As a new presidential administration takes over, it will need to pay significant attention to cybersecurity. Indeed, we’ve already been told to expect “a comprehensive plan” for cybersecurity in the first few months of the new administration. But as a professional who has long been part of the global internet security community, I am pessimistic that the typical government and individual plans or responses to our ongoing cybersecurity concerns actually will lead to meaningful improvements.
For decades, this cycle has repeated itself. First, a high-profile incident occurs – like the two massive Yahoo hacks revealed in 2016 or the even more damaging breach of federal employee data disclosed in 2015. Among other things, the resulting advice is the same: Users should change their passwords and make their login process more complicated (and more secure) by enabling two-factor authentication.
The affected services often require users to reset their passwords, but research shows very few people enable features like two-factor authentication. And even if they can, few people consider canceling their accounts – they depend too heavily on specific email addresses or other internet services in their daily lives.
Policymakers get stuck, too: New groups of well-heeled executives convene to study the same old problem and end up issuing the same old recommendations anyway. The cybersecurity industry remains a constant presence as well, offering new white papers, products and services to meet these many recurring challenges.
In broad terms, though, we do nothing at all. Over time, this leads to what I call “cyber fatigue” – namely, an inability to think critically about what needs to happen for meaningful, lasting cybersecurity improvements while focusing only on near-term problems. So as 2017 unfolds, instead of falling prey to cyber fatigue and tolerating the “status quo cyber,” we should capitalize on the global trend toward radical change in taking some new approaches to internet security thinking. That includes how we as consumers and users of technology, both large and small, act to protect ourselves and our systems.