what is, from their point of view, a "rational" decision to ignore security advice and training because the cost to them outweighs the benefit they perceive - even though the human element is widely considered the weakest link in an organization and is involved in a large share of breaches.

So what options exist for organizations to ensure that their employees aren't going to sleep on infosec? Here are five recommendations that will help cultivate a more alert and accommodating user base - and lead to a more mature security program overall.


Balance Security and Risk with Usability

If your users view security as a disruption that forces them to jump through too many hoops to do their jobs, they will avoid it and work around controls, exposing your organization to even more harm than the control was meant to prevent. Every workaround you discover (a shared password, data moved to a personal account, a blocked tool replaced by an unsanctioned one) is a signal that a control is imposing more friction than its risk reduction justifies. Your job as a security professional is to keep the company protected while acting as an enabler who recognizes the need for worker productivity.


Avoid Telling Employees Too Much

Beyond security fatigue, users can also experience "training fatigue" if your awareness efforts throw too much at them, too often. Instead, identify the few themes that matter most to your organization and that will produce the greatest reduction of risk, keeping in mind that each department faces different risks: the finance team's exposure to invoice fraud is not the same as the development team's exposure to compromised dependencies, so a single generic curriculum serves neither well.


Build in and Test Security

One way to avoid security fatigue is to never have to rely on users in the first place: catch oversights and weaknesses before criminals are able to use them against your users. You can accomplish this by implementing secure development practices (and resisting the pressure to rush new projects to market), and by security testing your databases, networks and applications so that the controls users do have to live with are fewer and better justified.


Prepare for Mistakes

Some attacks will inevitably get through, which is why focusing disproportionately on prevention is a fast-pass to cyber mayhem. You also need to invest in detection and response so that you can identify threats that are already inside your environment and react to them methodically before real damage is done. This also changes how you talk to users: if the message is "one click and it's over," a user who has slipped up has no reason to report it; if the message is "report it and we will contain it," the human element becomes a detection source rather than only a point of failure.


Amplify Your Resources

The IT department isn't immune to security fatigue either, or to security pressures for that matter. If you find yourself trying to compensate for shortages in time, skills and expertise, and spreading what resources you do have too thin, it may be time to consider outside help. Partnering with a managed security services provider can assist you in a multitude of ways.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.
