Fast, reliable and secure solutions purpose built for research and education
Solutions for managing data and enabling collaboration virtually anywhere
Solutions for protecting campus networks and assets from cyber threats
Empower collaboration, discovery and innovation
Accelerate digital transformation
Inspire great teaching and learning
Transform the classroom experience
Discover, share and preserve collections
About our company and what we do
From pioneering the internet in Australia in 1989 to today
Our Board, Executive Team and Advisory Committee
Our company policies, statements and public reports
Explore opportunities and benefits of working with AARNet
Log in to view details about your AARNet services, including usage reports
Log in to send files of any size, quickly and securely
CloudStor is being decommissioned on 15 December, 2023.
Browse answers to frequently asked questions about our products and services
Check the current performance status for our services
Fast local access to popular international open-source content
Check to see if a web address is on-net
AARNet's General Manager of Security Operations discusses why cyber fatigue exists and offers some strategies for managing its effects on staff
With the constantly evolving threat landscape and increased awareness around cyber security, cyber fatigue is a growing concern for many organisations. At THETA 2023 in Brisbane this week, James Ng, General Manager of Security Operations at AARNet, discussed why cyber fatigue, a weariness for cyber security advice and behaviours, is on the rise. He also shared some of the strategies AARNet has implemented internally to combat it.
Cyber security is high on the agenda for many organisations due to the recent wave of high-profile security incidents, and for staff, this and the constant vigilance required to stay up to date with processes and procedures can be exhausting and overwhelming.
In addition, executives, boards and stakeholders want to know that an organisation is protecting itself as best it can, which means more questions and work for staff, along with higher expectations around the delivery of security requirements.
Plus, the implementation of security controls, such as multi-factor authentication, are impacting the user experience and causing frustration by making tasks take longer to complete than before.
Adding to these pressures on staff and organisations, the demand for cyber security skills is also increasing, making filling vacancies with high quality staff difficult or highly competitive.
Here are five strategies that AARNet has adopted internally to help guard against cyber fatigue:
AARNet is aligned to the ISO31000 risk management framework. Using this common language consistently across multiple communication channels when discussing cyber security, both inwards/down and outwards/out, helped to focus senior management on cyber security as a key business risk to be prioritised across the organisation.
Security is often an afterthought, and by ‘shifting left’, cyber security risks and requirements can be addressed up front instead of having them baked on after, which can lead to additional costs and time wasting.
AARNet has implemented policies and standards across the organisation, applied a ‘trust but verify’ mentality through regular security testing and checks and ensured that all staff have access to guidance, advice and support around cyber security requirements or concerns.
Cyber security is a team sport and to protect an organisation, you cannot rely solely on the cyber security team.
AARNet has identified and embedded security champions across the organisation to organically help spread awareness. They are the key points of contact for their respective teams and the cyber security team for activities relating to maturing the company’s security posture.
Along with security champions, a range of communication channels are used to make it easy for staff to report and share security concerns, including a cross-functional security and privacy working group, emails and chats.
AARNet leverages both informal and formal reporting channels to share information throughout the organisation.
Working with the communications team and channels, the cyber security team is able to take the initiative in influencing or controlling the narrative and to avoid knee jerk responses to security.
Informal channels may involve email or phone communications with the senior management team, the CEO or Chair to keep them abreast of security regulatory or incident developments. Formal channels for providing information to staff as required include operational reporting, governance steering committees, or updates via all-staff meetings, and through ticket reporting systems.
It’s important to take a balanced approach to security and usability whilst leveraging automation.
For example, AARNet has taken a risk-based approach to meet security control requirements by extending the expiry period for password rotations while increasing the length and complexity requirements.
In another example, the manual action by analysts of checking multiple screens was removed by curating this information automatically from different systems into a single console view.