Cyber security fatigue among employees leads to carelessness and ignorance, undermining efforts to strengthen cyber security postures.
This is according to systems integrator +OneX, part of the JSE-listed Reunert Group.
Adam Whittington, security and services executive at +OneX, says despite significant investment in cyber security training and awareness, employee behaviour remains the most vulnerable part of the average enterprise’s defences.
“Criminals have added smarter techniques to their arsenal, such as ‘spear phishing’ - which targets people with highly convincing and personalised messages - and QR code phishing (quishing), which deceives a recipient into scanning a QR code that redirects them to a bogus website,” says Whittington.
While many phishing messages give themselves away through poor grammar or unnatural sounding language, the criminals have lifted their game, he says.
“GenAI tools such as ChatGPT have been a godsend for cyber criminals, enabling them to generate more phishing e-mails than ever before while improving the sophistication of their work.
“For example, they can use public data about executives and companies harvested with AI to launch precision attacks on company employees. In addition, GenAI can help cyber criminals to eliminate misspellings and grammar mistakes, so that their e-mails seem like credible copies of a communication from a bank or tax authority,” Whittington continues.
Cyber criminals can also use GenAI to rapidly build convincing landing pages to harvest logins and passwords from people they duped, he adds.
“With this as the backdrop and with companies taking end-user education seriously, one would imagine that employees would be more alert… but the reality is that cyber security has become a topic that bores many end-users. Not only have they tuned out from the warnings they get from their IT department on an almost daily basis, they have also started to become tired of the friction that cyber security causes in their working lives.”
Combating cyber security fatigue
The statistics also reflect issues linked to cyber security fatigue, says Whittington.
“A recent study from security vendor SlashNext found that there has been a 341% increase in phishing attacks in the first half of 2024. If that isn’t disturbing enough, an alarming proportion of users still fall for phishing attacks -- in our experience with phishing simulations as many as 10% of users among our client companies will still fall victim. Stats from Verizon show that the median time for users to fall for phishing e-mails is less than 60 seconds.”
More than a third of users cut security corners, he adds.
“One international study found that 54% of office workers are ignoring important cyber security alerts and warnings due to information overload from digital communication. Nearly 47% agreed that information overload is inhibiting their ability to identify threats such as phishing e-mails, while 36% admitted to cutting corners on cyber security practices. Shockingly, less than a quarter report being engaged with their cyber security training,” says Whittington.
Unless every end-user is hypervigilant, it is only a matter of time before an attacker gets their hands on credentials or tricks someone into downloading a ransomware file, he adds.
“As such, it’s essential to combat cyber security fatigue and keep users deeply engaged in the importance of security. It’s helpful to understand why cyber security fatigue sets in, to rectify or prevent it.”
Having an engaged, vigilant workforce requires an environment where people feel rewarded for constantly learning and adapting, he concludes.
Last year, +OneX acquired privately-owned managed services company MMC to bolster its ability to offer cyber security and compliance-as-a-service solutions.
In April this year, the Reunert Group announced its intention to merge subsidiaries IQbusiness and +OneX into a single entity to create a digital integrator within Reunert ICT.