It is undeniable that phishing fatigue is growing rapidly across businesses of every size, and it is beginning to cause widespread paranoia among employees. Based on recent studies, organizations receive roughly 17,000 malware alerts weekly, but only 19 are deemed reliable. This means most alerts are false positives, which directly contribute to alert fatigue.
Alerts in cybersecurity can come in many forms and are triggered by a variety of suspicious activities and events. Because phishing is now heavily emphasized in most organizations’ cybersecurity training, companies are intentionally targeting their own employees with simulated phishing tests to build awareness. These tests are designed to teach employees to act promptly and evaluate the source of an email, while stressing the danger of clicking on genuinely malicious emails that can compromise the network.
Essentially, the constant onslaught of phishing tests creates tension for employees regardless of their computer skills. They often become overwhelmed to the point where actual serious threats are overlooked.
The consequences and risks of phishing fatigue are dangerous to the security of your organization. Phishing fatigue can lead to:
A false sense of security. When security professionals or employees with relevant computer skills are inundated with alerts, they may become desensitized, assume alerts are false positives, and ignore them.
Delayed responses. Employees who become overwhelmed by constant testing may be slow to react to actual critical threats. This can delay the reporting of a real phishing email to the security operations center.
Increased workload. When the company keeps continuously testing, those who fail tests may experience added work stress. This often leads to higher burnout, turnover, paranoia, and decreased productivity.
Legal and regulatory compliance issues. By encouraging employees to become paranoid about email, rather than educating them with visual illustrations of phishing emails, organizations run the risk of untrained employees opening a malicious email, which may result in the large-scale loss of sensitive company data.
Increased cost. When cybersecurity systems fail to filter and prioritize genuine alerts, organizations may be forced to spend additional resources to handle the high volume of alerts, which can lead to higher unplanned budgets within IT departments.
Decreased morale. Sometimes employees take excessive phishing tests as a sign they are considered incompetent at the most basic level, even though they are assigned to do critical work. Stress over not being trusted and fear of making a mistake in a zero-tolerance organization may lead to discouragement, demotivation, and a high turnover rate because the employees feel the company doesn’t trust them.
It's important to mitigate phishing fatigue while also improving cybersecurity:
Organizations and teams need to establish thresholds to prioritize alerts by severity level. For example, Level 1 covers critical alerts demanding immediate attention; Level 2 covers priority alerts requiring action within a set or designated time frame; and Level 3 covers bi-weekly or low-priority testing to be addressed during normal working hours. Should an individual fail a phishing test, instead of reprimanding the employee, an IT security professional should consult with them, try to understand their thought process, and provide helpful suggestions for the next time they receive a questionable email.
Assign an incident response team to evaluate the number of failed security tests vs. the ones successfully recognized, to better understand why employees were unable to identify certain phishing attempts while correctly identifying others.
Continuously evaluate the road map and mission for educating employees in a comprehensive manner, rather than scolding or humiliating them, and review how they approached each test to see which educational points could be strengthened within the training programs.
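As an added illustration of the evaluation the incident response team would run (example code written for this page, not from the original article), the script below computes per-lure click and report rates from constructed simulation results and flags the lure themes the training material should cover next. The sample records, the outcome labels and the thresholds are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed phishing-simulation results (sample data, not from any real
# program): (campaign, lure theme, outcome, minutes until the employee reported
# the email, or None).  outcome is "reported", "ignored" or "clicked".
RESULTS = [
    ("Q1", "fake invoice", "reported", 12),
    ("Q1", "fake invoice", "reported", 30),
    ("Q1", "fake invoice", "reported", 45),
    ("Q1", "fake invoice", "ignored", None),
    ("Q1", "password reset", "clicked", None),
    ("Q1", "password reset", "clicked", None),
    ("Q1", "password reset", "ignored", None),
    ("Q1", "password reset", "reported", 8),
    ("Q1", "shared document", "reported", 20),
    ("Q1", "shared document", "clicked", None),
    ("Q1", "shared document", "ignored", None),
    ("Q1", "shared document", "ignored", None),
]


def lure_metrics(results):
    """Per lure theme: share of recipients who clicked, share who reported,
    and the median minutes until a report arrived.  This shows the IR team
    which themes employees recognise and which they miss."""
    by_lure = defaultdict(list)
    for _campaign, lure, outcome, minutes in results:
        by_lure[lure].append((outcome, minutes))
    metrics = {}
    for lure, rows in by_lure.items():
        n = len(rows)
        clicked = sum(1 for outcome, _ in rows if outcome == "clicked")
        times = [m for outcome, m in rows if outcome == "reported"]
        metrics[lure] = {
            "recipients": n,
            "click_rate": round(clicked / n, 2),
            "report_rate": round(len(times) / n, 2),
            "median_minutes_to_report": median(times) if times else None,
        }
    return metrics


def training_gaps(metrics, max_click_rate=0.2, min_report_rate=0.5):
    """Lure themes employees clicked too often or rarely reported (thresholds
    are assumed).  These are the examples the awareness material should
    illustrate next, not a list of people to reprimand."""
    return sorted(lure for lure, m in metrics.items()
                  if m["click_rate"] > max_click_rate
                  or m["report_rate"] < min_report_rate)
```

Calling `training_gaps(lure_metrics(RESULTS))` on the sample data returns the "password reset" and "shared document" themes, while the invoice lure, which most recipients reported, is left out.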
Although phishing fatigue will likely continue because other cyber threats are rising exponentially, management and IT operations should strongly consider evaluating their entire phishing testing program. This ensures their security awareness training is up to date and provides clear visual examples, while still giving employees a sense of being respected as they are educated.