Every one of us knows one person or colleague who has a Post-it® Note full of passwords stuck to their monitor. Pre-pandemic, this was a one-in-ten case of security malpractice. But with how rapidly organisations have adopted digital solutions for remote work in the past two years, I'm willing to bet remote workers have passwords written down everywhere from their laptops to their kitchen counter, creating a security nightmare for any IT team.
This is just one anecdotal instance of the security fatigue rapidly sweeping across most organisations across the world. CyberArk reports over 67% of employees attempt to circumvent security policies and 82% reuse older passwords, among a litany of other security no-nos. Our own SolarWinds® IT Trends Report revealed an increase in apathy and complacency as organisations transition into a post-pandemic world with a false sense of security.
For government agencies dealing with sensitive public data or managing essential citizen services, security fatigue is an inevitable precursor to a cyberthreat capable of bringing the agency to its knees. Federal IT teams must address and mitigate the risks of security fatigue at all costs, but how should they do it? Below are some simple steps they can begin to take.
Decisions, Decisions, Decisions!
One of the biggest sins within the realm of IT security is reused passwords, and it's only natural for security teams to mandate a separate password for each of the many solutions and services at play. However, this creates "unnecessary" friction and decision-making for federal employees. One can only think up so many combinations of letters, special characters, and numbers before security fatigue and apathy begin to set in.
In other words, federal IT security teams must increasingly consider how their cybersecurity decisions and policies affect fellow workers. To combat the onset of security fatigue or apathy, IT teams should reduce the number of security decisions users are required to make daily, or even hourly.
A simple way to do this would be to provide access to a password manager that generates and stores a unique, encrypted password for each service, removing a huge swathe of decision-making in the process. Similar moves could be made to adopt two-factor authentication tools built to readily integrate into existing technologies, cloud services, or essential services.
Build a Zero-Trust Culture
Once-a-year security training is no longer sufficient, especially since cybercriminals now exploit an employee's feelings of fatigue and a false sense of security round the clock. The public workforce is reportedly falling victim to sophisticated phishing attacks, with central governments experiencing a 77% increase in such attacks since the pandemic began—which is higher than even the private sector!
That means a zero-trust security culture must become the norm at all costs. Ask anyone, and they'll tell you I'm a huge proponent of running internal phishing exercises on a monthly—even weekly—basis. This has the dual effect of keeping employees on their toes while allowing IT security teams to identify vulnerabilities in their systems, whether the weak point is a person, a process, or the infrastructure. Plus, these exercises are relatively cheap to execute, at least compared to what you'll be paying for a data breach fine or a ransomware attack.
To further press this point, security teams must think of cybersecurity less as something they do and more as a mindset federal employees must adopt. This means taking a more behavioural approach; for instance, taking the time to guide employees to think about why security policies are important, rather than simply forcing those same policies on people without explanation.
Make Security Visibly Measurable
The above approaches, solutions, and simulations are only possible when federal IT security teams have unparalleled visibility over the security surface of their networks. You can't measure, remediate, or mitigate what you can't see, which makes things like user activity monitoring, log analysis, and network event management all the more critical. Get these solutions in place first (if you haven't already), and the rest should easily follow.
With this level of deep visibility over your entire network, any early signs of security fatigue or complacency—like a higher rate of logged incidents or unauthorised user access—would be easier to detect and address. Though security fatigue may develop over a prolonged time frame, having the data and logs at hand allows IT security teams to begin spotting patterns and act before it's too late.
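To make the two signals mentioned above concrete, here is an added example (not code from the original post or from SolarWinds) that runs over a handful of constructed authentication log lines. It flags users whose daily failed-login count has climbed well above their own baseline, a common footprint of password fatigue, and lists access attempts to resources a user is not entitled to. The log format, the user names, the resource names and the entitlement table are all assumptions made for the example.

```python
"""Spot early signs of security fatigue in constructed auth-log lines.

Two checks, each a named function so the results can be reused:
  rising_failure_users()  - failed logins on the latest day vs. the user's baseline
  unauthorised_access()   - access attempts to resources outside a user's entitlements
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from any real system). The line format is an
# assumption: "<ISO timestamp> user=<name> action=<login|access> result=<ok|fail> resource=<name>"
SAMPLE_LOG = """\
2024-03-04T08:01:10 user=alice action=login result=fail resource=vpn
2024-03-04T08:01:40 user=alice action=login result=ok resource=vpn
2024-03-04T08:05:00 user=bob action=login result=ok resource=vpn
2024-03-04T08:06:00 user=bob action=access result=ok resource=finance-db
2024-03-05T08:02:00 user=alice action=login result=fail resource=vpn
2024-03-05T08:02:30 user=alice action=login result=ok resource=vpn
2024-03-05T08:04:00 user=bob action=login result=ok resource=vpn
2024-03-06T08:00:05 user=alice action=login result=fail resource=vpn
2024-03-06T08:00:20 user=alice action=login result=fail resource=vpn
2024-03-06T08:00:35 user=alice action=login result=fail resource=vpn
2024-03-06T08:10:00 user=alice action=login result=fail resource=hr-portal
2024-03-06T08:10:15 user=alice action=login result=fail resource=hr-portal
2024-03-06T08:10:40 user=alice action=login result=ok resource=hr-portal
2024-03-06T08:03:00 user=bob action=login result=fail resource=vpn
2024-03-06T08:03:20 user=bob action=login result=ok resource=vpn
2024-03-06T09:00:00 user=bob action=access result=ok resource=hr-portal
2024-03-06T09:30:00 user=carol action=access result=fail resource=finance-db
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"result=(?P<result>\S+) resource=(?P<resource>\S+)$"
)

# Constructed entitlement table: which resources each user is authorised to use.
# A user missing from the table is entitled to nothing.
ENTITLEMENTS = {
    "alice": {"vpn", "hr-portal"},
    "bob": {"vpn", "finance-db"},
}


def parse_log(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def failed_logins_per_day(events):
    """Map user -> {date: number of failed logins on that date}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "login" and e["result"] == "fail":
            counts[e["user"]][e["ts"].date()] += 1
    return counts


def rising_failure_users(events, factor=2.0, min_failures=3):
    """Flag users whose failed logins on the latest day exceed `factor` times
    their average over all earlier days in the log (days with no failures
    count as zero). Returns user -> (latest_day_count, baseline_mean)."""
    days = sorted({e["ts"].date() for e in events})
    if len(days) < 2:
        return {}  # no baseline to compare against yet
    latest, baseline_days = days[-1], days[:-1]
    flagged = {}
    for user, per_day in failed_logins_per_day(events).items():
        today = per_day.get(latest, 0)
        baseline = sum(per_day.get(d, 0) for d in baseline_days) / len(baseline_days)
        if today >= min_failures and today > factor * baseline:
            flagged[user] = (today, baseline)
    return flagged


def unauthorised_access(events, entitlements):
    """List (timestamp, user, resource) for access attempts, successful or not,
    to resources the user is not entitled to."""
    return [
        (e["ts"].isoformat(), e["user"], e["resource"])
        for e in events
        if e["action"] == "access"
        and e["resource"] not in entitlements.get(e["user"], set())
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, (today, base) in rising_failure_users(evts).items():
        print(f"rising login failures: {user} had {today} today vs baseline {base:.1f}/day")
    for ts, user, res in unauthorised_access(evts, ENTITLEMENTS):
        print(f"unauthorised access attempt: {ts} {user} -> {res}")
```

On the sample data the first check flags only alice (five failures on the latest day against a one-per-day baseline), while bob's single failure stays below the `min_failures` floor; the second check reports bob reaching hr-portal and carol, who has no entitlements at all, trying finance-db. The floor and the factor are the two knobs a team would tune against its own logs so that one mistyped password does not become an alert.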
Above all, IT professionals would do well to remember cybersecurity is a collective team effort—and not just a siloed function of internal security teams. Security policies failing to consider how people interact with and use technologies tend to inevitably erode the attentiveness and cooperation of the workforce in the long run. Policies designed to make their lives simple, sensible, and no less secure should be the way forward for public agencies in Australia and abroad.