What is Cybersecurity Alert Fatigue and How Can You Escape It?
Alerting is an essential function in cybersecurity. Alerts give you a heads up that something needs your attention immediately, so they play an essential role in keeping your organisation safe.
However, if your alert logic is misconfigured or you have layered on new reporting tools as your company has grown and developed, it can lead to a specific kind of sensory overwhelm. Where your alerts are chiefly false positives, unactionable notifications, and pedestrian requests for simple inputs, they start to lose urgency.
This is a phenomenon called “alarm fatigue” or “alert fatigue”.
What is Alert Fatigue in Cybersecurity?
Alert fatigue or alarm fatigue happens when team members are regularly overwhelmed by similar alerts and eventually become desensitised to ALL alerts. This effect is particularly exacerbated when many of the alerts encountered are non-actionable or present false positives.
Think about it – in your first week in an alarm-heavy environment, every single alert will get your adrenaline pumping and you’ll feel pressured to attend every time. But after a while, after having been tricked into panic mode by countless low-quality alarms or unactionable “FYI”s, alerts become something you roll your eyes at and get around to at some point.
According to data from the Cloud Security Alliance, 31.9% of IT security professionals report ignoring alerts because of the prevalence of false positives. In a way, it’s not dissimilar to the “boy who cried wolf” fable.
The terms “alert/alarm fatigue” are primarily noted in health and caregiving settings, but also present in heavy industry, construction, and of course in IT and cybersecurity.
See below for a few examples of things that IT teams may be alerted to:
- Unauthorised access to systems, devices, or data
- Attempts to gain higher privilege access than is permitted for a given user
- Malware detected by a firewall or on a device
- Multiple failed multi-factor authentication attempts
- Unusual network traffic patterns that may imply a denial-of-service attack or malware propagation.
Why Does Alarm Fatigue Happen?
Our brains are very good at tuning into alarm signals when danger may be imminent; it’s essential for our survival. But when we receive the same “danger” notification time and time again, and 9 times out of 10 that alarm turns out to be something minor, we start tuning those alerts out, leaving our senses free to perceive other, real threats.
It was useful when we lived out in the wild, but it’s less useful in the digital age. Today we’re assaulted with digital notifications and it’s truly overwhelming. Eventually, all alerts get mentally tarred with the same brush as being “low priority”, even when they’re not. So, when an urgent, disastrous cybersecurity incident does arise, it could well slip through the net if the team are alarm-fatigued enough.
So, let’s explore how you can minimise alert fatigue.
How to Combat Cybersecurity Alert Fatigue
1. Uncover Your Cybersecurity Aims
Before you go changing anything about your alert logic, take a step back. What do your current alerts tell you? How critical are the events that set off your current alerts? What are the most critical alerts that you have received over the past year or so? What kind of attack or incident do you find yourselves fighting off the most? Where does it appear that your cyber weak-spots lie?
Also take this time to establish what security concerns are most appropriate to your needs and operation. Do you need special focus on data security? Perimeter security? IoT or SCADA Security? Evading the latest malware? Fending off phishing attacks? What devices, data, and areas of your business do you especially need to keep secure?
2. Review The Rulebook
Now it’s time to tweak your alerting rules and logic. Take a look at the security alerts you or your team receive on any given day or week. Do any particularly repetitive, low-importance, non-actionable alerts stand out? If so, it may be worth seeing if you can combine them into a single daily digest (if you need to know about them at all). Are there any annoying false positives that can be filtered out?
Also consider your personal observations from point #1. Do any new alerts need setting up since the last time you reviewed your security rules? Diarise a regular review – say, every 2-6 months – to review your security alerting rules and make essential tweaks.
2.5. Don’t Sweat the Little Stuff – Automate It!
On a related note, if you find any minor, repetitive alerts that are resolved with the same manual action each time, see if you can automate them. Not only does this save you time, but it reduces the number of notifications going off too – reducing alarm fatigue.
3. More Information, Less Panic
Any worthwhile security alerting function should be able to provide extensive information within each alert message. Alerts should never just be a message that says “there’s a problem here, go fix”.
The more technical context and log information that can be included in each alert message, the less your technicians have to go on the hunt for information. And the less they have to hunt for information, the quicker they can start resolving the problem. In the Cloud Security Alliance study mentioned above, 40.4% of security professionals said that the alerts they receive lack actionable intelligence to aid investigation.
However, too much information can equally be a hindrance – it’ll just slow your team down. Aim for a happy medium that helps technicians understand each problem at a glance.
