Is Cyber Fatigue putting everyone in danger?

Guest Post by Rob Kleeger


I am sure that most people today are simply tired with the consistent news about hacking the election, a financial services firm who has been compromised, or worse your PII (Personally Identifiable Information) and PHI (Protected Health information) is being sold on the Dark Web. 


A majority of computer users suffer from “security fatigue” — a weariness of or reluctance to engage with cybersecurity — that leads them into risky behavior online, according to a new study by scientists from NIST (The National Institute for Standards and Technology).  In short, they found that users’ weariness led to feelings of “resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.”  In turn, that made them prone to “avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules” both at work and in their personal online activities including banking and shopping.


The report’s authors write, “Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”


These findings have direct implications for businesses that are legally required to protect personal and financial data, including retailers, financial and healthcare businesses, law and other professional services firms. 


Cybercrime activities like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal’s dirty work. 


Even small businesses can interrupt this chain of events at several points, making it much more difficult for a cyber criminals to gain a foothold.  


The below techniques are simple and inexpensive:

  • Make sure everyone in your company understands phishing schemes and how to recognize them.   A phishing scam is an attempt to trick someone into providing username and password information to a hacker.   Spearphishing is a phishing attack customized to a particular individual.
  • Do not allow people to have administrative privileges on their computers.   This prevents them (or viruses acting under their credentials) from installing hacking tools on a computer.
  • Change passwords regularly and use different passwords for different accounts.   In other words, the password to your work computer should be different from the one you use on, say, your Yahoo account.   Password manager software (such as LastPass, KeePass, Dashlane,...) makes it easy to track and change passwords.
  • Ensure your computers install security updates from Microsoft, Apple, and Adobe automatically.
  • Install antivirus software on your computers
  • Install a firewall if you don’t have one, and review your firewall to tighten it up as much as possible.   A firewall is a device that stands between your network and the rest of the world, blocking unauthorized access.
  • Configure spam filters to be as restrictive as possible and use Sender Policy Framework (SPF) records to reduce the likelihood of phishing messages.
  • Confirm backups run regularly and periodically test those backups.

About Rob Kleeger:


Rob Kleeger is the Founder & Managing Director of Digital4nx Group, Ltd., a boutique firm which offers regional digital forensic investigation and electronic discovery consulting and advisory services.  Kleeger is a frequent speaker and subject matter expert on digital forensics, cyber security, and electronic discovery. He speaks passionately at various industry conferences and seminars around the Metro area and Nationally and has been featured on WNBC/NBC 4 News Channel.