Alert fatigue: missed cyber threats, staff retention issues and, ultimately, business crisis

The ever-growing number of cyber alerts and resultant ‘alert fatigue’ is creating a vicious cycle that can turn into crisis situations for business leaders.

But, before we look at evidence of the scale and severity of alert fatigue—and the attendant high cost for businesses—here’s the true and salutary story of Jake. It demonstrates just how vulnerable we all are to alert fatigue and how quickly bad things can happen when we let our guard slip.

Jake (not his real name) succumbed to alert fatigue, even though part of his job in the world of IT controls, security and cyber risk management involves educating clients on its dangers.

The saving grace, if you can call it that, is that in this case the high-tech security systems that were compromised were at his home. They were configured to protect his house and his car, which was parked on his drive… but more on that later.

Had a sequence of very similar events and alert decisions occurred in any large or medium-sized organisation, the consequences could have been catastrophic for business continuity, revenue and reputation.

Jake knew all of this, of course, because he lives and breathes enterprise security every working day. Yet still, without thinking twice, he surrendered to alert fatigue.

Why? Because constant alerts do wear you down. Because Jake had convinced himself, “Well, it really won’t matter if I turn this control down a bit, or turn this one off for now because I’m here in the house and nothing will happen.” And because Jake chose to ignore the fact that alerts are there for a very good reason: they signal that something bad could happen any time soon—or is happening right now. Which it was.

State-of-the-art security systems—but still a win for alert fatigue

At this point we’ll let Jake take up the story.

“Embarrassingly, I had my car stolen from right under my nose—from my driveway—on Tuesday.

“That will surprise anyone who knows me because our home is protected with the very latest in security systems, cameras and apps—internet-enabled, smartphone-controlled, you know the kind of thing.

“I’m an absolute gadget freak obsessed with security. It’s got a lot to do with my job in IT controls.

“So, we had a builder’s skip in the driveway at home—it was only going to be there for a few days. This meant my car was parked at the end of the drive, so very close to the pavement and passers-by. In this instance, think of my car as a critical business or mission-critical data.

“Now my real-time security cameras and alerts are fully adjustable with varying levels of reach and sensitivity, so I set them to be sure they covered my car at this furthest position away from the house. The problem was they kept being triggered by people walking past on the pavement. So I temporarily turned off camera alerts to stop this constant flow of annoying and seemingly false alerts. Now the camera was no longer recording events.

“Here, the business parallels are frightening: ‘cameras off’ could have been detective control failed (SIEM Security Incident Event Management system?), preventative control failed (UCA User Control Access?); or Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) failed and did not block the intruder from entering my network/driveway; or lack of perimeter controls such as a firewall as the mission-critical data/car was removed from the network/driveway.

The mistakes mount up

“Turning the cameras off was my first big, big mistake. I then made three more massive mistakes.

“My second mistake—I judged that we were ‘safe’ as there was no history of theft from homes in our area. The business parallel here could be a complete failure of cyber security training and/or a lack of good security hygiene. A case of ignorance definitely not equating to bliss!

“My third mistake is a common one. It was an icy morning and the windscreen needed de-frosting, so I started the engine, left it running with the keys in and walked away.

“Did I fully assess the risks involved in this? No. If a passing opportunistic thief or organised criminal fancied hopping in the driver’s seat, I would not have been notified by the car ‘beeping’ to signify engine on/door open/keys in vehicle as it was an older car. A business parallel here is an older operating system with lower-level security, or a modern operating system but not patched, so vulnerable. At the most basic level, keys left in the car is akin to leaving a system password on a Post-It note stuck to the front of a computer. Another way to correlate this is a ‘vulnerability and patch management system’ not adhering to service level targets, or not installed or configured correctly. Keys in the car could also be seen as SSO (Single Sign On). If a corporate device is compromised, then SSO will enable lots of access to multiple systems from a single device, especially if the user has increased privileges, which is what hackers look for. Again, this translates to a lack of cyber security training and basic security hygiene.

“The mistakes really mounted up. And then it had happened without me being aware of—or having any visibility of—anything unusual occurring. My car had disappeared off my drive, thief at the wheel!

