With the number of data breaches in 2021 soaring past that of 2020, there is even more pressure on security teams to keep businesses secure in 2022.
But at a time when strength and resilience have never been more important, burnout, low staff morale and high employee turnover could put businesses on the back foot when attempting to manage the mounting cybersecurity threat.
Employers already face something of a dilemma when it comes to cybersecurity in 2022. Not only is the number of attempted cyberattacks escalating worldwide, but employers face the added pressure of a tightening hiring market and record levels of resignations that are also affecting the tech industry.
This battle for talent could hit cybersecurity particularly hard. According to a survey of more than 500 IT decision makers by threat intelligence company ThreatConnect, 50% of private sector businesses already have gaps in basic, technical IT security skills within their company. What's more, 32% of IT managers and 25% of IT directors are considering quitting their jobs in the next six months - leaving employers open to a cacophony of issues across hiring, management, and IT security.
Many employees are being lured away by the prospect of better pay and more flexible working arrangements, but excessive workloads and performance pressures are also taking their toll. ThreatConnect's research found that high levels of stress were among the top three contributors to employees leaving their jobs, cited by 27% of survey respondents.
Burnout threatens cybersecurity in multiple ways. First, on the employee side. Human error is one of the biggest causes of data breaches in organizations, and the risk of causing a data breach or falling for a phishing attack is only heightened when employees are stressed and burned out.
A study conducted by Tessian and Stanford University in 2020 found that 88% of data breach incidents were caused by human error. Nearly half (47%) cited distraction as the top reason for falling for a phishing scam, while 44% blamed tiredness or stress.
Threat actors are wise to this fact, too: "Not only are they making spear-phishing campaigns more sophisticated, but they are targeting recipients during the afternoon slump, when people are most likely to be tired or distracted. Our data showed that most phishing attacks are sent between 2pm and 6pm."
Carlos Rivera, principal research advisor at Info-Tech Research Group, says the role exhaustion plays in making a company susceptible to phishing attacks should not be shrugged off or underestimated. It is, therefore, good practice to create a simulated phishing initiative as part of an organization's security awareness program.
This program can be optimized by enforcing an hour's worth of training per year, which can be split into five-minute training sessions per month, or 15 minutes a quarter.
To have the most impact on training effectiveness, base it on topics stemming from current events, which typically manifest as the tactics, techniques and procedures used by hackers.