[June 17, 2020]

Security Fatigue defeats Security Education

SECURITY FATIGUE

The average employee has security fatigue, according to a study from the National Institute of Standards and Technology (NIST). “Security fatigue is defined as a weariness or reluctance to deal with computer security.” Security fatigue often results in risky computing behavior at work and in employees' personal lives. It is the blasé attitude we have all seen in our co-workers, or in ourselves, when we turn fatalistic and say “my credit card company takes care of me, so it does not matter if my account gets hacked.” This not only exposes the individual to increased personal risk (credit card fraud, phishing) but costs businesses through compliance violations and business losses as valuable corporate data is exposed to unnecessary risk.

The study suggests three ways to reduce security fatigue:

  1. Limit the number of security decisions users need to make;
  2. Make it simple for users to choose the right security action; and
  3. Design for consistent decision making whenever possible. 

These recommendations can help users maintain secure online habits and behavior, but implementing such procedures universally is not always easy. Security training is still required to help employees make the right decision every time and reduce risk.

MISTAKES MATTER AND MULTIPLY 

According to the Ponemon 2020 Insider Threat Survey, “the frequency of insider incidents is positively correlated with organizational size.” Size amplifies data risk: the larger the organization, the more frequent the accidental insider incidents. More people means more mistakes. Many organizations focus on malicious insider threats because of the high cost of a breach, yet the average cost of careless leaks by security-fatigued employees is $4.5 million per year, and accidental threats make up 60% of all insider threats. The expensive result is that the annualized cost of accidental insider threats is 2.5 times higher than the cost of malicious ones. Companies would benefit immediately if they could systematically reduce the accidental threats that result from security fatigue.

JUST-IN-TIME SECURITY TRAINING

Some training companies have introduced “education triggers” or “teachable moments” targeted at those who violate security policy or need the training the most. The philosophy is to identify and focus training on the people in the organization who, despite being non-malicious, pose the greatest risk. Systematically implementing such training also produces documentation, should it become necessary to remove employees who continue to put the company at risk.

Vendors of “Just in Time” training advocate providing very basic, compliance-focused training for the majority of people, and more specific training for those who violate a security policy or do something inappropriate, such as clicking on a simulated phishing link.

In Special Publication 800-50, NIST provides two clear objectives for security awareness and training.

“Material should be developed with the following in mind:

What behavior do we want to reinforce? (awareness); and

What skill or skills do we want the audience to learn and apply? (training).”

NIST recommends training that includes educational, awareness-based content as well as skill development to help employees understand the threats they face and take the right action to prevent security incidents.

RELEVANCE DRIVES ENGAGEMENT 

Cyberhaven believes that if you make security training relevant to employees' work, you can not only build awareness but actually train employees to do the right thing. But do users need a warning every time they email someone outside the organization? Preferably, a warning appears only when high-value data, such as source code, financial data, PII, or any identifiable and traceable intellectual property, is in the email or its attachment. Interactions with users must not become a nuisance, or users will ignore them. The interventions must vary in nature and must be relevant to the work and to the actions the employee is taking. The security system must know what type of data the user is interacting with and alert only when there is a genuinely high risk to that data.

Automated alerts, raised as data is being put at risk and graded by the degree of that risk, help users learn the difference between what is merely not recommended and what will get them fired. Data exfiltration, for example, is typically black and white: using USB drives for high-value data is prohibited by most employers, and the use of USBs rose with the recent COVID crisis. But sometimes marketing staff are just downloading a video or a presentation for an event. Ideally, the monitoring tool needs to differentiate between types of data (PII, HIPAA) and to know whether the data came from a top-secret source. Where the data originated tells us what level of protection it needs. Was it copied from the server where the source code is kept? Does it include any secret code names or product name references that should not be public yet?

At one Cyberhaven customer we help prevent cross-customer contamination by ensuring a match and a business correlation between source and destination. This means, for example, that information for CVS will never be sent to Walgreens. For many organizations a simple mistake can cost millions in compliance fines and, worse, lose them customers and damage their reputation.
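The tiered, origin-aware response described above, as an added illustration that is not Cyberhaven's code: data is classified by where it came from, low-value data is never interrupted, high-value data going outside gets a just-in-time warning, USB copies of high-value data and cross-customer emails are blocked. The origins, labels, customer domains and the rule order are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Response(Enum):
    ALLOW = "allow"  # no interruption: avoid nuisance alerts
    WARN = "warn"    # just-in-time warning with a short training message
    BLOCK = "block"  # clear-cut policy violation


# Where data originated tells us how much protection it needs (constructed mapping).
ORIGIN_LABELS = {
    "git.internal.example": {"source_code"},
    "finance-share.internal.example": {"financial", "pii"},
    "customer-cvs-share.internal.example": {"pii", "customer:cvs"},
}
# Business correlation between a customer's data and its own domain (constructed).
CUSTOMER_DOMAINS = {"customer:cvs": "cvs.example",
                    "customer:walgreens": "walgreens.example"}
HIGH_VALUE = {"source_code", "financial", "pii"}


@dataclass
class Action:
    kind: str              # "email_external", "usb_copy" or "cloud_upload"
    origin: str            # server or share the file was copied from
    destination: str = ""  # recipient domain for email, empty otherwise


def classify(origin):
    """Derive sensitivity labels from where the file came from."""
    return set(ORIGIN_LABELS.get(origin, set()))


def decide(action):
    """Return (Response, message) for one outbound action on one file."""
    labels = classify(action.origin)
    for cust in (l for l in labels if l.startswith("customer:")):
        own = CUSTOMER_DOMAINS[cust]
        if action.kind == "email_external" and action.destination == own:
            return Response.ALLOW, ""  # source and destination correlate
        if action.destination in CUSTOMER_DOMAINS.values():
            return Response.BLOCK, f"{cust} data may not go to {action.destination}"
    if not labels & HIGH_VALUE:
        return Response.ALLOW, ""      # low-value data: stay silent
    if action.kind == "usb_copy":
        return Response.BLOCK, "USB copies of high-value data are prohibited"
    kinds = ", ".join(sorted(labels & HIGH_VALUE))
    return Response.WARN, f"contains {kinds}; confirm this is intended"
```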

Each business has unique business processes that give it competitive advantage or differentiation. Security tools tend to be rigid: they are YES/NO gates. Firewalls and DLP solutions are built with a “you shall not pass” philosophy that has made them too strict for many business scenarios. UEBA attempts to establish normal business patterns at great cost, requiring tuning to identify the line that employees should not cross. No single technology has been able to adapt to the rapid rate of change and the enthusiastic adoption of collaboration tools and every flavor of cloud application.

What is needed is not only adaptive security training but security solutions that adapt to the business environment. At Cyberhaven, we developed Data Behavior Analytics (DaBA), an adaptive monitoring tool that finds and follows data. It adapts to your business needs and provides the visibility you need to see how users interact with data, so you can deliver real-time training that helps users learn to be more secure. Cyberhaven can identify your valuable data dynamically by automatically correlating it to the source it came from. By documenting the data journey, we help protect data. We can help identify both careless and malicious insiders and help you differentiate between them. And we can help you address security fatigue by implementing interactive security measures that educate your users and reduce your risk.

Increase security awareness and train your users with Cyberhaven. See a demo today and start your free trial.

Topics: Security Training