Cybersecurity plays a more prominent role in today’s laboratories. Digitalization, remote work, and cloud applications make labs more connected and vulnerable to security breaches. Strong password policies and multi-factor authentication (MFA) improve security, though at a price.
Security practices force laboratory workers to enter log-in credentials several times an hour, interrupting their workflows throughout the day. The resulting security fatigue frustrates people and leads to behaviors that can undermine security.
We will discuss how security fatigue occurs—and its consequences—before explaining how a laboratory information management system (LIMS) from LabLynx reduces security fatigue without compromising security or productivity.
What is security fatigue?
In a typical organization, employees must bear the burden of proper security practices. Over time, this constant state of alert creates a phenomenon called security fatigue. [1, 2] People get tired and adopt behaviors that, while minimizing these burdens, make the organization less secure. A National Institute of Standards and Technology (NIST) study of security fatigue found that “the majority of their average computer users felt overwhelmed and bombarded” by security issues. [1]
Authentication and the requirements it places on workers drive much of this fatigue. To ensure that the people logging into accounts are who they claim to be, organizations expect people to:
- Create long, complex passwords,
- Create unique passwords for every account,
- Recall these passwords at login perfectly, and
- Replace passwords frequently.
In isolation, these expectations are not unreasonable. However, security administrators fail to consider the sheer number of account credentials people deal with in their personal and professional lives. LastPass analyzed users of its business password management software and found that, on average, people had 70 to 80 unique passwords. [3] Beyond the workplace, people manage dozens more personal online accounts. [4]
Multi-factor authentication adds to the frustration. Requiring end users to supply one-time codes or fingerprint scans in addition to a password improves cybersecurity. That is why MFA adoption rates range from 22 to 50 percent. [3, 5] However, MFA raises barriers between users and their work when dozens of work accounts require difficult-to-remember passwords, fingerprint readers do not work consistently, security key fobs are left behind, or one-time passwords expire before users can enter them.
Consequences of security fatigue
Workers’ growing sense of security fatigue has severe consequences for an organization. Managing dozens of work-related passwords, each with its own format and expiration period, leads people to adopt poor password practices, including:
- Keeping written password lists by their desks,
- Creating simple but less secure passwords, and
- Reusing passwords across multiple accounts.
Recently, hackers have taken advantage of security fatigue by launching MFA fatigue attacks. [6] Hackers will try to access someone’s account, which generates MFA requests to the person’s smartphone. When the user approves, the hackers gain access to the user’s account. Recent security breaches at Uber and Cisco began with an MFA fatigue attack. [7]
Clearly, the victims knew they hadn’t logged into an account. So why did they approve the MFA request? Security fatigue desensitizes people to constant security prompts. People accept yet another MFA request to make it go away. More sophisticated hackers will time their attacks during the workday when users expect authentication requests.
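The pattern described above leaves a recognizable trace in authentication logs: a run of denied or ignored MFA prompts for one user, sometimes ending in an approval. The following is an added example, not code from the original article or from LabLynx, that flags this pattern; the log format, result names, time window, and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push log: "timestamp user result" (not from a real system).
SAMPLE_LOG = """\
2022-09-20T10:01:05 asmith approved
2022-09-20T14:02:10 jdoe denied
2022-09-20T14:02:55 jdoe timeout
2022-09-20T14:03:30 jdoe denied
2022-09-20T14:04:12 jdoe timeout
2022-09-20T14:05:01 jdoe approved
2022-09-20T15:30:00 asmith denied
2022-09-20T16:45:00 asmith approved
"""

def parse(log):
    """Yield (datetime, user, result) tuples from the log text, skipping bad lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]

def find_push_fatigue(log, window=timedelta(minutes=10), threshold=3):
    """Flag users who get `threshold`+ rejected/ignored prompts inside `window`.

    Severity is "burst" for the prompts alone and "approved_after_burst" when an
    approval lands while the burst is still inside the window.
    """
    recent = defaultdict(deque)   # user -> timestamps of recent failed prompts
    findings = {}                 # user -> worst severity seen
    for ts, user, result in sorted(parse(log)):
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()      # drop prompts that fell out of the window
        if result in ("denied", "timeout"):
            failed.append(ts)
            if len(failed) >= threshold:
                findings.setdefault(user, "burst")
        elif result == "approved":
            if len(failed) >= threshold:
                findings[user] = "approved_after_burst"
            failed.clear()        # a normal approval resets the count
    return findings

if __name__ == "__main__":
    for user, severity in find_push_fatigue(SAMPLE_LOG).items():
        print(user, severity)
```

An "approved_after_burst" finding is the case worth acting on first, since it means a prompt was accepted right after a string of rejected or ignored ones.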
Security fatigue in the lab
A diary study of workers, most of them scientists, at a government organization concluded that “authentication takes time, is a burden, disrupts primary tasks, and reduces productivity.” [8] Participants reported that they had to enter an average of 23 passwords during the typical workday. These authentication burdens caused workers to batch their work to minimize password entry rather than maximize efficiency, limit work outside the office when authentication is more difficult, and limit their use of laptops and other devices having stricter authentication requirements.
The laboratory environment can exacerbate security fatigue. Standard operating procedures (SOPs) require laboratory staff to switch constantly between multiple applications for managing samples, analyzing results, office communications, and more.
Complicating matters, IT departments that do not manage laboratory systems leave security to lab personnel. As a result, many laboratory systems may require unique logins that staff must enter and re-enter as they move through each step of an SOP.
Analysis and report preparation suffer from similar interruptions. An analyst may access the document management system for one piece of information. By the time they complete that part of the analysis, their access to the document management system will have timed out.
These interruptions to staffers’ workflow become more frustrating should any of these systems require MFA. People leave access badges or key fobs at other workstations. Personal devices may be barred from parts of the laboratory, making cloud-based systems inaccessible.
Laboratories that make a concerted effort to secure their information systems may find their security measures misaligned with the most efficient testing workflows. As observed by Sasse et al. [8], workers will find ways to minimize authentication disruption by creating their own workflows, even if it reduces their productivity.
Reducing security fatigue with a LabLynx LIMS
LabLynx ELab LIMS software solutions can reduce security fatigue while preserving your lab’s data security and testing productivity. Here are four ways to eliminate authentication interruptions with a LIMS.
Consolidating lab operations
Among the benefits of a LIMS is its ability to replace many of the separate software applications, documents, databases, and spreadsheets your lab uses every day. Consider these common laboratory processes:
- Order management;
- Contact management/customer relationship management;
- Employee training and certification management;
- Sample collection planning and scheduling;
- Sample receiving/accessioning;
- Sample tracking;
- Inventory management;
- Instrument maintenance and calibration management;
- Data collection, storage, and transfer;
- Data analysis;
- Report generation; and
- Report communication.
LabLynx LIMS software has internal functions for these processes and more. Naturally, your lab has email, video conferencing, accounting, and other business applications that require their own account credentials. For day-to-day lab work, however, your staff could sign into the LIMS in the morning and never have to sign into another system.
Instrument integrations with your LIMS
You can reduce authentication overhead further by integrating your LabLynx ELab LIMS with other laboratory systems.
Advanced instruments and laboratory automation systems usually have dedicated computers. Security best practices require a unique login ID and password for every person authorized to access these computers. At the very least, labs will have a restricted administrator account and a shared login for laboratory staff.
As part of a complete LIMS solution, LabLynx integrations let these instruments and your LIMS seamlessly exchange data. Security rules within the LIMS let you limit instrument access to the staff authorized for its use. They will no longer need separate logins since their LabLynx credentials have already met your lab’s security requirements.
System integrations with your LIMS
A LIMS is one of many information systems a laboratory relies upon. Quality control labs interact with their companies’ manufacturing systems, while clinical diagnostic labs interact with hospital-wide electronic health record (EHR) systems.
LabLynx can help integrate your LIMS with these business-wide applications. Integrations improve efficiency, reduce opportunities for error, and enhance security. Rather than transferring data by importing and exporting CSV files, your LabLynx LIMS will exchange data with enterprise systems on demand.
At the same time, system integrations reduce the number of authentication interruptions your laboratory’s staff experiences throughout the day.
Single sign-on systems
In its study of business password management use, LastPass found that the average number of passwords per employee at small organizations was 85, yet only 25 at large organizations. [3] Single sign-on (SSO) is one reason for this difference.
SSO is a technique that reduces password proliferation. When employees first log in, they do so through a centralized SSO solution such as Okta or OneLogin. This authorization approval follows employees as they access other business applications. Besides eliminating repeated logins and MFA requests, SSO makes the organization more secure by reducing hackers’ opportunities to break through network defenses.
LabLynx supports the open standards that SSO solutions use to unify multi-factor authentication across multiple business applications. By integrating your LabLynx ELab LIMS software with your enterprise SSO solution, laboratory staff can access the LIMS without needing to create or remember a unique password.
No-compromise reduction of security fatigue with LabLynx
Implementing a complete LabLynx LIMS solution will significantly reduce security fatigue within your lab. Your staff can switch between processes without constant interruptions for passwords and multi-factor authentication. Able to maintain a sense of flow, your team will work more efficiently, and your lab will become more productive.
Reducing security fatigue will not compromise your lab’s information security—quite the opposite. A LabLynx LIMS improves security by bringing all your data within an encrypted, accessible cloud database.
To learn more about the benefits of LIMS consolidation and integration, download our article Improve Laboratory Accuracy and Reporting Quality with a LIMS. To learn about the security benefits of a LabLynx LIMS, download our Guide to Lab Security with a LIMS.
References
[1] B. Stanton, M. F. Theofanos, S. S. Prettyman and S. Furman, “Security Fatigue,” in IT Professional, vol. 18, no. 5, pp. 26-32, Sept.-Oct. 2016. https://doi.org/10.1109/MITP.2016.84.
[2] Reeves, A., Delfabbro, P., & Calic, D. (2021). Encouraging Employee Engagement With Cybersecurity: How to Tackle Cyber Fatigue. SAGE Open, 11(1). https://doi.org/10.1177/21582440211000049.
[3] “New Research: Most People Have 70-80 Passwords,” Newswire, February 27, 2020, https://www.newswire.com/news/new-research-most-people-have-70-80-passwords-21103705.
[4] Rawlings, R. “Password Habits in the US and the UK: This Is What We Found,” NordPass, April 29, 2020, https://nordpass.com/blog/password-habits-statistics/.
[5] “Identity is the new battleground,” Microsoft Cyber Signals, Jan-Dec 2021, https://news.microsoft.com/wp-content/uploads/prod/sites/626/2022/02/Cyber-Signals-E-1-218.pdf.
[6] Kovacs, E. “High-Profile Hacks Show Effectiveness of MFA Fatigue Attacks,” Security Week, September 28, 2022, https://www.securityweek.com/high-profile-hacks-show-effectiveness-mfa-fatigue-attacks.
[7] Constantin, L. “Multi-factor authentication fatigue attacks are on the rise: How to defend against them,” CSO Online, September 22, 2022, https://www.csoonline.com/article/3674156/multi-factor-authentication-fatigue-attacks-are-on-the-rise-how-to-defend-against-them.html.
[8] Sasse, M.A., Steves, M., Krol, K., Chisnell, D. “The Great Authentication Fatigue – And How to Overcome It,” In: Rau, P.L.P. (eds) Cross-Cultural Design. CCD 2014. Lecture Notes in Computer Science, vol 8528. Springer, Cham. https://doi.org/10.1007/978-3-319-07308-8_23.