Security Fatigue: What it is and how to manage it

Posted on: February 18, 2025

Security fatigue is the state of being so exhausted and overwhelmed by threats and safety measures that you just can’t deal with it anymore. It’s understandable, and it leads to irrational but predictable behaviour.

From a user perspective, we all get it. No, I don’t want to restart my computer right now, in the middle of the day, when I’m trying to get this work done. Steve needs to borrow $20? That’s weird because… well, whatever. Yes, I approve the e-transfer request. And, yes, I do allow that program to make changes, because I just asked to. Didn’t I??? Update. Download. Change the password. It’s exasperating.

Fighting for our psychological well-being, our brain starts telling us that it’s not that important. The threats aren’t really targeting us. We don’t need to worry about it right now. We start to ignore all of it. That’s when we’re vulnerable.

So, what can you do to protect your business? Here are a few ideas.

Use business-wide measures as much as possible: The less employees have to do in order to comply with security protocols, the more likely they are to do it consistently.

Explain the risks in concrete terms: Every business is unique, so make sure employees understand what your biggest concerns are and why.

Create instructions to go with security policies: When you can’t figure out how to do something, you’re likely to set it aside. Make sure employees know the policies and also how to comply with them.

Make someone responsible for policy-standard setups: Many businesses have specialized software that is top of mind when onboarding new employees. Remember, though, that new employees may not know, or even think about, how to make sure that firewalls and automatic updates are turned on.

Use singular-task reminders: Reminding people every day about IT security in general just makes the fatigue worse. Instead, be specific, like “Chrome has issued an update. You can relaunch your browser right now. All of your tabs will reopen.”

Talk about the latest scams: Social engineering scams are still not well known to most people, and AI has made it easier to spoof branded emails and even complete websites. Sharing news stories and employees’ personal experiences makes the threats real and helps to promote the “us vs. them” mentality needed to thwart those devilishly clever scammers.