Cybersecurity burnout is real. And it will be a problem for all of us

Burnout has become endemic in the tech industry.

With the number of data breaches in 2021 exceeding 2020, there is even more pressure on security teams to keep organizations safe in 2022. But at a time when strength and resilience have never been more important, burnout, low morale and high employee turnover could leave companies behind as they try to manage the escalating cybersecurity threat.

Employers already face a dilemma when it comes to cybersecurity in 2022. Not only is the number of attempted cyberattacks rising around the world, but employers are also facing added pressure from a tightening hiring market and a record number of layoffs, which are also impacting the tech industry.

This war for talent could hit cybersecurity particularly hard. According to a survey of more than 500 IT decision makers by threat intelligence company ThreatConnect, 50% of private sector organizations already have gaps in basic, technical IT security skills within their organization. Additionally, 32% of IT managers and 25% of IT directors are considering quitting their jobs in the next six months – leaving employers vulnerable to a cacophony of hiring, management and IT security issues.

The prospect of better pay and more flexible working arrangements attracts many employees, but overwork and pressure to perform also take their toll. ThreatConnect research found that high levels of stress are among the top three factors contributing to employees leaving their jobs, cited by 27% of respondents.

Burnout threatens cybersecurity in many ways. First, on the employee side. “Human error is one of the leading causes of data breaches in organizations, and the risk of causing a data breach or falling for a phishing scam only increases when employees are stressed and burned out,” said Josh Yavor, chief information security officer (CISO) at enterprise security solutions provider Tessian.

A 2020 study conducted by Tessian and Stanford University found that 88% of data breach incidents were caused by human error. Almost half (47%) cited distraction as the top reason for falling for a phishing scam, while 44% blamed fatigue or stress.

“Why? Because when people are stressed or burned out, their cognitive load is overwhelmed and that makes it so much harder to spot the signs of a phishing attack,” Yavor told ZDNet.

Threat actors are also aware of this fact: “Not only do they make spear phishing campaigns more sophisticated, but they also target recipients during the afternoon lull when people are most likely to be tired or distracted. Our data showed that the most common phishing attacks are sent between 2pm and 6pm.”

Carlos Rivera, principal research advisor at Info-Tech Research Group, says the role exhaustion plays in leaving a company vulnerable to phishing attacks shouldn’t be shrugged off or underestimated. It’s therefore a good idea to create a mock phishing initiative as part of an organization’s security awareness program, he tells ZDNet.

“This program can be optimized by enforcing one hour of training per year, which can be broken down into five-minute workouts per month, 15 minutes per quarter,” says Rivera.

“To have the greatest impact on the effectiveness of your training, base it on topics that are drawn from current events and typically manifest as tactics, techniques, and procedures used by hackers.”

A recent report by analyst Gartner argued that the cybersecurity leader’s role needs to be “recast” from one primarily concerned with risk within the IT department to one accountable for making executive-level information risk decisions and ensuring business leaders have comprehensive risk knowledge of cybersecurity.

The analyst predicts that by 2026, 50% of C-level executives will have cybersecurity risk performance requirements built into their employment contracts. This would mean that cybersecurity executives would have less direct control over many of the IT decisions that would fall under their purview today.
