Malwarebytes

Still enduring from home

As the cybersecurity marathon continues, could fear fatigue be the next threat?

Chapter 1

A year later

Key statistics

After the world moved to remote working conditions in the spring of 2020, Malwarebytes surveyed 200 IT decision makers (ITDMs) through the C-suite about how the COVID-19 pandemic lockdowns affected their businesses and changed the face of work environments forever. Now that companies have been working in a hybrid or remote environment for over a year and a half, we checked back in to see what—if anything—had changed.

Our research shows that organizations have embraced many cybersecurity best practices as employees become more aware and vigilant of constant threats, both from cybercriminals and COVID-19. However, organizations must also learn to balance cybersecurity education while avoiding fear fatigue.

Fear fatigue is defined as the “demotivation to follow recommended protective behaviors, emerging gradually over time and affected by a number of emotions, experiences, and perceptions.”1 In the context of cybersecurity, fear fatigue refers to a complacency that leads to careless behaviors, such as opening an email attachment without properly scrutinizing the sender or neglecting to turn on a VPN while using public WiFi.

Organizations must learn to balance cybersecurity education while avoiding fear fatigue.

Organizations must learn to balance cybersecurity education while avoiding fear fatigue.

IT managers surveyed on cybersecurity posture and employee experiences

Revealed that their organizations have made some improvements in their cybersecurity posture since the beginning of the pandemic 55% Implemented new cybersecurity trainings 71% Implemented new tools 74% Reported employees are experiencing fear fatigue, with 27 percent feeling particularly overwhelmed by fear 61% Expressed that employees needed more IT support than their businesses had IT resources available 69% of IT Managers’ most significant concern was employees accidentally exposing data, such as by using “shadow IT” tools 62%

Chapter 2

How the pandemic changed IT and security

As organizations adapted to remote working, their spending habits also changed. More than 70 percent of respondents said they now spend more on cybersecurity tools, cloud-based software tools, and IT support and management staff. A significant number (60 percent) also reported spending more on hardware, which is consistent with increased hardware spending in our original report (62 percent) at the beginning of the pandemic, when many organizations provided hardware for remote work environments.

We have beefed up our security controls as well as security tools as we expand to support an ever increasing remote work force. Our goal is security controls protecting the users and users being smarter about security. We have one gauge that we consistently measure – a monthly/quarterly phishing awareness campaign – that indicates our employees are getting more vigilant about security.”

— TC, manufacturing company

We have beefed up our security controls as well as security tools as we expand to support an ever increasing remote work force. Our goal is security controls protecting the users and users being smarter about security. We have one gauge that we consistently measure – a monthly/quarterly phishing awareness campaign – that indicates our employees are getting more vigilant about security.”

— TC, manufacturing company

Remote work has changed the way we work and significantly increased the use of tools across cloud collaboration, cybersecurity, backup, and other solutions.

of ITDMs reported an increase in the use of cloud storage platforms saw an increase in the use of video conferencing platforms noted an increase in the use of identity management systems and cloud access tools noted an increase in the use of cybersecurity and antivirus tools saw an increase in the use of password management tools reported an increase in the use of VPNs increased their use of data management and backup platforms reported an increase in the use of online instant messaging and communications services 78% 76% 73% 72% 71% 71% 66% 65%
Chapter 3

Cybersecurity Improvements in the time of COVID-19

Despite the challenges of remote work, ITDMs continued to be confident in employees following security best practices.

A majority of respondents (61 percent) said they think their employees are “very aware” or “acutely aware” of cybersecurity best practices, which is only a slight decrease from our initial report of 64 percent.

ITDMs also perceived their employees as being committed to cybersecurity practices at home. Most respondents (82 percent) felt that their employees care about maintaining good cybersecurity practices.

How aware do you think your employees are of the security best practices they need to follow when working from home?
200 total respondents

Oblivious and risky
11% (21/200)
Slightly aware
13% (26/200)
Aware but not a priority
15% (30/200)
Very aware
44% (87/200)
Acutely aware and mindful to avoid risk
18% (36/200)

Despite the challenges of remote work, ITDMs continued to be confident in employees following security best practices.

