Move your IT strategy past alarm fatigue

May 22, 20184 minute read

Select article text below to share directly to Twitter!


Alarm fatigue might be killing your IT strategy from the inside out. A recent IDC survey paints a captivating—but concerning—picture of the alarm environment IT professionals deal with today:

  • 35 percent of companies spend over 500 hours each month responding to alerts

  • One business with just three full-time workers can face 300 alerts each day

  • 37 percent of cybersecurity professionals deal with 10,000 alerts each month

  • 52 percent of alerts are actually false positives

This dynamic may lead IT staff to become complacent in a cybersecurity climate that’s actually becoming more dangerous by the day. In a world where 44 percent of organizations report being victims of cybercrime, an alarm-fatigued staff is a major vulnerability.

Understand the real problem with alarm fatigue

In an era of digital disruption and constant connectivity, you can only expect the already alarming (pun intended) statistics around alerts to become more severe. That amounts to more than an annoyance—it guarantees that alarms, created to be cybersecurity’s allies, will soon become its enemies.

Alarm fatigue is the new normal, and it will only get worse. As the number of mobile devices, desktops, printers, and other endpoints increases, the number of cybersecurity issues IT workers face will only grow—both in number and complexity. But let’s take a step back and look at the side effects of alarm fatigue:

  • Fatigued teams become susceptible to burnout; hiring more staff isn’t a good long-term solution, either

  • Threats may go overlooked while teams are busy investigating false alarms

  • Staff may develop skewed perspectives on cybersecurity issues overall (a huge danger for leadership)

  • Your ability to protect the systems and infrastructure making up the business’s backbone may be compromised

These side effects are compounded by the fact that attacks are dynamic occurrences. They happen across a chain of events, moving from layer to layer—from exploitation to infection, compromise, incident, and finally, breach—with the possibility of muddying the waters with new alerts at each level.

As the security climate stands now, an entire cottage industry has welled up to handle the constant influx of incidents and compromises. You likely deal with a wealth of coalescence technology, correlation tools, attribution-biased triage, and big data analytics to address issues, but even so, you still need to put every alarm fire out manually—and that isn’t sustainable.

Step into a responsive IT strategy

Alarm fatigue isn’t an issue you can fix overnight, but security professionals have a few options for dealing with it right now:

  • Automate responses to routine issues to free up and devote more time to higher priority problems. This allows analysts to think about overarching security concerns instead of focusing on manual ticket processing.

  • Partner with an outside managed security services provider to protect against employee fatigue and give internal staff more room to tackle high-priority issues.

  • Invest in big data to establish what “normal” looks like for your organization and assign priorities to alarms.

  • Develop an incident response plan, so staff isn’t always reinventing the wheel. Procedures should exist for handling duplicate alerts and false positives, and for distributing alert assignments to the correct staff members.

  • Automate the analysis of logged activity, so device infection alerts are correlated with abnormalities in logs. This will save manual investigation time and reduce the rate of false positives.

Get to the root of the problem

The deeper answer to alarm fatigue, though, isn’t one that addresses alarms at all. Alert-based indicators are the most obvious concerns—and are the culprits for a big chunk of the time suck happening around security escalations—but you can’t blame everything on them. The root issue is a reactive IT strategy that’s still trying to catch up with today’s evolving threat environment. Addressing that challenge requires not only a proactive approach but also one that focuses on endpoints of all types, including PCs, servers, printers, and IoT devices.

Essentially, you need to look at this from a holistic perspective that aligns the reality of today’s cybersecurity environment with the massive growth in endpoints most organizations are navigating. An effective IT strategy will rethink alarms—moving away from indicative alerts and the issues of cost, volume, and inaccuracy that come along with them—and focus on the dynamic behavior of the endpoint, instead.

The future of cybersecurity lies in an approach that models endpoint behavior and creates alerts based on actual changes in that behavior. One of the most important steps to a better security escalation strategy is finding endpoints with strong device security features that do the work for you, such as devices that can detect and mitigate vulnerabilities automatically. By focusing on stronger security for the endpoints where attacks actually occur, you can reduce the rate of false positives and make sure the security alerts you receive are more actionable.

Drowning under alerts is a common experience for IT teams, but it doesn’t have to be. With smart alert management strategies and better monitoring at the endpoint level, you can transition from reactively responding to alerts to proactively managing them.

  • Recommended for you
  • Recommended for You