Cyber criminals are rubbing their hands together with glee as the bombardment of news and discussion on cyber security creates a sense of security fatigue among business owners, writes Jim Cook.
According to the Australian Competition & Consumer Commission (ACCC), security scams have cost Australians over $950,000 to date in 2017, with hacking scams hitting the hardest.
At the same time, whether it’s from TV news, phone notifications, online browsing, social media, or even the good, old-fashioned paper, we hear stories of the increasing dangers of cyber crime.
It’s easy to understand that we may have reached the point at which security fatigue has won the day. Our Malwarebytes researchers are asked to comment on their discoveries of new forms of malware or the latest security breach on a nearly daily basis. And while the media are reporting on legitimate dangers, their fever pitch can leave readers and viewers frozen in a combined state of panic and helplessness.
Users are encouraged to update passwords constantly, run antivirus programs, participate in two-factor authentication, and read unwieldy EULAs carefully, often without a clear understanding of why.
Security fatigue manifests itself in much the same way as what psychologists call decision fatigue. People reach a limit with how much information they can process, leaving them weary and unable to make a rational decision moving forward. Security fatigue impacts decision-making in the following ways. People who experience it tend to:
- avoid unnecessary decisions
- choose the easiest available option
- make decisions driven by immediate motivations
- choose to use a simplified algorithm
- behave impulsively
- feel resignation and a loss of control
After the 10,000th story reminding you not to go to shady websites, or to be aware of advertising on prestigious websites, or warnings about what is fake news and what’s real, people with security fatigue will stick their head in the sand, cover their ears and yell, “La la la! Don’t tell me anything else!”
But it goes even deeper than that. When people are online and experience too many barriers to getting where they want, they experience frustration that shuts them down.
Psychologists Amos Tversky and Daniel Kahneman argue that when people are fatigued, they fall back on behavioural and cognitive biases when making decisions.
This means that they might believe:
- They’re not personally at risk (they have nothing of value that a criminal would want).
- Someone else is responsible for security, and if targeted, they will be protected.
- No security measure that they put in place will really make a difference.
So now, not only are people tired and frustrated, they’re also feeling fatalistic—nothing they do will matter anyway, so they may as well not make an effort.
We get it, but don’t give up
While this might seem like irrational behaviour, psychologically it makes perfect sense. Users are conducting a cost-benefit analysis and, when presented with complex security advice that promises little and expects a lot, they decide it’s not worth their time.
Case in point: You’re trying to transfer some money between bank accounts and can’t remember the password. Then you have to reset the password, but you can’t remember the password to access the email you signed up to the account with. So you reset THAT password.
You finally sign into your bank account and discover you need to set up two-factor authentication, so you wait for the text to come through on your phone only to discover its battery is dead and you need to charge it.
Meanwhile, your antivirus is running a scan and has found a piece of malware on your machine, which means you’ll need to close out of your online account and restart your computer. It’s enough to infuriate the most Zen Buddhist.
But! But … it’s problematic to turn your back on cyber security entirely. Clearly doing nothing will not make cyber crime go away. If crime rates are rising in your neighbourhood, would you stop locking your door because you’re overwhelmed? Doubt it.
But locking your door is a simple solution that can ward off a good portion of attacks. Adding a security system would double the protection. Again, fairly simple to install.
So what are some simple ways you can stay protected online without feeling exhausted?
There are three easy and effective steps you can take to ward off 90 per cent of the crap out there while also maintaining your sanity. Without further ado:
1. Get a password manager
On average, people are asked to remember 22 separate passwords, according to a BBC report. You’re not supposed to write them down, and you’re likely prompted to change them every few months for maximum security. Yeah. It’s getting out of control.
Simplify your life by using a password manager like 1Password. It’ll load all your passwords into one encrypted place with only a single master password to remember.
2. Check before you click
Does it look suspicious? It probably is. This applies everywhere online, but is especially important for emails.
Don’t open email attachments or click on links asking for personal data unless you’re 100 per cent sure of who the sender is. Hover over the sender address if you need to confirm.
And if you’re still unsure, go ahead and Google the company name and see what comes up.
3. Keep your devices and software updated
This one might be annoying, but at least you don’t have to remember to update on your own. Your device and software will ping you when there’s a new update to run. As soon as you see that notification, go ahead and run the update. For five minutes of inconvenience, you get a whole lot of peace of mind.
And, finally, if you want to breathe a little easier and invest in a security system, consider a next-gen antivirus program (boot your old antivirus out the door) that uses multiple layers of technology to catch all the latest threats. Let it run in the background full-time so you’re always protected.
Nothing is foolproof. But doing a little something is a lot better than doing absolutely nothing. Decide how much risk you are willing to take on. If you want to play it safe, do yourself a favour and don’t let security fatigue get the better of you.
Jim Cook is the ANZ regional director for security software provider Malwarebytes.