Despite the challenges of remote work, ITDMs continued to be confident in employees following security best practices.

Conversely, a small group reported that their employees “don’t care enough” about cybersecurity best practices (3 percent) and some reported a few employees who are considered “reckless” (1.5 percent).

While few ITDMs were concerned about employee recklessness, even one employee can represent a significant risk: An organization’s cybersecurity posture is only as strong as its weakest link.

How would you say that the employees in your organization feel about cybersecurity practices at home?
200 total respondents

Our employees care deeply about maintaining good cybersecurity practices
51% (101/200)
Our employees care somewhat about maintaining good cybersecurity practices
32% (63/200)
Our employees are ambivalent about cybersecurity practices
14% (27/200)
Our employees don’t care about cybersecurity practices enough
3% (6/200)
Our employees are reckless about cybersecurity practices
1.5% (3/200)

The best approach here is to continually practice radical empathy — for others in the workplace and for yourself. You have to be willing to forgive and willing to be flexible. You can’t be too hard on yourself right now as we are all still collectively healing. In moments of extreme exhaustion, I think it’s important to take time to reflect and to practice mindfulness. Remind yourself of things you’re still grateful for and let go of outdated mindsets, routines, and the things that don’t truly matter.”

— Tanya Barlow, PROCON, Inc.

The best approach here is to continually practice radical empathy — for others in the workplace and for yourself. You have to be willing to forgive and willing to be flexible. You can’t be too hard on yourself right now as we are all still collectively healing. In moments of extreme exhaustion, I think it’s important to take time to reflect and to practice mindfulness. Remind yourself of things you’re still grateful for and let go of outdated mindsets, routines, and the things that don’t truly matter.”

— Tanya Barlow, PROCON, Inc.

Chapter 4

The problem with fear fatigue

With the increase in velocity and damage from cyberattacks, many organizations have invested in new tools, processes, and staff training programs to stay safe.

However, remaining ever vigilant comes at a cost, with almost 80 percent of survey respondents reporting some level of jadedness or “fear fatigue” within their organization.

ITDMs reported that more than one in four employees (27 percent) were overwhelmed by threats and jaded by cybersecurity procedures.

Organizations must continue to design cybersecurity programs that take the burden off of employees and counter inadvertent actions that put data at risk.

Are your employees facing “fear fatigue?” Does that impact cybersecurity threats?
200 total respondents

Yes, employees seem overwhelmed by threats and jaded by cybersecurity procedures
27% (54/200)
Yes, employees overall seem to have reached a point of fear fatigue during the pandemic beyond just cybersecurity
22% (43/200)
My employees seem somewhat overwhelmed by threats and jaded by cybersecurity procedures
13% (26/200)
My employees seem to be experiencing some level of fear fatigue during the pandemic beyond just cybersecurity
18% (35/200)
There is no clear impact of fear fatigue within my organization
21% (42/200)
Chapter 5

Fortifying cybersecurity remotely still presents challenges

Despite increasing cybersecurity fortification in the remote work environment, another set of challenges have come to life.

Almost three in four ITDMs (74 percent) said they have implemented new tools to enhance security. They also reported enforcing new cybersecurity trainings (70 percent); requiring employees to use additional security measures (51 percent), such as two-factor authentication (2FA); and updating their crisis management protocol (48 percent).

After being home for up to 18 months, what would you say has changed about your organization’s security posture?
200 total respondents

71% 74% 49% 52% 13% My organization has implemented new trainings to enhance security | 141 My organization has updated our crisis management protocols | 97 We have implemented new tools to enhance security | 148 We have required additional security measures (2FA, etc.) | 103 We have continued the same way as at the beginning of the pandemic | 26

62% of businesses are still struggling to find the right cybersecurity tools to support employees at home.

62% of businesses are still struggling to find the right cybersecurity tools to support employees at home.

However, many businesses are still struggling to find the right cybersecurity tools (62 percent) to support employees at home. Another challenge ITDMs reported was how to remotely train their employees (54 percent) on working securely and meeting compliance requirements from home.

