Your security programme’s second biggest challenge
It’s not ‘new news’ that there have been numerous cybersecurity incidents across various industries over the last few months, and whilst each of the impacted businesses will have had controls in place to prevent these incidents from happening, somehow the “bad people” still won. Committees and teams will have carefully crafted intricate and sturdy policies, invested in technology, rolled it out across the organisation and then firmly stuffed their fingers in their ears singing “Lalalala I can’t hear you” when the actual users encounter the new system and feed back that it is unworkable. If a control stops a person doing their job, they will find a way around it to get their job done. The nice policy or swanky tech becomes functionally useless, or worse, gives those naughty hackers (aka me!) a back door.
To keep it simple, because the field of psychology is a massive and complex one (and I’m an ethical hacker, not a doctor): every person has a “budget” of decisions to get them through the day. Most people aren’t aware of this limit, but we all develop mental heuristics (cheat codes) and lean on cognitive biases to stretch it. When the budget runs out, decision fatigue kicks in and we fall back to the easiest choice. We have all been there: going out to eat after a long day, faced with an epic menu of delicious dishes, and ordering the cheeseburger.
Security fatigue is a subset of this decision fatigue phenomenon but instead of a menu and a cheeseburger, it’s a complex password policy and users picking the password “password123!”.
Various measures are put in place to keep the organisation secure, but these are often built from the perspective of the security team, not the worker at the coal face. It leads to a situation where someone may need several passwords, have to navigate a complex VPN setup with multi-factor authentication, and make a small sacrifice to the deities of IT before they can even start work for the day.
It’s important to point out that security fatigue is different from simply not following procedures or wilfully ignoring them. There are often systemic factors in play that can’t be countered by “trying harder.” Sometimes the processes need to change; sometimes people need specific examples of why these measures are in place.
Here are some examples of how security fatigue comes about, and how ethical and unethical hackers can exploit it.
“One uppercase character, one lowercase character…” We have all been there, trying to run the complexity gauntlet on a mandatory password reset because it’s been two months since we last reset it. Now multiply that by the number of systems a user needs to log into at the start of every day: how many passwords would they need to remember? Users are forced to comply with the complexity and reset policy, but to offset the cognitive load they will use whatever tools they have available: writing the passwords down, using the dog’s name, or something on the desk plus the current year. Fantastic, you have just made my job so much easier. Whilst password cracking is beyond the scope of this blog post, the abridged version is that the shorter and more predictable a password, the easier it is to crack, and a word plus a year plus an exclamation mark is exactly the shape that cracking wordlists and mangling rules are built to guess. Frequent forced resets push users towards precisely these patterns, which is why they are no longer considered best practice (NIST SP 800-63B, for one, advises against periodic rotation and in favour of screening new passwords against a blocklist of known-bad choices).
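As an added illustration (example code written for this edit, not from the original post or from CovertSwarm): the complexity gauntlet described above, beside a length-plus-blocklist rule of the kind NIST SP 800-63B recommends, run over a handful of the passwords users actually reach for. The blocklist, the 12-character floor, the “word plus year” pattern and the sample passwords are all constructed assumptions; a real deployment would load a breach-derived blocklist instead of a few hand-picked entries.

```python
import re
import string

# Constructed sample blocklist. Assumption: a real deployment would load a
# breach-derived list (e.g. the Have I Been Pwned corpus) rather than this handful.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "letmein", "welcome",
    "qwerty", "monkey", "summer", "winter",
}

# Assumption: 12 characters is this example's floor for a user-chosen password.
# The point is that length and unpredictability, not character classes, do the work.
MIN_LENGTH = 12

# "Dog's name plus the year" shape: optional capital, a word, a four-digit year,
# then whatever trailing symbols the complexity rule demanded.
WORD_YEAR_SYMBOL = re.compile(r"^[A-Z]?[a-z]{3,}(19|20)\d{2}[!@#$%^&*.?]*$")


def legacy_complexity_ok(pw: str) -> bool:
    """The 'one uppercase, one lowercase, one digit, one symbol, 8+ chars' gauntlet.

    This is the rule that happily accepts 'Password123!' and rejects a
    four-word passphrase because it contains no digit or symbol.
    """
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def normalise(pw: str) -> str:
    """Strip the trailing digits/symbols users bolt on to satisfy complexity rules."""
    return pw.rstrip(string.digits + string.punctuation).lower()


def modern_policy_ok(pw: str) -> bool:
    """Length, a blocklist and a predictable-pattern check; no forced rotation."""
    if len(pw) < MIN_LENGTH:
        return False
    # Check both the raw value and the value with the '123!' suffix peeled off,
    # otherwise 'Password123!' sails past a blocklist that only holds 'password'.
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        return False
    if WORD_YEAR_SYMBOL.match(pw):
        return False
    return True


def evaluate(candidates):
    """Return {password: (legacy_verdict, modern_verdict)} for each candidate."""
    return {pw: (legacy_complexity_ok(pw), modern_policy_ok(pw)) for pw in candidates}


# Constructed candidates: the predictable choices users reach for under a
# complexity policy, plus a random-word passphrase a password manager would produce.
SAMPLE_PASSWORDS = [
    "Password123!",                  # blocklisted once the trailing '123!' is stripped
    "Fluffy2024!!",                   # the dog's name plus the year
    "Summer2024!!",                   # something seasonal plus the year
    "correct horse battery staple",  # long and unpredictable, no symbols at all
]

if __name__ == "__main__":
    for pw, (legacy, modern) in evaluate(SAMPLE_PASSWORDS).items():
        print(f"{pw!r:32} legacy={legacy!s:5} modern={modern!s:5}")
```

The three predictable passwords pass the legacy rule and fail the modern one; the passphrase fails the legacy rule and passes the modern one. That inversion is the whole argument of the paragraph above in four lines of output.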
You look at the email and up pops “This looks like a phishing email; do you want to open it?” and you select yes because it’s obviously a false positive; you did the training last week, you wouldn’t get caught out now. It’s an email from HR about a change in holiday allocation. Surprise twist! It’s not from HR, it’s from me, and now I have your credentials.
Why do people still fall for these emails? In part it is psychology: phishing emails are designed to appeal to the intrinsic and emotional parts of our brains, bypassing logical thinking. Bad actors will spend a great deal of time crafting the perfect email, and they only need one person to click. No amount of training is going to patch the evolution of the human brain, and finger pointing is not going to help. A well set up spam filter is much harder to emotionally manipulate than a person. Relying on people alone to catch phishing emails simply adds to the cognitive load the security system already puts on them.
Whilst we are talking about training, there is research suggesting that more frequent formal training can actually reduce someone’s awareness, which seems counterintuitive. And we have all had terrible experiences of training: the two-hour video that could have been summed up in two sentences, awful slides that haven’t been updated since the 90s, multiple-choice questions that don’t engage… more examples than I can list. Bad training can be worse than none, creating cynicism in users who are already overloaded with cybersecurity issues. Poor training can be exploited in any number of ways by bad actors, from phishing to social engineering attacks. Plus, if we can get access to the training materials, important organisational information could be found in them that we can exploit.
Users Aren’t The Enemy
Engage with the people who will use the security you put in place and, importantly, listen to what is fed back. If people must bypass security to get their job done, then that isn’t security, it is a barrier. Users will see things that the security and IT teams may not be aware of, and can suggest ways to streamline a control so it fits their workflow. Engagement also helps mitigate security fatigue by giving users some control over the process; people are more willing to engage when they have some investment in it.
Plenty of technology is available now that can streamline cybersecurity for users. For example, there are several excellent password managers that will securely store passwords, so that long, unique passwords can be used with ease. Authentication schemes like Single Sign-On (SSO) can simplify a user’s security journey by cutting the number of passwords they must remember to one, and can be made more secure with a second factor such as one-time passwords (OTP) or smartcards. The caveat is that SSO concentrates risk on that one account, so the factor protecting it needs to be strong.
Education And Culture
Develop an education plan that engages users, with specific examples that help them see exactly why these systems are in place; part of security fatigue is not understanding why the rules exist. Importantly, learn from the mistakes made, because they will happen. Each incident, rather than being an occasion for blame and finger pointing, can be used as a learning experience. An open culture of honesty and transparency will encourage staff to report security incidents as soon as they notice them, allowing action to be taken early. Incorporate these into the education materials so users can see the whole story, not just their part, and in turn the value of cybersecurity.
Employ an Ethical Hacking Team
Hiring an ethical hacking team to look at your security can really help identify where things are not performing as they should. This can range from password audits to wandering into your office and lifting an unattended laptop.
The team at CovertSwarm is driven by a single objective – to constantly compromise the security of our clients through the deep detection of blind spots within their cyber defences and technology stacks before real threat actors are able to exploit them.
Our continuous client-focused cyber intelligence gathering, simulated attack, clear vulnerability reporting, live ethical hacker interaction capability and follow-up education services challenge the status quo of a cyber market in desperate need of modernisation.
Organisations seeking higher degrees of cyber assurance and security confidence than those offered by ‘snapshot’ penetration testing and red team engagements are increasingly partnering with us. They agree that ‘point in time’ testing is no longer enough to secure their organisations, and it is through this shared ethos that CovertSwarm challenges everything that has so far been considered to be ‘standard’ in today’s cyber vendor market.