Security Fatigue: How Public Agencies Can Counter this Silent Menace
by Thomas LaRock

Every one of us knows one person or colleague who has a Post-it® Note full of passwords stuck to their monitor. Pre-pandemic, this was a one-in-ten case of security malpractice. But given how rapidly organisations have adopted digital solutions for remote work in the past two years, I’m willing to bet remote workers now have passwords written down everywhere from their laptops to their kitchen counters, creating a security nightmare for any IT team.

This is just one anecdotal instance of the security fatigue rapidly sweeping across most organisations around the world. CyberArk reports over 67% of employees attempt to circumvent security policies and 82% reuse older passwords, among a litany of other security no-nos. Our own SolarWinds® IT Trends Report revealed an increase in apathy and complacency as organisations transition into a post-pandemic world with a false sense of security.

For government agencies dealing with sensitive public data or managing essential citizenry services, security fatigue is an inevitable precursor to a cyberthreat capable of bringing the agency to its knees. Federal IT teams must address and mitigate the risks of security fatigue at all costs, but how should they do it? Below are some simple steps they can begin to take.

Decisions, Decisions, Decisions!

One of the biggest sins within the realm of IT security is reused passwords, and it’s only natural for security teams to mandate a separate password for each of the many solutions and services at play. However, this creates “unnecessary” friction and decision-making for federal employees. One can only think up so many combinations of letters, special characters, and numbers before security fatigue and apathy begin to set in.

In other words, federal IT security teams must increasingly consider how their cybersecurity decisions and policies affect fellow workers. To combat the onset of security fatigue or apathy, IT teams should reduce the number of security decisions users are required to make daily, or even hourly.

A simple way to do this would be to provide access to a password manager allowing employees to cycle through multiple encrypted passwords, removing a huge swathe of decision-making in the process. Similar moves could be made to utilise two-factor authentication tools built to readily integrate into existing technologies, cloud services, or essential services.

Build a Zero-Trust Culture

Once-a-year security training is no longer sufficient, especially since cybercriminals now exploit an employee’s feelings of fatigue and a false sense of security round the clock. The public workforce is reportedly falling victim to sophisticated phishing attacks, with central governments experiencing a 77% increase in such attacks since the pandemic began—which is higher than even the private sector!

That means a zero-trust security culture must become the norm at all costs. Ask anyone, and they’ll tell you I’m a huge proponent of running internal phishing exercises on a monthly—even weekly—basis. This has the dual effect of keeping employees on their toes while allowing IT security teams to identify weaknesses in their systems, whether human, process, or infrastructure. Plus, these exercises are relatively cheap to execute, at least compared to what you’ll be paying for a data breach fine or a ransomware attack.

To further press this point, security teams must think of cybersecurity less as something they do and more as a mindset federal employees must adopt. This means taking a more behavioural approach: for instance, taking the time to guide employees to think about why security policies are important, rather than simply forcing those same policies on people without explanation.

Make Security Visibly Measurable

The above approaches, solutions, and simulations are only possible when federal IT security teams have unparalleled visibility over the security surface of their networks. You can’t measure, remediate, or mitigate what you can’t see, which makes things like user activity monitoring, log analysis, and network event management all the more critical. Get these solutions in place first (if you haven’t already), and the rest should easily follow.

With this level of deep visibility over your entire network, any early signs of security fatigue or complacency—like a higher rate of logged incidents or unauthorised user access—would be easier to detect and address. Though security fatigue may build over a prolonged time frame, having the data and logs at hand allows IT security teams to spot patterns and act before it’s too late.
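As an added illustration of the kind of pattern-spotting described above (this is example code written for this page, not SolarWinds' code or any product's logic), the following Python script runs over a constructed audit log. It buckets events by calendar week, compares each later week's share of failed logins and denied access attempts against a pooled baseline from the first two weeks, and lists users who repeatedly hit access-denied errors. The log format, the user names, the resource paths and the thresholds are all assumptions for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample audit log (not from any real system). One event per line:
# ISO-8601 timestamp, user, event type and an optional resource. Four calendar
# weeks; the last two show a rising share of failed logins and denied access,
# the kind of drift the article says visibility should surface early.
SAMPLE_LOGS = """\
2022-03-01T08:02:11Z user=alice event=login_ok
2022-03-01T08:05:40Z user=bob event=login_failed
2022-03-02T09:11:03Z user=bob event=login_ok
2022-03-02T13:45:19Z user=carol event=login_ok
2022-03-03T10:20:17Z user=dave event=login_ok
2022-03-04T16:01:55Z user=alice event=login_ok
2022-03-08T08:00:02Z user=alice event=login_ok
2022-03-08T08:31:10Z user=carol event=login_ok
2022-03-09T09:15:44Z user=dave event=access_denied resource=/hr/payroll
2022-03-10T11:05:30Z user=bob event=login_ok
2022-03-10T14:22:09Z user=dave event=login_ok
2022-03-11T15:48:37Z user=alice event=login_ok
2022-03-15T08:03:21Z user=alice event=login_failed
2022-03-15T08:04:02Z user=alice event=login_ok
2022-03-16T09:30:15Z user=bob event=login_failed
2022-03-16T12:12:12Z user=carol event=login_ok
2022-03-17T10:40:08Z user=dave event=access_denied resource=/finance/reports
2022-03-18T17:05:59Z user=carol event=login_ok
2022-03-22T08:10:33Z user=dave event=access_denied resource=/hr/payroll
2022-03-22T08:11:01Z user=dave event=access_denied resource=/hr/payroll
2022-03-23T09:00:45Z user=bob event=login_failed
2022-03-23T09:01:12Z user=bob event=login_ok
2022-03-24T13:27:50Z user=dave event=access_denied resource=/finance/reports
2022-03-25T16:33:28Z user=alice event=login_ok
"""

# Assumed line layout for the constructed log; adapt to your own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?: resource=(?P<resource>\S+))?$"
)
# Event types treated as "risky" for the purpose of the weekly share.
RISKY_EVENTS = {"login_failed", "access_denied"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def week_start(ts):
    """Monday of the ISO week containing ts, as a date (used as the bucket key)."""
    d = ts.date()
    return d - timedelta(days=d.weekday())


def weekly_rates(events):
    """Return {week_start: (risky_count, total_count)} ordered by week."""
    risky, total = Counter(), Counter()
    for e in events:
        w = week_start(e["ts"])
        total[w] += 1
        if e["event"] in RISKY_EVENTS:
            risky[w] += 1
    return {w: (risky[w], total[w]) for w in sorted(total)}


def flag_rising_weeks(rates, baseline_weeks=2, factor=1.5):
    """Weeks whose share of risky events exceeds factor x the pooled baseline share."""
    weeks = list(rates)
    base = weeks[:baseline_weeks]
    base_risky = sum(rates[w][0] for w in base)
    base_total = sum(rates[w][1] for w in base)
    if base_total == 0:
        return []
    threshold = factor * base_risky / base_total
    return [w for w in weeks[baseline_weeks:] if rates[w][1] and rates[w][0] / rates[w][1] > threshold]


def repeat_denials(events, threshold=3):
    """Users with at least `threshold` access_denied events: a prompt for a conversation, not a punishment."""
    counts = Counter(e["user"] for e in events if e["event"] == "access_denied")
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOGS)
    rates = weekly_rates(evts)
    for w, (r, t) in rates.items():
        print(f"week of {w}: {r}/{t} risky events")
    print("weeks above baseline:", flag_rising_weeks(rates))
    print("repeated access denials:", repeat_denials(evts))
```

On the constructed data the first two weeks each carry one risky event in six, so the baseline share is one sixth; the third and fourth weeks (three and four risky events in six) are flagged, and `dave` is listed with five denied accesses. The baseline window and multiplier are deliberately parameters: a real deployment should tune them against its own normal traffic before treating a flagged week as a sign of fatigue rather than, say, a new system rollout.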

Above all, IT professionals would do well to remember cybersecurity is a collective team effort—and not just a siloed function of internal security teams. Security policies that fail to consider how people interact with and use technologies inevitably erode the attentiveness and cooperation of the workforce in the long run. Policies designed to make their lives simple, sensible, and no less secure should be the way forward for public agencies in Australia and abroad.

Thomas LaRock

After a decade of being a production database administrator, I jumped into the role of Technical Evangelism, and I am currently a Head Geek for SolarWinds. My mission as a Head Geek is to give IT and data professionals longer weekends. Being a Head Geek allows me to work directly with customers to help solve questions regarding database performance tuning and virtualization for a variety of platforms including, but not limited to, SQL Server, Oracle, Sybase, and DB2. I also solicit feedback from customers and industry experts and use that information to help our team create better products. My research and experience helped to create the initial versions of IgniteVM, now known as Database Performance Analyzer with the VM option, an industry-recognized leading database performance monitoring tool. Head Geeks are also responsible for content creation. The variety of content includes blog posts, webinars, videos, conference presentations, magazine articles, whitepapers, and books. This content helps with product positioning and overall strategy. The combination of research, content creation, and professional experience allows Head Geeks to be recognized as thought leaders for their industry.