To compound matters, ITDMs’ biggest cybersecurity concerns were exacerbated by remote work: 62 percent were concerned about accidentally exposing data, while 51 percent harbored concerns that cloud-based collaboration tools may not offer adequate security, especially as use increased significantly.

Following the move to remote and hybrid work environments, what are the current challenges for your organization?
200 total respondents

Finding the right cybersecurity tools to support employees at home | 125 Training employees how to most securely and compliantly work at home | 108 Serving employee needs through limited IT resources | 138 Shifting to a new, remote model of communication and/or collaboration amongst employees | 108 Ensuring work/life balance | 82 Setting up work or personal devices with new software to continue responsibilities/roles | 86 63% 54% 69% 54% 41% 43%

Many ITDMs who were not fully prepared for the added security measures needed at the beginning of the pandemic have since improved their remote cybersecurity posture.

In our first report, IT decision makers scored their organization over 7 out of 10 in readiness to work from home. Although, at the time, 44 percent did not provide cybersecurity training that focused on the potential threats of working from home, and 65 percent did not deploy a new antivirus solution for new devices issued to employees working remotely for the first time.

What are your biggest cybersecurity concerns currently?
200 total respondents

Bossware monitoring employee performance | 52 Phishing/clicking on a malicious link | 78 Exposing data or information accidentally, (possibly by using shadow IT tools or other software/tool) | 125 Ransomware | 67 Hackers gaining access to proprietary information | 63 Losing access to immediate, physical IT support in the office | 68 Purposeful insider data exfiltration from company employees | 61 Cloud collaboration tools may not provide adequate cybersecurity | 103 Difficulty in offboarding remote employees when necessary to prevent unauthorized future access | 29 26% 39% 63% 34% 32% 34% 31% 52% 15%

Many ITDMs who were not fully prepared for the added security measures needed at the beginning of the pandemic have since improved their remote cybersecurity posture.

Many ITDMs who were not fully prepared for the added security measures needed at the beginning of the pandemic have since improved their remote cybersecurity posture.

How has your organization’s level of security changed from the start of hybrid work environments due to the pandemic versus now?
200 total respondents

We’re significantly less secure than at the beginning of the shift to remote work
8% (16/200)
We’re slightly less secure than at the beginning of the shift to remote work
18% (36/200)
We’re equally secure than at the beginning of the shift to remote work
19% (38/200)
We’re slightly more secure than at the beginning of the shift to remote work
29% (57/200)
We’re significantly more secure than at the beginning of the shift to remote work
27% (53/200)

How has your use of devices changed in today’s working environment, when compared to the beginning of the pandemic?
200 total respondents

I now only use my work-issued devices for work
42% (84/200)
I now sometimes use my personal devices for work
28% (55/200)
I now use my personal and work devices to the same degree
21% (41/200)
I now use my personal devices for work more than my work-issued devices
10% (20/200)
My organization did not offer me a work-issued device
0% (0/200)
Chapter 6

Will employees return to the office?

As lockdowns continue to ease and people return to the “new normal,” many businesses have an eye towards reopening. However, not all employees feel the same. According to a survey by FlexJobs, an online employment agency, 58 percent of most remote workers would “absolutely” look for a new job if they were not allowed to work out of the office.2

While many employers may worry that employees are less productive outside the office, 65 percent of ITDMs report that productivity has actually stayed the same or improved in remote environments.

When asked to rank their concerns for returning to the office, ITDMs’ top concern was health matters, followed by being unable to focus in open office environments, or losing valuable time commuting to the office. Concerns about pets being left home alone ranked last.

65% of ITDMs report that productivity has actually stayed the same or improved in remote environments

65% of ITDMs report that productivity has actually stayed the same or improved in remote environments

Top return to work concerns

Health concerns Trouble focusing or Not being present due to relocating Childcare concerns Commuting time lost Pets not adjusting to owners absence 71% 35% 32% 29% 27% 6%
Chapter 7

How to create a “new normal” for cybersecurity

According to the Verizon 2021 Data Breach Investigations Report, 85 percent of breaches are caused by people3. Employees are an organization’s biggest asset, but they also break the rules and make mistakes—sometimes, costly ones. Mistakes can happen due to distractions (57 percent), stress (52 percent), and general fatigue (44 percent)4, and employees need protecting, supporting, and keeping safe.

