With a constantly evolving threat landscape and increased awareness of cyber security, cyber fatigue is a growing concern for many organisations. Cyber fatigue, a weariness towards cyber security advice and the behaviours it asks of people, is on the rise, and AARNet has implemented a number of strategies internally to combat it.
What is causing cyber fatigue?
Cyber security is high on the agenda for many organisations because of the recent wave of high-profile security incidents. For staff, that attention, combined with the constant vigilance required to stay up to date with processes and procedures, can be exhausting and overwhelming.
In addition, executives, boards and stakeholders want to know that an organisation is protecting itself as best it can, which means more questions and work for staff, along with higher expectations around the delivery of security requirements.
Plus, the implementation of security controls, such as multi-factor authentication, is affecting the user experience and causing frustration by making everyday tasks take longer to complete than before.
Adding to these pressures on staff and organisations, demand for cyber security skills is also increasing, making it difficult and highly competitive to fill vacancies with high-quality staff.
Here are five strategies that AARNet has adopted internally to help guard against cyber fatigue:
1. Lead with risk and ensure ‘top-down support’
AARNet is aligned to the ISO 31000 risk management framework. Using this common language consistently across multiple communication channels when discussing cyber security, both internally (upwards to the board and downwards to staff) and externally, helped to focus senior management on cyber security as a key business risk to be prioritised across the organisation.
2. Shifting left
Security is often an afterthought. By ‘shifting left’, cyber security risks and requirements are addressed up front in the design and build of a system, instead of being bolted on afterwards, when fixing them costs more and takes longer.
AARNet has implemented policies and standards across the organisation, applied a ‘trust but verify’ mentality through regular security testing and checks, and ensured that all staff have access to guidance, advice and support for cyber security requirements or concerns.
3. Identify champions
Cyber security is a team sport, and to protect an organisation you cannot rely solely on the cyber security team.
AARNet has identified and embedded security champions across the organisation to help spread awareness organically. They are the key points of contact between their respective teams and the cyber security team for activities relating to maturing the company’s security posture.
Along with security champions, a range of communication channels are used to make it easy for staff to report and share security concerns, including a cross-functional security and privacy working group, emails and chats.
4. Reporting and metrics
AARNet leverages both informal and formal reporting channels to share information throughout the organisation.
By working with the communications team and its channels, the cyber security team is able to take the initiative in shaping the narrative around security and to avoid knee-jerk responses.
Informal channels may involve email or phone communications with the senior management team, the CEO or the Chair to keep them abreast of regulatory developments or security incidents. Formal channels for providing information to staff include operational reporting, governance steering committees, updates at all-staff meetings, and ticket reporting systems.
5. Security, usability and automation
It’s important to take a balanced approach to security and usability whilst leveraging automation to remove repetitive manual work.
For example, AARNet has taken a risk-based approach to meeting its password control requirements by extending the expiry period for password rotations while increasing the length and complexity requirements. Staff change passwords less often, which reduces both the burden of relearning them and the temptation to choose predictable variations of the previous one.
In another example, analysts previously had to check multiple screens by hand; that manual step was removed by automatically collating the relevant information from the different systems into a single console view.