
How You Can Fight Cyber Fatigue

Do Employees Still Disregard the Security Protections their Networks Put in Place to Defend Against Attackers?

More than two decades into the mass adoption of the internet, many rank-and-file employees still disregard the security protections their networks put in place to defend against attackers.

That doesn’t shock Dr. Terry Gudaitis, a security specialist who once spent time as an FBI profiler. Watching people and understanding their motivations is what she does.

A major financial institution she was working with insisted that all employees use its highly secure, wireless network for any business they did. That sounded ideal for a short while. And then the problems started.

“They didn’t have a really good signal, and too many people were trying to jump on,” she says. “And so, someone set up a hotspot on like the 15th floor, in the men’s room. And literally it became like a little café in there. That hot spot had much better connectivity, so people were clamoring to get in. They just wanted better service.”

Years ago, techies might have accused these rogue employees of disloyalty or worse. Nowadays, we call it cyber fatigue: the low-grade burnout that sets in when workers face a pokey network, one password too many, an authentication scheme they can’t remember, or some other needless obstacle to doing their job.

Consultant Dan Kusnetzky, who sees this play out on a regular basis in the corporate world, says that security needs to move towards greater simplicity. Unfortunately, organizations often create unnecessary security complications for their employees. Consider, for instance, the way many businesses treat password security requirements.

“Are the requirements for passwords making them impossible for a normal person to remember? If so, it is likely that a forest of sticky notes containing passwords will sprout on the devices or on a plain-text paper on the desk,” he said.

What’s more, Kusnetzky added, he doesn’t think the average network user should have to remember odd combinations of letters, numbers and punctuation marks, either.
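The two styles of password rule Kusnetzky contrasts can be put side by side in code. The block below is an added example, not code from the article or its interviewees: it checks a few constructed candidate passwords against a legacy "three of four character classes" rule and against a length-plus-blocklist rule of the kind NIST SP 800-63B now recommends. The blocklist, the candidates and the 15-character minimum are assumptions chosen for illustration; a real deployment would check against a breached-password list.

```python
"""Legacy complexity rule versus a length-based rule with a blocklist.

Added example, not from the article. Candidate passwords and the
blocklist are constructed for illustration only.
"""
import math
import string

# Constructed blocklist. In practice this is a large breached-password list,
# checked after normalization so "Correct Horse Battery Staple" is caught too.
BLOCKLIST = {
    "password", "password1", "qwerty123", "welcome1", "summer2019",
    "correcthorsebatterystaple",
}


def legacy_complexity_ok(pw: str) -> bool:
    """Old-style rule: at least 8 characters and three of four character classes.

    This is the 'odd combinations of letters, numbers and punctuation' rule.
    It accepts short, predictable strings and rejects long, memorable ones.
    """
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def length_policy_ok(pw: str, min_len: int = 15) -> bool:
    """Length-based rule: long enough and not a known-bad password.

    No character-class requirements, so a plain-word passphrase is allowed.
    Spaces and case are stripped before the blocklist lookup.
    """
    normalized = pw.lower().replace(" ", "")
    return len(pw) >= min_len and normalized not in BLOCKLIST


def random_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits IF each symbol is drawn uniformly at random.

    Humans almost never choose this way, so treat the figure as an upper
    bound. For a Diceware-style passphrase the 'alphabet' is the wordlist.
    """
    return length * math.log2(alphabet_size)


def compare(candidates):
    """Map each candidate to (passes legacy rule, passes length rule)."""
    return {pw: (legacy_complexity_ok(pw), length_policy_ok(pw)) for pw in candidates}


# Constructed candidates: two 'complex' passwords that users actually pick,
# one famous passphrase that belongs on any blocklist, and one fresh passphrase.
CANDIDATES = [
    "P@ssw0rd",
    "Welcome1!",
    "correct horse battery staple",
    "plum kettle orbit wagon",
]

if __name__ == "__main__":
    for pw, (legacy, modern) in compare(CANDIDATES).items():
        print(f"{pw!r:34} legacy={legacy!s:5} length+blocklist={modern}")
    # Upper bounds, assuming uniform random choice:
    print("8 random printable chars:", round(random_entropy_bits(95, 8), 1), "bits")
    print("4 random Diceware words :", round(random_entropy_bits(7776, 4), 1), "bits")
```

Run as a script, the legacy rule accepts "P@ssw0rd" and "Welcome1!" and rejects both passphrases, while the length rule rejects the two short strings, rejects the famous passphrase because it is blocklisted, and accepts the fresh one. The entropy figures show that four words drawn at random from a 7,776-word list are in the same range as eight random printable characters, without the sticky note.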

University of Maryland professor Rick Forno has seen plenty of examples of workers driven to distraction by security speed bumps. He’ll even admit to having violated a cardinal rule himself, once.

“The only time I wrote down a password was for a client,” Forno acknowledged.

Forno recalled that each time he would enter the client’s secure facility, the password requirements were more than he could track.

“I’d have to spend 30 minutes getting myself verified,” he said. “I couldn’t remember the password.”

Gudaitis notes that top managers seldom tolerate cumbersome security. Even so, that doesn't mean they should be given special treatment. C-level executives handle the most sensitive information there is, so it's especially important they toe the line along with everyone else.

Persuasion and people skills are critical to getting compliance. Successful security often means thinking like a generalist first and a security guru second.

"The question ‘why does your car have brakes?’ is a telling one,” said consultant and former CERT director Ken Van Wyk. “Most people when asked will tell you it's to enable you to slow down. But the right answer is they are there to enable you to drive fast safely. You have to find a balance ... Security can't just be the department that says no.”

Instead, he said, security professionals should take their cue from an organization like Disney on how to guide users to their goal.

"At Disney World, dad walks up and finds the nearest employee and says, ‘Hey, my kid wants a Mickey Mouse ice cream bar.’ The Disney approach to customer service is that the employee now owns that problem... But the employee can’t simply say go down this street and find an ice cream bar. The employee has to take you through that solution and make sure it's resolved. Organizations that put their customers first are going to provide superlative service, no matter what."

Security professionals are fighting a popular culture in which, Gudaitis noted, sloppy cyber hygiene is widespread.

“What I hear from the individual is ‘it’s too complicated. I’m not a techie. It takes too much time. I can’t remember all these passwords.’ There’s a home society culture that competes against a lot of policies that organizations have set,” she said.

Still, society’s experience with seatbelts, bicycle helmets and the anti-smoking campaigns of the 1960s and 70s offers evidence that public education campaigns can be effective in getting people to change their behavior.

But Gudaitis cautioned against expecting too much, too soon. When it comes to getting employees to unlearn bad security habits that they picked up at home, all too often, the two sides “are still not on the same page.”


About the Author

William Rodger

Technical Writer

Will Rodger is a veteran communicator and policy specialist with more than 20 years experience in public and governmental affairs in the United States and Europe. His work has appeared in publications such as USA TODAY, Wired Magazine, and Business Week.
