Will “Security Fatigue” Inevitably Overwhelm Your Organization?

January 17, 2017

“Security fatigue” is a growing concept within cybersecurity circles: experts report that the sustained threat of malicious attacks is causing end users to feel defenseless and hopeless. There's a growing frustration about online account security, as the mounting frequency and severity of attacks are creating a bunker mentality that is difficult to escape.


In many cases, organizations and employees are taking the fatalistic attitude of hoping they're not a high enough value target to attack, rather than acting definitively to bolster their defenses.

What can you do to keep security fatigue from stunting your security posture? Here are three key responses:

Empower employees to control their credentials

Identity & access management (IAM) is the front line of organizational cyber defense, since the vast majority of today’s attacks start with stolen accounts. However, many employees feel like they're just along for the ride, rather than a driving force in maintaining an edge over bad actors.

There are now numerous tools that provide employees with an opportunity to feel engaged and vital in the security process. Password managers, self-service password resetting, and easy, mobile-based two-factor authentication all give employees an active and recurrent role to play, which promotes a more active and confident stance.

One very important security company to look at in this space is Centrify, a leader in securing applications and infrastructure. A wide variety of their identity & access management solutions prioritize empowering employees in a way that creates a robust and aggressive defense. It pays to remember their motto: “Half protected is half not!”

Emphasize a cybersecurity culture

Effective security begins with a culture that embraces security as a priority: this begins with senior management and trickles down to all employees. In cases where the senior management team has identified the top three priorities and cybersecurity is not one of them, security can still be effectively piggybacked into the conversation and the culture. For example, if business growth is a defined priority, remind leadership that a security incident can absolutely cripple the ability to attract new customers and grow market share.

A positive and dynamic attitude toward security that begins at the top is infectious, and can inspire the rank and file to resist the hopelessness that leads to security fatigue.

Prioritize cybersecurity education

A bunker mentality that crystallizes into full-blown security fatigue is often a case of, “The only thing we have to fear is fear itself.” That is, the unknown is inherently frightening, and employees can easily convince themselves of the omnipresence of threats that do not exist.

The best antidote for the unknown is a good education. Demystifying security reduces the scope of the unknown, which means fewer things to fear. Educating employees also keeps them engaged in the process, which creates a cycle that further expands the bounds of security and reduces the potential for feeling helpless in the face of accelerating threats.

Simple examples of attacks that try to steal passwords, and of how things like multi-factor authentication can stop those attacks in their tracks, can go a long way towards empowering employees and making the battle seem winnable again.

Security fatigue is real, but it doesn't have to infect your organization. Stay active, stay focused, stay engaged, and bring everyone else in your organization along for the ride. You'll find that security fatigue is soon a distant memory and security incidents that plague other organizations are issues you can avoid with greater success and optimism.

Learn more about MFA by checking out the history of passwords and the evolution of cyberthreats.  

Editor’s Note: The opinions expressed in this guest author blog are solely those of the contributor, and do not necessarily reflect those of Centrify.

This is written by the individual author in his/her personal capacity, and the opinions, views and/or thoughts expressed herein are solely the author’s own. They are not intended to and may not necessarily reflect the official policy or position, or the opinions or views of ThycoticCentrify or its affiliates, employees, or any other group or individual.