After six months of social distancing, sheltering in place, working from home, distance learning, mask-wearing, hand-washing, and plenty of hand-wringing, people are pretty damn tired of COVID-19. And with no magic bullet (yet) and no end in sight, annoyance has turned into exasperation and even desperation.
Doctors and mental health professionals call this Covid fatigue.
Covid fatigue, not to be confused with fatigue as a symptom of the COVID-19 infection, can be characterized by denial, defeatism, and careless or reckless behavior in response to feeling overwhelmed and exhausted by a constant stream of pandemic-related information. And since COVID-19’s impact on our lives has been both profound and long-lasting, the fatigue is further pronounced by such prolonged exposure to intense stress. Conflicting information about the seriousness of the virus does little to provide relief. Instead, emotions are extra muddied by uncertainty about how stressed we should really be feeling.
Those of us in cybersecurity recognize this emotional response well. We’ve seen it play out in the digital realm in the form of security fatigue and alert fatigue, or what some doctors call “caution fatigue.” And we understand that if it isn’t addressed, it can lead to dangerous choices for the health and safety of people in the real world and online.
COVID-19 has upended nearly every facet of our lives, driving us into the open arms of the Internet like never before. Yet, as we struggle with anxiety and burnout related to the pandemic, our fatigue spills over into our online behavior. And with so many working and schooling from home, the stakes have never been higher.
So, when we see users exhibiting classic symptoms of Covid fatigue, security fatigue, or other caution fatigue, we feel their pain but recognize that this behavior can’t go on unchecked. If you think that you, your friends and family, or coworkers might be experiencing Covid fatigue, read on to learn how to recognize the symptoms, why they are dangerous, and what can be done to fight against it.
What is Covid fatigue?
To understand Covid fatigue, it helps to first zoom out and consider that fatigue is a natural response to any ongoing stressful situation or threat. When you couple that with the need to take specific actions to protect against that threat, you get caution fatigue. In an interview for a WebMD special report, Jacqueline Gollan, Associate Professor of Psychiatry and Behavioral Science at Northwestern’s Feinberg School of Medicine, explains what she means by the term caution fatigue:
“[Caution fatigue] is really low motivation or interest in taking safety precautions. It occurs because the constant state of being [on] alert for a threat can activate a stress hormone called cortisol, and that can affect our health and our brain function…When we're subjected to high levels of stress, we start to desensitize to that stress. And then we begin to pay less attention to risky situations.”
Caution fatigue, then, can apply to numerous situations where individuals are under siege for an extended period of time and grow tired of being required to employ protective measures. This is especially true when the threat is not perceived as imminent or direct, and even more prominent when the threat is invisible. Other factors that increase caution fatigue include:
- Lack of transparency into the threat or the reasons for the restrictions
- Unfair or overly complicated restrictions or recommendations for safety precautions
- Inconsistent actions and mixed messages about which measures are effective
- Unpredictable changes to safety measures, including using subjective criteria to alter directions
Looking at this list in the context of the coronavirus pandemic, it appears we’ve checked off all the boxes, turning what was strong public support for COVID-19 response strategies into a collective case of the Mondays. According to an October report by the World Health Organization (WHO), pandemic fatigue has reached over 60 percent in some parts of Europe. In the United States, a July 2020 Kaiser Family Foundation poll found that 53 percent of Americans believed the pandemic had harmed their mental health.
WHO says that Covid fatigue is expressed through an increasing number of people not sufficiently following recommendations and restrictions, decreasing their effort to stay informed about the pandemic, and having lower risk perceptions related to COVID-19. Previously effective core messages about washing hands, wearing face masks, practicing proper hygiene, and maintaining physical distance may now be lost in the shuffle. Instead, vigilance is replaced by denial (I won’t get infected) or nihilism (we’re all screwed anyway, so I might as well do what I want).
What does Covid fatigue have to do with cybersecurity?
Covid fatigue shares characteristics with another form of fatigue that has long plagued the cybersecurity industry: security fatigue. In 2017, the National Institute of Standards in Technology (NIST) published a study stating that security fatigue was the threshold at which users found it too hard or burdensome to maintain security, a phenomenon affecting 63 percent of its participants.
The NIST report went further to say, “People are told they need to be constantly on alert, constantly ‘doing something,’ but they are not even sure what that something is or what might happen if they do or do not do it.”
Security fatigue and its cousin alert fatigue (which technicians are likely already familiar with) prevent users from taking definitive steps to protect themselves while connected to the Internet. Every news story on ransomware or major breach of personally identifiable information (PII) or cyberattack by a nation-state comes with its own set of “here’s how to protect against this” steps to follow.
Some of those instructions may be complex or incredibly specific, contributing to confusion (especially for those who aren’t tech savvy). Likewise, the constant pinging from alert notifications on security software may result in IT teams dismissing those alerts altogether.
