March 27, 2022
The ever-growing number of cyber alerts and resultant ‘alert fatigue’ is creating a vicious cycle that can turn into crisis situations for business leaders.
But, before we look at evidence of the scale and severity of alert fatigue—and the attendant high cost for businesses—here’s the true and salutary story of Jake. It demonstrates just how vulnerable we all are to alert fatigue and how quickly bad things can happen when we let our guard slip.
Jake (not his real name) succumbed to alert fatigue, even though part of his job in the world of IT controls, security and cyber risk management involves educating clients on its dangers.
The saving grace, if you can call it that, is that in this case the high-tech security systems that were compromised were at his home. They were configured to protect his house and his car, which was parked on his drive… but more on that later.
Had a sequence of very similar events and alert decisions occurred in any large or medium-sized organisation, the consequences could have been catastrophic for business continuity, revenue and reputation.
Jake knew all of this, of course, because he lives and breathes enterprise security every working day. Yet still, without thinking twice, he surrendered to alert fatigue.
Why? Because constant alerts do wear you down. Because Jake had convinced himself, “Well, it really won’t matter if I turn this control down a bit, or turn this one off for now because I’m here in the house and nothing will happen.” And because Jake chose to ignore the fact that alerts are there for a very good reason: they signal that something bad could happen any time soon—or is happening right now. Which it was.
State-of-the-art security systems—but still a win for alert fatigue
At this point we’ll let Jake take up the story.
“Embarrassingly, I had my car stolen from right under my nose— from my driveway—on Tuesday.
“That will surprise anyone who knows me because our home is protected with the very latest in security systems, cameras and apps—internet-enabled, smartphone-controlled, you know the kind of thing.
“I’m an absolute gadget freak obsessed with security. It’s got a lot to do with my job in IT controls.
“So, we had a builder’s skip in the driveway at home—it was only going to be there for a few days. This meant my car was parked at the end of the drive, so very close to the pavement and passers-by. In this instance, think of my car as a critical business or mission-critical data.
“Now my real-time security cameras and alerts are fully adjustable with varying levels of reach and sensitivity, so I set them to be sure they covered my car at this furthest position away from the house. The problem was they kept being triggered by people walking past on the pavement. So I temporarily turned off camera alerts to stop this constant flow of annoying and seemingly false alerts. Now the camera was no longer recording events.
“Here, the business parallels are frightening: ‘cameras off’ could have been detective control failed (SIEM Security Incident Event Management system?), preventative control failed (UCA User Control Access?); or Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) failed and did not block the intruder from entering my network/driveway; or lack of perimeter controls such as a firewall as the mission-critical data/car was removed from the network/driveway.
The mistakes mount up
“Turning the cameras off was my first big, big mistake. I then made three more massive mistakes.
“My second mistake—I judged that we were ‘safe’ as there was no history of theft from homes in our area. The business parallel here could be a complete failure of cyber security training and/or a lack of good security hygiene. A case of ignorance definitely not equating to bliss!
“My third mistake is a common one. It was an icy morning and the windscreen needed de-frosting, so I started the engine, left it running with the keys in and walked away.
Did I fully assess the risks involved in this? No. If a passing opportunistic thief or organised criminal fancied hopping in the driver’s seat, I would not have been notified by the car ‘beeping’ to signify engine on/door open/keys in vehicle as it was an older car. A business parallel here is an older operating system with lower-level security, or a modern operating system but not patched, so vulnerable. At the most basic level, keys left in the car is akin to leaving a system password on a Post-It note stuck to the front of a computer. Another way to correlate this is a ‘vulnerability and patch management system’ not adhering to service level targets, or not installed or configured correctly. Keys in the car could also be seen as SSO (Single Sign On). If a corporate device is compromised, then SSO will enable lots of access to multiple systems from a single device, especially if the user has increased privileges, which is what hackers look for. Again, this translates to a lack of cyber security training and basic security hygiene.
“The mistakes really mounted up. And then it had happened without me being aware of—or having any visibility of—anything unusual occurring. My car had disappeared off my drive, thief at the wheel!