4. Minimise Your Reporting Tools
Say, for example, that you have a PC app that feeds you firewall alerts, a web portal for monitoring your IPS, you receive email alerts about internal network security, and you have a phone app that notifies you about failed MFA attempts. Sounds like a lot of juggling.
If this describes your own cybersecurity alerting situation, you’re far from alone. The Cloud Security Alliance also reported that half of enterprises use six or more tools that generate security alerts. That understandably makes for a very noisy, inefficient security experience.
In addition, hopping between different screens is more mentally taxing than we think. Psychologist and computer scientist Gerald Weinberg called flitting between tasks, windows, projects, or areas of focus “context switching” and that every additional “context” that we try to handle at the same time gobbles up 20% of our productivity.
So, for the sake of simplicity and productivity, try to bring all of your security monitoring into a single screen or dashboard, so everything is coming from a single source.
Also pay attention to how alerts are delivered. If you have to deal with dashboard notifications, Slack messages, and email alerts that all report on different things and provide different contextual information, this is only going to further add to your security juggling act. As you standardise alerts to come from a single source, also standardise them to contain the same information in the same format, so you know where to look for which details each time.
5. Establish Best Practices for Common Alerts
Chances are there may be some alerts that come up regularly that you just can’t automate. The best you can do in this situation is to determine the most straightforward way to investigate and solve these particular alerts and follow this “best practice” each time the alert appears. This way, you and your team don’t have to reinvent the wheel every time.
Creating these “best practice” flows may even uncover sub-tasks that can be automated. Even if some of the alert response flow needs manual input, parts of it might be ripe for automation.
6. Proactivity Often Saves the Day!
This is good cybersecurity advice regardless of alerts, but make an effort to keep an eye out online for new threats, vulnerabilities, and scams doing the rounds. Forewarned is forearmed when it comes to IT security, and if a threat hasn’t reached you yet – you’ve got time to batten down the hatches before disaster strikes. Pre-emptive defence against a threat is much better than firefighting after it hits you!
7. Establish Defined Levels of Criticality
If all alerts are presented in the same way, with the same sounds, the same presentation, or with the same level of priority, then it’s harder to sort the wheat from the chaff. So, consider adopting differing levels of criticality for different kinds of issues. Not only does this help you differentiate a minor snag from a red alert, it also gives you an opportunity to consider how each level of urgency is handled.
For example, do all alerts really need to be sent as emails, push notifications, and text messages? Or should that level of coverage be reserved for the real business-changing, all-hands-on-deck stuff? The more we are surrounded by notifications, the more we become desensitised to them, so make sure that urgent, genuine issues are easily discernible from minor notifications.
8. Regularly Change Up Alert Sounds & Language
It’s easy to simply tune out alerts when they make the same noises and use the same header text time and time again. So, switch it up!
Ideally, you could use different language and sounds to reflect the different levels of criticality – so as different alerts come in, you can immediately tell how urgent they are without further digging. Alternatively, you could change the text and language of alerts every few months to keep alert fatigue at bay (though this could potentially cause some confusion).
9. Establish Team Roles
If you have more than one person who deals with IT alerts, you might find it beneficial to assign roles. Make different team members responsible for different types of alerts – preferably working with their individual skill sets and preferences. Alternatively, it may be an idea to rotate roles every month or so to further keep alarm fatigue at bay.
10. Train Your Non-Techies!
Good cyber awareness training is essential for all team members, but it also has an important role in the fight against alert fatigue. The more your non-technical team know how to keep your organisation safe, the fewer active threats your technicians will have to deal with.
A cyber-informed workforce therefore allows anyone in an IT role to focus on proactive threat management rather than firefighting against incoming attacks.
Are You Fatigued by Cybersecurity Alerts?
A lot of small businesses feel quite alone when it comes to cybersecurity. There are almost limitless blogs and guidance abound online, but sometimes you need input that relates to your own individual situation.
If this sounds familiar – and if alarm-overwhelm is less of an annoyance and more of a constant reality – why not consider Just Firewalls’ managed firewall service?
For an easily budgetable, monthly fee, our expert team will take all aspects of firewall management off your hands, including alert monitoring, day-to-day management, and technical support. We’re priority partners with SonicWall and WatchGuard – two indisputable industry leaders in firewall technology.
If you want managed security services that go beyond just firewalling, our colleagues at Just Cyber Security offer a full suite of Managed Security and Incident Response Services, taking all digital security worries off your hands.
Don’t delay, learn more about Just Firewalls’ comprehensive managed firewall service today!