
Survey Says: Cybersecurity Fatigue?

Jun 15, 2026

Frustrated. Confused. Fatalistic. Tuned out. According to a survey by the National Cybersecurity Alliance, although our awareness of cybersecurity threats has increased over the last five years, our motivation to follow safety protocols and best practices has declined. Clearly this is not good for individuals and businesses, nor for retirement accounts and their plan sponsors. Why the fatigue, and what can we do about it? Read on for insights and practical advice to protect your business, your retirement plan and yourself.

Guessable Passwords Are Up, While Security Training Is Down…

Even as cyber criminals have more tools and tricks up their sleeves (AI, anyone?), our collective motivation to protect ourselves, our businesses and even our retirement assets in cyberspace seems to be declining. Why are we making crime easier when we have a plethora of best practices and tools, including multifactor authentication, at our fingertips? The Oh Behave Cybersecurity Attitudes and Behaviors Report, which summarizes findings from five years of annual surveys by the National Cybersecurity Alliance (NCA), indicates that we have developed a rather fatalistic collective attitude: “Cybersecurity awareness is generally up. But the use of online safety and the confidence that security basics are worth doing have fallen across multiple dimensions. There’s a looming and serious question: ‘Is cybersecurity worth my time?’”

Indeed, from relying on easy passwords to skipping training and forgoing data backups, online safety behaviors seem to be declining rather than improving. Specific worrisome findings from the NCA about our collective current approach to cybersecurity include:

  • Security information is so complex that it is leading to rampant confusion: those reporting confusion rose to 45% in 2025 from 39% in 2021; similarly, those feeling overwhelmed totaled 43% in 2025, up from 34% in 2022
  • Regular MFA use plummeted from 94% in 2022 to only 53% in 2025; a growing percentage of respondents believe their passwords are strong enough, so they choose not to use MFA
  • Use of passwords that include easily guessable personal information (e.g., pet names, birthdates) has risen consistently over the past four years; this inadvisable, high-risk behavior rose from 25% in 2022 to 37% in 2025
  • People who “always” check messages (such as emails, for phishing attempts) fell from 51% in 2021 to 36% in 2021. Why? Because a growing percentage don’t believe checking messages helps stop cybercriminals, a share that escalated from 44% (2022) to 68% (2025)

Next Wave Cybersecurity Practices: More Engagement

What’s a business owner to do in the face of cybersecurity fatigue? For one thing, Lisa Plaggemier, executive director of the National Cybersecurity Alliance, suggests that the next wave of cyber awareness effort needs to be less boring, predictable and repetitive: “We need to take a different approach in how we motivate and inspire people. Our training is neither fun nor relatable.” Among the new training ideas cybersecurity professionals are exploring are:

  1. Not just telling people about best practices, but involving them. Think of the progression like this: “Tell me, OK; show me, that’s good; involve me and you’ve won me over. I’m sold.”
  2. Gamify – for whatever reason, many people love to play games, so give them games; they also love awards and badges, so shower them with those too
  3. Give trainees immediate and more frequent feedback on their cybersecurity behaviors: in-the-moment, specific and direct – don’t wait until Cybersecurity Awareness Month to tell them
  4. Establish independent, customized learning paths for each individual; people don’t respond to generalized training that doesn’t relate directly to their work and daily lives, so treat them as unique people with their own needs

Cybersecurity and The 401k Plan: A Must Do

Business owners who sponsor a retirement plan, such as a 401k, are wise to lean further into cybersecurity. In fact, the Department of Labor (DOL) obligates retirement plan sponsors to mitigate cybersecurity threats to plan assets and data, and this includes conducting deep due diligence on vendor security protocols.

Specifically, it is essential for retirement plan sponsors to act on the cybersecurity guidance from the U.S. Department of Labor’s Employee Benefits Security Administration (EBSA), which has three parts: best practices for plan sponsors, strong security protocols for service providers, and online security tips for distribution to retirement plan participants.

Toward fulfilling fiduciary responsibilities to an ERISA retirement plan, attorneys at Morgan Lewis encourage sponsors to take cybersecurity oversight seriously, and advise these actions:

  • Vet and Monitor Vendors Rigorously: Do not rely on handshake agreements. Rigorously audit the security practices, certifications, and SOC reports of recordkeepers, TPAs, and payroll companies. Carefully document all related discussions and actions.
  • Enforce Legal Contracts: Ensure service contracts include clearly defined cybersecurity requirements, data privacy agreements, and mandatory notification procedures for security incidents.
  • Train Employees: Establish ongoing training to help staff recognize phishing attempts, practice strong password hygiene, and safely handle plan data. Monitor vendors for their related practices too.
  • Maintain a Thorough Response Plan: Document clear, actionable procedures to minimize damage if a breach occurs. This demonstrates a proactive commitment to regulatory standards during a DOL audit or investigation.

Complete ERISA Protection Bundles for Retirement Plan Sponsors

An ERISA fidelity bond protects the retirement plan, but it does not protect you. As a plan sponsor you can be held personally liable for errors or alleged breaches in how the plan is run, and that liability cannot be handed off to a third party, even when you use a pension professional or TPA. That is what fiduciary liability insurance (FLI) is for: it covers your legal defense costs and penalties.

There is a third risk. The Department of Labor treats maintaining a cybersecurity response plan for a retirement plan as a fiduciary duty, so a data breach can become a fiduciary breach. Colonial Surety Company addresses all three risks in one ERISA package: the required bond to protect the plan, fiduciary liability insurance to protect you, and complimentary $50k of cyber liability insurance to protect both the plan and your business.

Only Colonial Surety Company solves the complex puzzle of ERISA compliance and protection by putting all three essential coverages into one seamless, affordable bundle:

  1. ERISA Fidelity Bond: Fulfills your federal mandate to protect plan funds from dishonesty. (Colonial Surety is a direct, Treasury-Listed bond writer).
  2. Fiduciary Liability Insurance (FLI): Shields your personal assets, covering up to $1,000,000 in legal defense costs and penalties for administrative errors or oversight omissions.
  3. Complimentary Cyber Liability Insurance: Provides $50k of vital protection for the plan and company against regulatory actions following a data breach and directly addresses the DOL’s response plan recommendations.

Protect your retirement plan, your business, and your personal assets in one smart move: bundle your ERISA Bond with Fiduciary and Cyber Liability Insurance at Colonial Surety Company. 

👉 Get Your Instant Quote & Download Your Proof of Coverage in Minutes

Why Choose Colonial Surety Company?

  • Trusted & Reliable: U.S. Treasury Listed, Rated “A” (Excellent) by A.M. Best Company, and in business since 1930.
  • Direct & Digital: Skip the middleman. Quote, purchase, and download your full protection package entirely online in minutes.
  • The Carrier, Not a Broker: No agent markups, no waiting for a callback, and no unnecessary fees.
  • National Reach, Local Support: Licensed nationwide with a knowledgeable, US-based customer service team ready to assist you.

Frequently Asked Questions (FAQs)