With so many factors to consider when it comes to cyber security, how do you avoid total burnout?
South African companies have seen a sharp increase in cyber security and data protection requirements. These include, but are not limited to:
- Recent amendments to The South African Cybercrimes Bill (B6-2017) – initially introduced as the Cybercrimes and Cybersecurity Bill in 2017;
- The United States CLOUD Act (Clarifying Lawful Overseas Use of Data Act) – enacted on 23 March 2018. This Act applies regardless of where the data in the service providers’ possession, custody or control is stored;
- The South African POPI Act (Protection of Personal Information Act 4 of 2013) – effective 1 July 2020, with a 12 month grace period to 30 June 2021; and
- The PCI SSC (Payment Card Industry Security Standards Council) has begun work on PCI DSS v4.0 (Payment Card Industry Data Security Standard). The new standard is expected to be published in mid-2021 and to replace v3.2.1 in 2024.
Given these changes (among others) to cyber security laws and regulations, coupled with the rise in recent cyber security incidents and breaches, companies will soon be confronted by a growing concern, cyber security fatigue, if they haven't been already.
It’s no secret that cyber security can cause people to feel overwhelmed, out of their depth and powerless to manage the threats they face today. That's why 'cyber security fatigue' is such a common problem.
What is cyber security fatigue? It is most simply defined as avoiding additional cyber security measures as a result of being overwhelmed and oversold, with little to no measurable risk reduction to show for the effort already made. In other words, effectively giving up on proactively defending against malicious actors.
What causes cyber security fatigue? Those confronting it report that managing a multi-vendor environment can be extremely challenging, and there appears to be a strong relationship between multi-vendor environments and growing fatigue. This complexity is the main cause of burnout.
Take POPIA as an example: South Africa has seen a sharp rise in newly registered domains with names associated with POPIA in some form, ranging from services and technologies to training and memberships. It is important to note that, at the time of publishing this article, the South African Information Regulator has not appointed any authoritative body to accredit organisations to provide certifications; consequently, no organisation has been recognised as a POPIA certifier.
Additionally, complex technology environments that generate too many alerts exacerbate cyber security fatigue. As the volume of alerts grows over time, so does the fatigue of the people expected to act on them.
A third potential cause of cyber security fatigue, perhaps unsurprisingly, is suffering a major and extended cyber breach, with the number of hours of downtime influencing the extent of the fatigue.
What is the risk associated with cyber security fatigue? Its impact on organisations is harmful almost by definition: the inevitable outcome is an increasingly vulnerable attack surface (environment), with a growing risk of becoming the target of a cyber attack and/or suffering a data breach.
How can cyber security fatigue be lessened? Owing to the complexity of security resource management (one of the reasons for cyber security fatigue), outsourcing this management might help. Another strategy is to simplify supply chains.
As organisations increasingly embrace digital transformation, CISOs are placing a higher priority on adopting new security technologies to reduce exposure to malicious actors and threats. Rather than following a risk-based approach, these technologies often do not address the organisation's actual risk exposure at all; the investment is instead the result of a well-positioned sales pitch.
To address this, organisations should first identify the cyber security risks within their environment and only then perform a needs analysis to determine whether a technology is needed to address a given risk. This approach has a far more beneficial outcome than investing in technology in the hope that the organisation's risk is being reduced.
Another solution is automation, which can be the answer to coping with the volume of alerts. Automation enables policies to be enforced more consistently, quickly and efficiently: when a device is determined to be infected or vulnerable, it is automatically quarantined or denied network access, with no action required from an administrator.
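The following is an added example, not code from this article or from CyberSec, that shows what such automation looks like in practice: repeated alerts for the same host are collapsed into one so the volume an analyst sees drops, and a fixed policy table decides whether a host is quarantined, denied access, ticketed for a human, or ignored. The alert records, alert kinds, host names and the five-minute collapse window are constructed for the example. The one deliberate caveat a practitioner would want is the protected-host list: automatic network isolation of a domain controller or production database can cause a worse outage than the alert it reacts to, so those hosts are escalated to a person instead.

```python
"""Hypothetical alert-triage playbook (added example; not CyberSec's or any vendor's code)."""
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample alerts (not real telemetry). Alert 'kind' names are assumptions.
ALERTS: List[Dict] = [
    {"ts": "2021-05-03T09:00:00", "host": "ws-017", "kind": "malware_detected", "detail": "Trojan.Generic"},
    {"ts": "2021-05-03T09:00:20", "host": "ws-017", "kind": "malware_detected", "detail": "Trojan.Generic"},
    {"ts": "2021-05-03T09:01:05", "host": "ws-017", "kind": "malware_detected", "detail": "Trojan.Generic"},
    {"ts": "2021-05-03T09:02:00", "host": "srv-db01", "kind": "vuln_critical", "detail": "missing critical patch"},
    {"ts": "2021-05-03T09:03:00", "host": "ws-017", "kind": "vuln_critical", "detail": "missing critical patch"},
    {"ts": "2021-05-03T09:04:00", "host": "ws-042", "kind": "vuln_low", "detail": "outdated browser plugin"},
    {"ts": "2021-05-03T09:04:30", "host": "ws-042", "kind": "informational", "detail": "agent heartbeat"},
    {"ts": "2021-05-03T09:05:00", "host": "ws-042", "kind": "informational", "detail": "agent heartbeat"},
    {"ts": "2021-05-03T09:30:00", "host": "ws-017", "kind": "malware_detected", "detail": "Trojan.Generic"},
    {"ts": "2021-05-03T09:31:00", "host": "ws-099", "kind": "sensor_selftest", "detail": "unknown to policy"},
]

# Policy table: alert kind -> action. Assumed values; a real policy comes from the risk analysis.
POLICY = {
    "malware_detected": "quarantine",   # isolate the host from the network
    "vuln_critical": "deny_access",     # block access until patched
    "vuln_low": "ticket",               # hand to a person, no automatic action
    "informational": "ignore",
}
# Hosts where an automatic network action could cause an outage; a human must approve.
PROTECTED_HOSTS: Set[str] = {"dc01", "srv-db01"}
WINDOW = timedelta(minutes=5)


def collapse(alerts: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Merge repeated (host, kind) alerts that fall inside `window` into one alert with a count."""
    groups: List[Dict] = []
    open_groups: Dict[Tuple[str, str], int] = {}  # (host, kind) -> index of the most recent group
    for a in sorted(alerts, key=lambda x: x["ts"]):
        key = (a["host"], a["kind"])
        t = datetime.fromisoformat(a["ts"])
        idx = open_groups.get(key)
        if idx is not None and t - datetime.fromisoformat(groups[idx]["first_ts"]) <= window:
            groups[idx]["count"] += 1
            groups[idx]["last_ts"] = a["ts"]
            continue
        g = {k: v for k, v in a.items() if k != "ts"}
        g.update(first_ts=a["ts"], last_ts=a["ts"], count=1)
        groups.append(g)
        open_groups[key] = len(groups) - 1
    return groups


def decide(alert: Dict, quarantined: Set[str]) -> str:
    """Apply the policy table to one collapsed alert; the same input always yields the same action."""
    action = POLICY.get(alert["kind"], "ticket")  # unknown kinds go to a person, never silently dropped
    if action in ("quarantine", "deny_access"):
        if alert["host"] in PROTECTED_HOSTS:
            return "escalate"           # automation stops where an outage would be worse than the alert
        if alert["host"] in quarantined:
            return "already_contained"  # idempotent: do not re-isolate or double-ticket a contained host
    return action


def run_playbook(alerts: List[Dict]) -> Tuple[List[Tuple[str, str, int, str]], Set[str]]:
    """Collapse the alert stream, decide an action per group, and track which hosts got isolated."""
    quarantined: Set[str] = set()
    actions: List[Tuple[str, str, int, str]] = []
    for a in collapse(alerts):
        act = decide(a, quarantined)
        if act == "quarantine":
            quarantined.add(a["host"])
        actions.append((a["host"], a["kind"], a["count"], act))
    return actions, quarantined


def volume_reduction(alerts: List[Dict]) -> Tuple[int, int]:
    """Raw alert count versus the number of items an analyst actually has to look at."""
    return len(alerts), len(collapse(alerts))


if __name__ == "__main__":
    raw, seen = volume_reduction(ALERTS)
    print(f"{raw} raw alerts collapsed to {seen} actionable items")
    for host, kind, count, act in run_playbook(ALERTS)[0]:
        print(f"{host:10} {kind:18} x{count:<3} -> {act}")
```

Two design points are worth noting. Unknown alert kinds default to a ticket rather than being ignored, because a policy gap should surface as work for a person, not as silence. Quarantine decisions are idempotent: a second malware alert for an already-isolated host is recorded as contained rather than generating a fresh action, which is exactly the repeated, no-value work that feeds the fatigue described above.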
On a positive note, cyber security fatigue should organically reduce as security improves. Organisations that rely increasingly on cloud security and automation to strengthen their security posture will reduce the risk of breaches and, along with it, the fatigue arising from them.
Ultimately, cyber security fatigue is a very real and human response to a complex problem. Security leaders need to accept this and look for ways to reduce stress and burnout if they wish to prevent cyber security fatigue from contributing to major security breaches.
CyberSec
CyberSec (Pty) Ltd is a specialist advisory and solutions company made up of cyber security subject matter experts that assists organisations in identifying and minimising their cyber security risk.
- A Business-enabling, enterprise-wide information security competency based on…
- Controls that are “baked-into” every service offering, enabling the business to…
- Reduce organisational exposure to security threats and vulnerabilities and ensure…
- Compliance with applicable Legal and Regulatory requirements as well as…
- International best practice security standards, aimed at producing…
- Effective, independently validated controls delivered through…
- Fit-for-purpose and cost effective security initiatives, that promote…
- Business ownership and stakeholder buy-in, creating confidence in…
- The ability to effectively respond to security incidents, ultimately leading to…
- Exceptional customer trust, and…
- Improved overall IT Governance
Web: www.cybersec.co.za
CyberSec (Pty) Ltd – Being Part of The Solution