'Cybersecurity fatigue' stopping millions from being safe

Credit: Rawpixel.com/Shutterstock.com

NIST reported in IT Professional that the regular publicising of advice fatigues and wearies people, ironically making them less likely to take the necessary precautions to strengthen their online security.

In an age where the likes of TalkTalk and the Carphone Warehouse are having their websites breached because of lax defences, the existence of apathy among the public is a major cause for concern.

It suggests that already underperforming companies have to double their efforts to protect the data of their customers.

More fundamentally, it also suggests that the whole approach to educating and protecting the public has to change, and that cybersecurity has to be made much simpler and accessible if the Government and businesses expect the public to play their part.

Resignation

Otherwise, the kind of fatigue and disinterest reported by NIST will continue.

In their paper, they recorded how "average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert."

Much of this sense of being overwhelmed comes from having to remember so many usernames and passwords, which the authors of the paper reveal can sometimes reach as many as 30.

But it's also a product of having to adopt "safe behavior, and trying to understand the nuances of online security issues."

Together, these kinds of demands were found to have an effect opposite to what was intended.

They not only lead to "feelings of resignation and loss of control", but they also result in many people "avoiding decisions, choosing the easiest option among alternatives ... and failing to follow security rules."

As such, campaigns intended to motivate people to act more responsibly online - such as the public cybersecurity awareness programme launched by the Cabinet Office in 2013 - may have been counterproductive.

Since they required the public to take on considerable amounts of new information and adopt new habits, they may have worsened the uncertainty and indecision they set out to solve.

This is perhaps part of the reason why, after years of campaigns and more campaigns, Britons are still victims to some 6 million cybercrimes each year.

Entrusted data

Part of the problem is no doubt that some cybercriminals are becoming more sophisticated in their methods, yet another big part of the problem is simply the attitudes people have towards cybersecurity.

For example, NIST also noted that many people think "safeguarding data is someone else's responsibility". They often believe that computer security should be left "to their bank, online store or someone with more experience".

This is an assumption that's made much more likely by the aforementioned bombardment of advice, cautions, instructions and campaigns.

In order to combat it, what's needed is an entirely different approach to ensuring that the public aren't a weak link in cybersecurity's chain.

As the NIST paper recommends, business and security companies should "Make it simple for users to choose the right security action". They should also "Design for consistent decision making whenever possible".

While it's only a modest step, such consistency and simplicity would be enabled by a password manager like Dashlane and LastPass.

However, cybersecurity isn't simply a matter of simplicity. It's also a matter of businesses and organisations doing more to protect the data they keep on behalf of their customers.

This is because, whenever someone puts personal information online, they always put it with a business and organisation.

Because they entrust it to a third party, they're actually correct in assuming that the ultimate responsibility for its security resides with this party.

Hard lines

As a result, telecoms providers like TalkTalk really must do more to tighten the defences of their websites and databases.

Since they've been so slipshod recently, it's a good thing the Information Commissioner's Office fined them £400,000.

Because if their cybersecurity is weak, then no amount of sensible, responsible behaviour on the part of their customers is going to save these customers from having their personal data jeopardised.

In fact, it's possible that the general public have been overwhelmed with so much information concerning security precisely because many businesses have been so inept on this regard.

This is why, if the Government wish to avoid giving them cybersecurity fatigue, they should work very hard towards ramping up the cybersecurity of businesses.

Their opening of a National Cyber Security Centre is a step in the right direction, yet what's also required is a consistent hard line on companies who have their websites breached because of security failings.

Because without such a hard line, there would be little use in informing a jaded public about cybersecurity anyway.