Security teams are facing burnout: A look at the cyber risks

11 August 2023 · 6 min read

Cyber security professionals are no strangers to the rapidly evolving landscape of their industry. However, as cybercriminals become increasingly professional, innovating new and sophisticated schemes, the pressure on those protecting our digital spaces intensifies. The strain is beginning to show, with burnout and excessive workload pushing many valued security professionals to the point of resignation.

According to a study by the Information Systems Audit and Control Association (ISACA), 2022 was a challenging year for staff retention in the cyber security field. An alarming 60 percent of organizations reported difficulties in retaining skilled cyber security professionals, with work-related stress being a primary factor driving these resignations. 

The current scenario is further exacerbated by an unprecedented staffing crisis. According to the Chartered Institute of Information Security, the cyber security industry is grappling with a shortfall of 3.5 million workers, putting additional pressure on the already overstretched existing teams.

This shows how security teams are fighting an uphill battle: Not only are they outnumbered due to a massive talent shortage, but they are also up against an enemy that’s growing stronger every day. Next, we’ll explore the impact of this cyber security crisis and how the spiraling cost of cybercrime is overwhelming our under-resourced security teams.

The rising cost of cybercrime: A challenge for overstretched security teams

The escalating scale and complexity of cybercrime, which is expected to cost the global industry a staggering $10.5 trillion annually by 2025, up from $3 trillion in 2015, presents a formidable challenge for already overstretched security teams. The recent breaches suffered by organizations like the BBC, British Airways, Boots, and Aer Lingus are sobering examples of the new landscape of digital threats.

Graph from Security Magazine illustrating the sharp increase in cybercrime costs to the global industry.

Attacks are becoming more sophisticated, with hackers exploiting vulnerabilities in widely used software, as illustrated by the MOVEit Transfer software hack. These threats are not isolated to a single industry or geographical location, reinforcing the notion that no organization is immune. With attackers often linked to organized crime groups, such as the CLOP ransomware group suspected in the recent wave of attacks, there’s an increasing challenge for companies to stay ahead of the ever-evolving cyberthreat landscape.

The rising costs associated with cybercrime don’t just include potential ransom payments or immediate financial loss due to theft. Companies also have to contend with costs related to data recovery, system upgrades, legal fees, potential fines for regulatory non-compliance, and reputational damage. The latter can often result in lost business opportunities and a decline in consumer trust, which can have long-term financial implications. Yet despite the increasing risks and costs, security teams are often overstretched, lacking the resources or capacity to respond swiftly and adequately to such incidents. 

Hybrid work models are also straining cyber security efforts

Even as employees around the globe continue their transition back to office environments after years of remote work due to the global pandemic, hybrid work models have become a new standard for many organizations. This flexible approach offers multiple advantages, including improved work-life balance, reduced commuting times, and potential cost savings. However, this new norm inherently expands the attack surface for cybercriminals. In fact, 75% of the security experts surveyed in our Human Risk Review 2023 believed that hybrid work models increase the risk of cyberattacks.

Graph showing that 75% of security experts believe that hybrid work increases the risk of cyberattacks.

With employees working from various locations, often on personal devices and unsecured networks, vulnerabilities increase. Each device and network outside the controlled office environment represents a potential entry point for attackers. The line between personal and professional data blurs, making it more challenging for organizations to maintain control and visibility over their digital assets.

Moreover, the informal nature of home environments might lead to less stringent adherence to cyber security protocols. Employees may inadvertently engage in risky behaviors, such as clicking phishing links, using weak passwords, or sharing sensitive information over unsecured channels.

Quote by Dr. Stefan Lüders, Computer Security Officer at CERN.

To know more about the key factors contributing to this heightened cyber risk in hybrid work models, read our Human Risk Review 2023.

The consequence: Burnout emerges as a preferred attack vector

A potent mix of stress, understaffing, and the enlarged attack surface brought about by new work models creates fertile ground for cybercriminals. These malicious actors seize the opportunity to exploit the fatigue and stress of cyber security professionals who, under pressure, might be more prone to oversights and less efficient in resolving security issues. Additionally, beyond safeguarding other departments within the organization and responding swiftly to attacks, security teams themselves have been identified by our survey respondents as one of the departments most at risk of cyberattacks.

Graph showing the top 3 departments at the highest risk of being targeted in cyberattacks.

A separate study surveying 1,027 security team members across the US and Europe paints a concerning picture. It found that a substantial 66% of team members report significant stress at work, 51% have been prescribed mental health medication, and 19% consume more than three alcoholic drinks daily as a coping mechanism for stress.

Graph by Tines showing that 51% of security employees surveyed were prescribed mental health medication in 2022.

Aware of the vulnerabilities that emerge when security teams are under stress, cybercriminals are leveraging burnout as a novel attack vector. They meticulously analyze team compositions, targeting organizations whose teams appear externally to be more vulnerable and susceptible to breaches. These unsettling trends underscore the necessity for organizations to prioritize investments in employee well-being and retention. 

Urgent measures: Countering burnout and empowering cyber security’s future workforce

As the threat landscape continues to evolve, addressing employee burnout within security teams is an urgent priority for businesses. The consequences of leaving such issues unaddressed can be dire: Exhausted, overworked employees are less able to defend against attacks, potentially becoming unwitting allies for threat actors exploiting their vulnerabilities.

Quote by Stéphane Duguin, CEO at CyberPeace Institute.

It’s clear that these challenges cannot be tackled in isolation. Instead, they call for a comprehensive, multi-faceted approach that involves organizational commitment and tangible support. This includes increasing cyber security budgets to allow for essential tools and resources, implementing robust career development plans to encourage long-term retention, and maintaining well-staffed teams to prevent burnout from overwork.

Yet the issues extend beyond these practical measures. Security teams often face an additional burden: the misperception that they hinder workflow, particularly when they enforce necessary measures like software download restrictions on work devices to avoid shadow IT practices. This kind of misunderstanding underscores a lack of organizational awareness about the crucial role of cyber security.

And this is where top management must step in, steering the organization toward a culture that values and understands security. They have a responsibility to communicate the positive impact of security efforts, emphasizing the critical role these teams play in organizational health and resilience. Furthermore, management needs to prioritize and invest in ongoing employee security training, equipping all staff with the knowledge and tools to recognize potential threats and contribute to the overall cyber security of the company. This way, all employees will be empowered to protect their company, helping security teams focus more on strategic initiatives and complex challenges while mitigating the risk of burnout.

Platforms like SoSafe make cyber security awareness a shared responsibility. SoSafe gamifies the learning process, using real-life phishing simulations to engrain secure habits, and equips decision-makers with actionable insights via an interactive dashboard. Additionally, our new Rapid Awareness feature transforms security communication whenever prompt action is required. Investing in comprehensive tools like SoSafe can empower all employees, alleviate the strain on security teams, and build a resilient organization equipped to face the evolving threat landscape.