Although there have been efforts to reduce security and alert fatigue, they likely make themselves known on a regular basis to anyone working in IT and security. For other users, security fatigue might flow as an undercurrent or barely register. But when you add Covid fatigue to the recipe, you get a dangerous cocktail of weary indifference.
Now, those with Covid fatigue aren't just endangering themselves by ignoring best health practices and tuning out the latest news. They're also letting their fatigue-influenced behavior spill over into other areas, including conducting business (or pleasure) online.
Because COVID-19 has forced much of the globe to spend a lot more time online, it has opened up the floodgates for cybercriminal activity, misinformation, and digital infection. Here, at the crossroads of Covid, security, and alert fatigue, people might find themselves in just as much danger on the Internet as they would be at a packed rally of maskless, cheering crowds.
Caroline Wong, CSO of pentest-as-a-service company Cobalt, recently spoke to Malwarebytes employees at a virtual fireside chat about Covid fatigue.
“One of the things that I worry about the most is anxiety and burnout and what that means for human error,” she said. “When we’re anxious, maybe we’re more likely to fall for a phishing scam. When I’m burnt out, maybe I’m more likely to purposefully or accidentally take some kind of a shortcut. Every behavior of an employee affects the security posture of the company."
And behaviors have changed drastically for both users and cybercriminals since the onset of COVID-19. Here are a few examples of how threat actors are taking advantage of fatigued users:
- Now that more people are shopping online to avoid crowded stores, cybercriminals have stepped up their credit card skimming efforts on legitimate sites. In just the first month of sheltering in place, digital skimming was up 26 percent. Users were previously told that a site secured by "https" and a lock icon should be safe. Those rules are now out the window.
- Threat actors have weaponized information on COVID-19, using it as a hook to lure phishing victims, from SBA scams to nation-state espionage. Just consuming information about COVID-19 from the wrong source, then, could compromise users’ safety.
- Students are distance learning, often on their own devices. And parents/individuals are mostly working from home, again using their (unprotected) personal devices to conduct work, or work devices to conduct personal errands. Cybercriminals look to capitalize on these risky choices by targeting employees on insecure devices and infiltrating business/school networks in the process.
"I think the biggest threat from Covid fatigue comes down to the massive distraction it causes," said Adam Kujawa, Director of Malwarebytes Labs. "People who are so desperate for hope might scrutinize less and end up falling into a trap or exposing themselves to cyberthreats, just for the idea of relief."
Combine this with the general malaise brought on by Covid fatigue, and you get an exponentially higher chance of infecting your home and business networks, rendering your devices obsolete, having your PII stolen and sold on the black market, opening the door for nation-state actors to spy on your organization, or even inviting threat actors to seize company files and ransom them for a hefty price.
How to fight Covid fatigue
If one of the symptoms of fatigue is feeling overwhelmed by a heavy dose of information and advice about what to do to combat a threat, how do you go about giving important information and advice about what to do to combat that threat? One method would be to consider the factors that are causing stress and fatigue and then deliver simple, actionable instructions to counter those factors. For example, if a constantly changing outlook on the future of the pandemic and other mixed messages are creating anxiety, consider only visiting a small selection of websites to find answers.
In researching for this article, I came across dozens of different recommendations for combatting Covid and security fatigue. Rather than overwhelm readers with too many choices, I opted to boil down all instructions to the three most pertinent. For battling Covid fatigue, try:
- Turning to a coping mechanism. Take a five minute break from the screen or TV if COVID-19 news is getting you down. If you need more time, spend it consumed in a favorite hobby to re-energize.
- Lowering your expectations. This may sound crude, but what it really means is give yourself a break. If you're forgetting words or taking a long time to complete a project, forgive yourself. And if you think a vaccine will definitely be here in January 2021, perhaps consider placing your hopes elsewhere.
- Talking to someone. COVID-19 has been isolating for all of us. When loneliness strikes, schedule a virtual happy hour with a close friend, jump on a phone call with family members, or book an appointment with a trusted counselor.
In addition, remember these key preventative measures for keeping the virus at bay, recommended by leading scientists:
- Wear a mask in public. That includes not just stores and workplaces, but at any gathering with people outside your household.
- Wash your hands frequently. Especially after being around other people or handling any objects that came from outside your home.
- Practice social distancing. When in doubt, stay at least six feet away from others. Refrain from gathering in large groups, especially indoors in poorly-ventilated areas.
And finally, to ensure you don't let Covid fatigue transform into security fatigue, remember these three important rules:
- Use a password manager. To avoid re-using passwords across accounts or having to remember 27 different ones, a password manager will keep your account credentials encrypted inside a digital vault, which can only be opened by a single master password. For extra protection, employ multi-factor authentication.
- Use security software on all of your devices, including your mobile phone. (iPhones don't allow for external antivirus protection, but they do let users download robocall blockers and apps that secure mobile browsers.)
- Use common sense. We've learned that "trust but verify" doesn't work for the Internet. If it seems too good to be true...you know the rest.