“Because I’d left the keys in the ignition, my insurance was rendered invalid and I won’t be getting any payout. And because there was no witness and no visibility, there is a lack of power of investigation—just like in a cyber attack from another country, where there is often no legitimate way of tracking down the perpetrators. Of course, in the world of cyber-crime it’s common for hackers to clear system event logs and delete all evidence of their presence, but I had clearly lent a helping hand in this regard..
“So, those actions, caused by a mixture of fatigued decision-making and the misplaced confidence that “it can’t or won’t happen to me” have cost me many thousands of pounds!”
How far does your appetite for risk stretch?
To think that the parallel behaviours mentioned here don’t occur daily in business is, frankly, to be completely out of touch with the workings of the modern digital business. Repeated alerts do get annoying and wearisome; controls do get turned off or turned down; alerts do get ignored altogether.
In fact, turning off certain configurations because they hinder business performance or BAU (business as usual) is very common indeed: a case of trying to achieve the classic balance between security and business performance.
The big worry for business leaders is that all of this ignoring of alerts, dialling down and turning off activity is manual, random, spread across different teams with different perspectives on security and not effectively monitored.
Added to this, when a breach happens people make emotional decisions and not calm, risk-based decisions. This inevitably leads to more issues and more expense.
It short, it’s all very high risk.
So, is this a situation businesses can easily get on top of with a few process improvements? Unfortunately, there seems little chance of that.
“Crisis situations” for business leaders
A report conducted by International Data Corporation (IDC) for managed detection and response company Critical Start highlights that the growing number of cyber alerts, threats and breaches creates a vicious cycle and increased costs that can turn into “crisis situations” for business leaders.
As a result of “the deluge of alerts”, alert fatigue is numbing staff to cyber alerts, resulting in longer response times or missed alerts. This fatigue can, in turn, create burnout in IT departments, resulting in increased staff turnover. When replacement personnel are hired, the cycle begins again.
We also see situations where the increasing volume and variety of security tools is taking staff ages to manage every day. Inevitably, in time they will slip up—or, at the very least, reach the point where they have expensive tools that they don’t use, or don’t monitor, correctly, which again adds complexity and risk.
The sheer extent of lost time and non-investigated alerts are arguably the most alarming findings. According to the report:
One aspect of the vicious cycle makes for particularly uncomfortable boardroom reading. If you cannot hold onto the people responsible for dealing with alerts, then the business ultimately loses the ability to mitigate risk. What then?
The solution, and a way to empower and re-energise IT and cybersecurity staff
What’s needed for business is a new and better approach—one that is able to review alerts automatically, mitigate not just risk but also alert fatigue, and empower and re-energise staff in the process.
The Quod Orbis CCM (Continuous Controls Monitoring) platform is just such a solution.
It gives you complete, real-time controls visibility 24/7—from operational level to board level—via user-friendly dashboards. Our unique wrap-around service is also included for ongoing platform management and risk identification by Quod Orbis experts.
This infographic summarises the situation:
If Jake had had CCM at his home, it would have notified him—and others—in real time of the fact that controls had failed and that he was at increased risk. It could have notified that the keys were in the unlocked and unattended car, and that the engine was running, In short, Jake’s CCM would have provided him, at a glance, with the assurance that his controls were actually operating in the manner that they were supposed to be.
The same would hold true in your organisation. Wherever you are using controls, right across the business, the Quod Orbis CCM solution will ensure that those controls are working as you want. Not turned off, not turned down, and not degrading over time. And during set up, our experts will also identify what controls, if any, you are missing.
Good, proactive security decisions need to be made at the right time, and not after a breach when you are not making rational choices. CCM allows you to see in advance how your controls and defences are working so you can make more informed decisions with no pressure to do so, and without decisions being clouded by an emotional response.
So, before alert fatigue—and the potentially business-damaging effects of unmonitored and fatigue-induced actions—becomes a serious issue for your business, find out more about the Quod Orbis managed CCM platform by calling Alastair Dickson on 07939 286 006.