Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:00 PM
Tom Pendergast
Tom Pendergast
Connect Directly
E-Mail vvv

4 Signs You, Your Users, Tech Peers & C-Suite All Have 'Security Fatigue'

If security fatigue is the disease we've all got, the question is how do we get over it?

There’s been a lot of talk about security fatigue lately, in the press and in my office. It’s a term that people get right away, and it feels like one of the classic social phenomena of our era, like multitasking or that phantom buzz in your pocket.

If security fatigue is the disease we’ve all got (even security pros!), the question is how do we get over it? To help answer that question, let’s take a look at four signs that identify the symptoms, along with recommendations that will put you and your users on the road to recovery.

Sign 1: You Reuse Passwords
Symptom: You want that 10% off coupon for creating an account on a new website—so you use your email address and that one password you use for all those "minor" accounts you’ve created.

What’s the Worst That Could Happen? At the least, hacking that single password might give criminals access to your personal card data. That’s a pain, but most credit card purchases are protected. But if the same hacker starts trying that password on other accounts, and those accounts include more personal information or are used for work credentials, and you could quickly move from identify theft to a data breach. Ouch!

Cure: The best cure is a password manager, which is the easiest way to create unique, lengthy, and difficult-to-crack passwords for every login. Sadly, most people aren’t ready to take this strong medicine. So they fall back on a variety of other schemes to introduce some level of complexity to their password. There are a million of these schemes, and combine them with multi-factor authentication you just may be okay. But you can’t be sure. So use a password manager!

Sign 2: You Forget to Connect to VPN
Symptom: You’re doing some work from home, and you just jump right in and go—completely ignoring the step of setting up a VPN connection. You’re just catching up on e-mail after all.

What’s the Worst That Could Happen? If your home WiFi is password-protected, and you’re just sending email, the risk is pretty low. But let’s say you connect to an insecure website and it tries to download malware—you’re exposed. And you’re not always on password-protected networks or just doing email, right? The truth is, if you’re connecting to the Web or sending sensitive documents, you’re exposed without VPN.

Cure: It’s not establishing a VPN connection that’s hard. The hard part is remembering. It’s a matter of making it a habit, like snapping on your seat belt. I’ve put a reminder on my startup screen that I see every time I log in, and it really helps. We all have the capacity to trigger electronic reminders these days, so set one up for VPN usage today.

Sign 3: You Click on an Email Link — Even Though You’re not Sure
Symptom: It’s been a long day, but you’re determined to churn through a few emails before you bail out. Hmm, you think, you wouldn’t mind winning a new Amazon Alexa offered in one email, so you click the enter automatically link

What’s the Worst That Could Happen? There’s a brief pause as you go to the innocuous-looking site. That pause, unfortunately, indicates the site is downloading a nasty piece of ransomware that will infect your network and bring work to a grinding halt. Cybercriminals have so many different ways to hook you, but they all begin by you visiting a site or downloading a file (or plugging in a USB drive), because you didn’t take that extra second to make sure you were taking the safest action.

Cure: Phishing sucks! It’s the most common form of cybercriminal attacks on employees, and it can be VERY difficult if not impossible to detect. But you can resist phishing with a few simple tricks. First, turn your baloney detector on high and quickly delete anything that sounds too good to be true or comes out of left field. Second, recognize that you should never act on emails when you’re in a hurry (unless it’s to delete them). Third, if you get a lot of commercial email (I sure do), use rules to move it all to a folder, and then take a little time a few times each week to go through and identify the stuff you want to act on—deleting everything else. Remember, you’re in control of your actions when it comes to your email, so make it a personal challenge to never get caught.

Sign 4: You Don’t Report Something that Seems Off
Symptom: Stopping in the kitchen for a cup of coffee, you notice a folder on the counter, with a sticky that says "Vendor Contracts, First Quarter." The person who left it will probably be right back, you reason, so you fill your cup and get off to that meeting.

What’s the Worst That Could Happen? Remember that stranger you let in the door earlier? She could find a gold mine in that folder. Or the disgruntled employee who came in as you headed out. Perhaps he could use what’s in that folder to embarrass the company. The truth is, unreported suspicions can blossom into leaks of proprietary information or malware infections all too easily.

Cure: Reporting suspicious incidents or observations is inconvenient! But so is stopping at red lights, washing your hands before you eat, and a whole lot of other things that we go ahead and do because we care about our fellow man and want to make the world a decent place to live. So report suspicious behavior.

Do you note the similarities in all the cures to security fatigue? They all come back to the need to adopt a new mental model about security and to develop new habits that support that mental model. If you care about protecting yourself and your company from cybercrime, developing those new habits will not be hard. First care, then act. It’s that easy.

Related Content:


Tom Pendergast is MediaPRO's Chief Learning Officer. He believes that every person cares about protecting data, they just don't know it yet. That's why he's constantly trying to devise new and easy ways to help awareness program managers educate their employees. Whether it's ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
2/10/2017 | 6:46:28 AM
VPN as a protection
Whatever the signs are, it's good to use precautions such as using a VPN. I have been using PureVPN for ultimate privacy and protection and it works good.
User Rank: Ninja
2/10/2017 | 7:20:30 AM
all of us suffer
i think we are all suffering.   we are burned-out trying to fix a problem we can do little about.

two things are needed

1. secure operating software

2. effective message authentication

these requirements can only be provided from the OEM development shops.   Until these shops are properly motivated to do things the right way burn-out will continue to get worse -- every year -- as it has recently.

if you total up the cost for all the band-aids, and staff hours required to administer same -- and then add to that the intangible cost of frustration and worry you'd come up with a pretty big number

it means nothing though as the elements responsible for the problem do not carry the cost of its consequences.

at some point, as a society, we will be forced to re-think this -- or make rather far reaching changes in the way we connect electronic equipment. 
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
2/13/2017 | 9:24:49 AM
I tend to think that by the very fact of people being even every-now-and-then readers of this site, they don't have security fatigue...yet.  ;)
User Rank: Author
2/13/2017 | 1:02:04 PM
I'd like to think so, but even those who don't have it can help recognize the signs and move others to improve.
Joe Stanganelli
Joe Stanganelli,
User Rank: Ninja
2/18/2017 | 2:14:52 PM
@TomP: Indeed.  Or, put another way, "Share this on Facebook and Twitter!"  :)
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-23
In kernel/bpf/verifier.c in the Linux kernel before 5.12.13, a branch can be mispredicted (e.g., because of type confusion) and consequently an unprivileged BPF program can read arbitrary memory locations via a side-channel attack, aka CID-9183671af6db.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.
PUBLISHED: 2021-06-23
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.