Is EMEA suffering from 'security fatigue'?

Research reveals that over half of employees in EMEA don’t regularly think about cybersecurity.

Although workers in EMEA understand security risks and consequences, they are taking less action than their global counterparts. This is according to a recent report by networking solutions provider Aruba, which highlighted that staff in EMEA consider cybersecurity an afterthought and, compared with other regions, don't worry about legislative compliance.

Surveying more than 2,500 employees across EMEA, Aruba found that over half (55 per cent) didn't regularly think about cybersecurity, and nearly a fifth (17 per cent) didn't think about it at all. This is very different from workers in Asia and the Americas, who Aruba says think about cybersecurity often or daily (61 per cent and 51 per cent respectively).

The company believes EMEA workers' lack of action could be down to 'security fatigue', brought on by over-exposure to security rules with little technical assistance.

"Security fatigue is a state of exhaustion that sets in among workers who are constantly presented with new security messaging, tools and procedures, along with constant media coverage of breaches and threats by the media," says Gamal Emara, Country Manager - UAE at Aruba.

"Inundated with this information, it's easy to see how workers could think that it's impossible to avoid a breach and would pay less attention to security checks that ultimately slow down their working day. As the influx of data from mobile, cloud and IoT devices continues to flood the network, security teams find it almost impossible to keep on top of all of the data that they need to secure, which adds to the problem," he notes.

Until recently, security wasn't something employees really had to give much thought to. Less than a decade ago it wouldn't have been on their radar at all, but now security has become everyone's problem - including that of each individual within an organization. Outside of their comfort zone and not sure where to start, employees resent that they've become responsible for security.

"There's also an unsettling feeling of fluidity due to fast-paced changes in the cybersecurity landscape," points out Bridget Kenyon, Global Chief Information Security Officer at Thales eSecurity. "As soon as employees think they are up to date with risks and what to do, something changes and what they are doing is no longer good enough. With this constantly changing advice on how to approach security, employees feel as if they are facing a never-ending uphill struggle; this is causing them to give up and stop trying. It's like being given lots of homework, finishing it all, and as a prize getting more homework."



But why are workers in EMEA the worst for cybersecurity discipline? Emara thinks several things could be to blame. He believes it may be down to the efficacy of IT systems - as a whole, Europe has an older IT infrastructure and is seeing a huge number of devices connecting to the network, such as industrial sensors, that were never designed with connectivity or security in mind.

He also highlights that the region has been thoroughly exhausted by discussions around security legislation and regulations like the EU General Data Protection Regulation (GDPR).

Another reason could be a lack of clarity around where accountability for cybersecurity sits, as many EMEA employees believe that this responsibility should not be theirs.

"Aruba's study suggested that 36% of European employees consider cyber to be a problem for the leadership or IT team rather than their own responsibility," says Lydia Ragoonanan, Director of the London Office for Rapid Cybersecurity Advancement (LORCA).

"LORCA's own research shows that more than one fifth of CEOs across the UK acknowledge that behaviour change is the top issue for helping their companies be secure online. Engaging employees as an asset as opposed to a threat is key," she notes.

Ragoonanan says that rather than EMEA actually being the worst for cybersecurity discipline, the statistics show us that people across EMEA are more likely to report that they're not thinking about cybersecurity compared to those in the Americas or Asia.

"Before we take this at face value, we need to consider the cultural side to this data and understand how aware people are. People may report that they think about cybersecurity a lot, but what they say they think about, in comparison to what they understand and mean by that, may differ. For some, cybersecurity might mean strong passwords, whereas for others it might mean end-to-end encryption," she highlights.


The answer may lie in automation

So what is the solution to dealing with security fatigue, wherever in the world it's taking place? Many believe the answer lies in removing the responsibility from employees, freeing them to focus on the work they really care about.

Aruba's report recommends Gartner's Continuous Adaptive Risk and Trust Assessment (CARTA) approach to security, which leans heavily on AI, analytics and automation. "Through this we can start to lift the burden away from humans, who will always make mistakes," notes Emara.

"Autonomous technologies are the solution," agrees John Abel, Senior Business Director, Oracle Engineered Systems at Oracle EMEA. "If security is being viewed as an admin task, and therefore falls to the bottom of the priority pile, businesses have two options. Firstly, they can encourage cultural change in the organization, regularly enforcing security as a business priority. But this can be a lengthy process: cultural change doesn't happen overnight and doesn't guarantee the desired outcome at the end.

"The second option is to get technology to do the work for you. Autonomous systems are self-patching, self-securing and self-encrypting, taking these tasks off the plates of employees who can focus on doing the work they enjoy.

"Autonomous systems can go even further, by monitoring all business systems to ensure sensitive data is secured at all times, assessing vulnerabilities before hackers do. So while encouraging employees to think of security proactively is important, a system that isn't impacted by human error is an even better place to start to solve the issue."