Fear fatigue inspires complacency, and complacency leads to risky cybersecurity behavior. Scammers are primed and ready to take advantage of reduced focus.

Stronger awareness and overall protection are essential to keeping threats at bay. However, maintaining low risk factors by addressing fear fatigue will better serve organizations in the long run. As the pandemic drags on, with no real end in sight5, there’s no better time to confront complacency.

Any organization that requests, processes, accesses, or stores customer data should prioritize securing employees against inadvertent errors. In fact, organizations should consider “human-proofing” an essential layer of their cybersecurity approach.

Leveraging technology, for example, to automatically and readily block site visits from employees clicking potentially malicious links, or detecting and binning spear phishing email attempts before a targeted employee gets to see them, are some of the ways organizations can help keep their employees—and, in turn, company data—safe.

Scammers are ready to take advantage of reduced focus.

Scammers are ready to take advantage of reduced focus.

But technology can’t do it all. Organizations should start looking into implementing effective fatigue mitigation programs6. Employers must collaborate with employees to figure out general strategies7, which could include ways of developing strong social networks and regularly practicing healthy routines, to manage fatigue. It’s recommended that employees be given ample chance to unplug and refresh themselves.

To further help employees stay secure, cybersecurity-wise, Malwarebytes suggests the following tips for organizations: “Reinforce security measures often and in a fun way. Phish your own employees. Gamify security trainings. You can get fatigue from communications, too, so balance the right amount of communication. Know how to provide folks with guardrails, so they don’t drive off the road by mistake. Proper endpoint protection must be in place. Use a corporate VPN when you are on unsecured networks.”

The sudden change to work in response to the COVID-19 pandemic has illustrated that focusing solely on the security of data and systems, while ignoring the people using them, is not a holistic cybersecurity strategy. Innovative organizations are realizing that to improve overall cybersecurity posture, we need to secure everything and everyone.

Cyberattacks and threats to businesses will never go away. What organizations need is technology that automatically negates human error and provides the confidence needed for employees to work securely and productively from anywhere. Remote work may be here to stay, but fear fatigue shouldn’t be.

Sources

1 Fear fatigue or Pandemic fatigue – reinvigorating the public to prevent COVID-19. Policy framework for supporting pandemic prevention and management. Copenhagen: WHO Regional Office for Europe; 2020. License: CC BY-NC-SA 3.0 IGO

2 Pelta, Rachel. “FlexJobs survey finds employees want remote work post-pandemic.” (April 19, 2021)
https://www.flexjobs.com/blog/post/flexjobs-survey-finds-employees-want-remote-work-post-pandemic/

3 Verizon. “Verizon 2021 Data Breach Investigations Report.” (May 13, 2021)
https://www.verizon.com/business/resources/reports/dbir/

4 Tessian Research & Hancock, Jeff (Stanford University). “Understanding the mistakes that compromise your company’s security” (July 2020)
https://www.tessian.com/research/the-psychology-of-human-error/

5 Abutaleb, Yasmeen; Achenbach, Joel. The Washington Post. “How does a pandemic start winding down? You are looking at it.” (October 31, 2021).
https://www.washingtonpost.com/health/2021/10/31/when-does-the-pandemic-end/

6 Wong, Imelda, PhD; O’Connor, Mary, MS. Centers for Disease Control and Prevention. “COVID-19 and Workplace Fatigue: Lessons learned and Mitigation Strategies” (January 13, 2021)
https://blogs.cdc.gov/niosh-science-blog/2021/01/13/covid-19-fatigue/

7 Centers for Disease Control and Prevention. “What Workers and Employers Can Do to Manage Workplace Fatigue during COVID-19” (May 19, 2020)
https://www.cdc.gov/coronavirus/2019-ncov/hcp/managing-workplace-fatigue.html