Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

2/9/2017
04:00 PM
Tom Pendergast
Tom Pendergast
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

4 Signs You, Your Users, Tech Peers & C-Suite All Have 'Security Fatigue'

If security fatigue is the disease we've all got, the question is how do we get over it?

There’s been a lot of talk about security fatigue lately, in the press and in my office. It’s a term that people get right away, and it feels like one of the classic social phenomena of our era, like multitasking or that phantom buzz in your pocket.

If security fatigue is the disease we’ve all got (even security pros!), the question is how do we get over it? To help answer that question, let’s take a look at four signs that identify the symptoms, along with recommendations that will put you and your users on the road to recovery.

Sign 1: You Reuse Passwords
Symptom: You want that 10% off coupon for creating an account on a new website—so you use your email address and that one password you use for all those "minor" accounts you’ve created.

What’s the Worst That Could Happen? At the least, hacking that single password might give criminals access to your personal card data. That’s a pain, but most credit card purchases are protected. But if the same hacker starts trying that password on other accounts, and those accounts include more personal information or are used for work credentials, and you could quickly move from identify theft to a data breach. Ouch!

Cure: The best cure is a password manager, which is the easiest way to create unique, lengthy, and difficult-to-crack passwords for every login. Sadly, most people aren’t ready to take this strong medicine. So they fall back on a variety of other schemes to introduce some level of complexity to their password. There are a million of these schemes, and combine them with multi-factor authentication you just may be okay. But you can’t be sure. So use a password manager!

Sign 2: You Forget to Connect to VPN
Symptom: You’re doing some work from home, and you just jump right in and go—completely ignoring the step of setting up a VPN connection. You’re just catching up on e-mail after all.

What’s the Worst That Could Happen? If your home WiFi is password-protected, and you’re just sending email, the risk is pretty low. But let’s say you connect to an insecure website and it tries to download malware—you’re exposed. And you’re not always on password-protected networks or just doing email, right? The truth is, if you’re connecting to the Web or sending sensitive documents, you’re exposed without VPN.

Cure: It’s not establishing a VPN connection that’s hard. The hard part is remembering. It’s a matter of making it a habit, like snapping on your seat belt. I’ve put a reminder on my startup screen that I see every time I log in, and it really helps. We all have the capacity to trigger electronic reminders these days, so set one up for VPN usage today.

Sign 3: You Click on an Email Link — Even Though You’re not Sure
Symptom: It’s been a long day, but you’re determined to churn through a few emails before you bail out. Hmm, you think, you wouldn’t mind winning a new Amazon Alexa offered in one email, so you click the enter automatically link

What’s the Worst That Could Happen? There’s a brief pause as you go to the innocuous-looking site. That pause, unfortunately, indicates the site is downloading a nasty piece of ransomware that will infect your network and bring work to a grinding halt. Cybercriminals have so many different ways to hook you, but they all begin by you visiting a site or downloading a file (or plugging in a USB drive), because you didn’t take that extra second to make sure you were taking the safest action.

Cure: Phishing sucks! It’s the most common form of cybercriminal attacks on employees, and it can be VERY difficult if not impossible to detect. But you can resist phishing with a few simple tricks. First, turn your baloney detector on high and quickly delete anything that sounds too good to be true or comes out of left field. Second, recognize that you should never act on emails when you’re in a hurry (unless it’s to delete them). Third, if you get a lot of commercial email (I sure do), use rules to move it all to a folder, and then take a little time a few times each week to go through and identify the stuff you want to act on—deleting everything else. Remember, you’re in control of your actions when it comes to your email, so make it a personal challenge to never get caught.

Sign 4: You Don’t Report Something that Seems Off
Symptom: Stopping in the kitchen for a cup of coffee, you notice a folder on the counter, with a sticky that says "Vendor Contracts, First Quarter." The person who left it will probably be right back, you reason, so you fill your cup and get off to that meeting.

What’s the Worst That Could Happen? Remember that stranger you let in the door earlier? She could find a gold mine in that folder. Or the disgruntled employee who came in as you headed out. Perhaps he could use what’s in that folder to embarrass the company. The truth is, unreported suspicions can blossom into leaks of proprietary information or malware infections all too easily.

Cure: Reporting suspicious incidents or observations is inconvenient! But so is stopping at red lights, washing your hands before you eat, and a whole lot of other things that we go ahead and do because we care about our fellow man and want to make the world a decent place to live. So report suspicious behavior.

Do you note the similarities in all the cures to security fatigue? They all come back to the need to adopt a new mental model about security and to develop new habits that support that mental model. If you care about protecting yourself and your company from cybercrime, developing those new habits will not be hard. First care, then act. It’s that easy.

Related Content:

 

Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/18/2017 | 2:14:52 PM
Re: QED
@TomP: Indeed.  Or, put another way, "Share this on Facebook and Twitter!"  :)
tompendergast
50%
50%
tompendergast,
User Rank: Author
2/13/2017 | 1:02:04 PM
Re: QED
I'd like to think so, but even those who don't have it can help recognize the signs and move others to improve.
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
2/13/2017 | 9:24:49 AM
QED
I tend to think that by the very fact of people being even every-now-and-then readers of this site, they don't have security fatigue...yet.  ;)
macker490
100%
0%
macker490,
User Rank: Ninja
2/10/2017 | 7:20:30 AM
all of us suffer
i think we are all suffering.   we are burned-out trying to fix a problem we can do little about.

two things are needed

1. secure operating software

2. effective message authentication

these requirements can only be provided from the OEM development shops.   Until these shops are properly motivated to do things the right way burn-out will continue to get worse -- every year -- as it has recently.

if you total up the cost for all the band-aids, and staff hours required to administer same -- and then add to that the intangible cost of frustration and worry you'd come up with a pretty big number

it means nothing though as the elements responsible for the problem do not carry the cost of its consequences.

at some point, as a society, we will be forced to re-think this -- or make rather far reaching changes in the way we connect electronic equipment. 
CaitlinT801
100%
0%
CaitlinT801,
User Rank: Apprentice
2/10/2017 | 6:46:28 AM
VPN as a protection
Whatever the signs are, it's good to use precautions such as using a VPN. I have been using PureVPN for ultimate privacy and protection and it works good.
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19794
PUBLISHED: 2019-12-13
The miekg Go DNS package before 1.1.25, as used in CoreDNS before 1.6.6 and other products, improperly generates random numbers because math/rand is used. The TXID becomes predictable, leading to response forgeries.
CVE-2019-19795
PUBLISHED: 2019-12-13
samurai 0.7 has a heap-based buffer overflow in canonpath in util.c via a crafted build file.
CVE-2019-19796
PUBLISHED: 2019-12-13
Yabasic 2.86.2 has a heap-based buffer overflow in myformat in function.c via a crafted BASIC source file.
CVE-2019-5253
PUBLISHED: 2019-12-13
E5572-855 with versions earlier than 8.0.1.3(H335SP1C233) has an improper authentication vulnerability. The device does not perform a sufficient authentication when doing certain operations, successful exploit could allow an attacker to cause the device to reboot after launch a man in the middle att...
CVE-2019-5260
PUBLISHED: 2019-12-13
Huawei smartphones HUAWEI Y9 2019 and Honor View 20 have a denial of service vulnerability. Due to insufficient input validation of specific value when parsing the messages, an attacker may send specially crafted TD-SCDMA messages from a rogue base station to the affected devices to exploit this vul...