“Because I’d left the keys in the ignition, my insurance was rendered invalid and I won’t be getting any payout. And because there was no witness and no visibility, there is a lack of power of investigation—just like in a cyber attack from another country, where there is often no legitimate way of tracking down the perpetrators. Of course, in the world of cyber-crime it’s common for hackers to clear system event logs and delete all evidence of their presence, but I had clearly lent a helping hand in this regard.

“So, those actions, caused by a mixture of fatigued decision-making and the misplaced confidence that ‘it can’t or won’t happen to me’, have cost me many thousands of pounds!”

How far does your appetite for risk stretch?

To think that the parallel behaviours mentioned here don’t occur daily in business is, frankly, to be completely out of touch with the workings of the modern digital business. Repeated alerts do get annoying and wearisome; controls do get turned off or turned down; alerts do get ignored altogether.

In fact, turning off certain configurations because they hinder business performance or BAU (business as usual) is very common indeed: a case of trying to achieve the classic balance between security and business performance.

The big worry for business leaders is that all of this ignoring of alerts, dialling down and turning off activity is manual, random, spread across different teams with different perspectives on security and not effectively monitored.

Added to this, when a breach happens people make emotional decisions and not calm, risk-based decisions. This inevitably leads to more issues and more expense.

In short, it’s all very high risk.

So, is this a situation businesses can easily get on top of with a few process improvements? Unfortunately, there seems little chance of that.

“Crisis situations” for business leaders

A report conducted by International Data Corporation (IDC) for managed detection and response company Critical Start highlights that the growing number of cyber alerts, threats and breaches creates a vicious cycle and increased costs that can turn into “crisis situations” for business leaders.

As a result of “the deluge of alerts”, alert fatigue is numbing staff to cyber alerts, resulting in longer response times or missed alerts. This fatigue can, in turn, create burnout in IT departments, resulting in increased staff turnover. When replacement personnel are hired, the cycle begins again.

We also see situations where the increasing volume and variety of security tools is taking staff ages to manage every day. Inevitably, in time they will slip up—or, at the very least, reach the point where they have expensive tools that they don’t use, or don’t monitor, correctly, which again adds complexity and risk.

The sheer extent of lost time and of non-investigated alerts is arguably the most alarming finding. According to the report:

  • Security staff spend an average of 30 minutes for each actionable alert, while 32 minutes are lost chasing each false lead
  • Companies with 500–1,499 employees ignore or don’t investigate 27% of all alerts
  • That figure rises to nearly a third (30%) for companies with 1,500–4,999 employees.

One aspect of the vicious cycle makes for particularly uncomfortable boardroom reading. If you cannot hold onto the people responsible for dealing with alerts, then the business ultimately loses the ability to mitigate risk. What then?

The solution, and a way to empower and re-energise IT and cybersecurity staff

What’s needed for business is a new and better approach—one that is able to review alerts automatically, mitigate not just risk but also alert fatigue, and empower and re-energise staff in the process.

The Quod Orbis CCM (Continuous Controls Monitoring) platform is just such a solution.

It gives you complete, real-time controls visibility 24/7—from operational level to board level—via user-friendly dashboards. Our unique wrap-around service is also included for ongoing platform management and risk identification by Quod Orbis experts.

This infographic summarises the situation:

If Jake had had CCM at his home, it would have notified him—and others—in real time of the fact that controls had failed and that he was at increased risk. It could have notified him that the keys were in the unlocked and unattended car, and that the engine was running. In short, Jake’s CCM would have provided him, at a glance, with the assurance that his controls were actually operating in the manner that they were supposed to be.

The same would hold true in your organisation. Wherever you are using controls, right across the business, the Quod Orbis CCM solution will ensure that those controls are working as you want. Not turned off, not turned down, and not degrading over time. And during set up, our experts will also identify what controls, if any, you are missing.

Good, proactive security decisions need to be made at the right time, and not after a breach when you are not making rational choices. CCM allows you to see in advance how your controls and defences are working so you can make more informed decisions with no pressure to do so, and without decisions being clouded by an emotional response.

So, before alert fatigue—and the potentially business-damaging effects of unmonitored and fatigue-induced actions—becomes a serious issue for your business, find out more about the Quod Orbis managed CCM platform by calling Alastair Dickson on 07939 286 006.
