
The Looming Threat of Fatigue, Stress and Burnout in Cybersecurity

The March 2022 attack on communications app maker 3CX was not the first attempt by threat actors to monetize their scams. Perpetrated by the Labyrinth Chollima group based in North Korea, the attack – nicknamed Smooth Operator – has however been acknowledged as the first recorded instance of a breach that linked two separate supply chain attacks.

Mandiant, the Google Cloud-owned incident response provider that was hired by 3CX to investigate the attack, found that infected code(1) was first surreptitiously introduced on a trading website unrelated to 3CX in November 2021, and then, in early 2022, was ported to the computer of a 3CX employee. The infected app thereafter spread through the 3CX network, corrupting a software development server and an installer application, before making its way to a broad segment of the 600,000-strong 3CX database. It is estimated that at least 240,000 of these customers could have had their personal data compromised as a result. Cybersecurity firm Kaspersky further found that this list was then screened carefully by the scammers to single out select customers for second-stage malware installation intended for cryptocurrency fraud.

Yet for all its ingenuity and the alarm bells that it set in motion, the 3CX data breach – the warning signs of which came early but were clearly missed at both primary and secondary threat levels – is being seen as a harbinger of a far greater peril for the cybersecurity world. Cybersecurity experts attribute the lapse to the growing and disconcerting trend of ‘alert fatigue’ resulting from ‘cybersecurity professionals becoming desensitized to the stream of alerts and frequent false positives coming from their threat detection tools’.

Too hot to handle

Once a purely technical area with roots in conventional IT, cybersecurity has now burgeoned into a vast domain encompassing a host of areas and spawning a variety of specializations. Added to this mix is something no one would have envisaged as the industry grew. With the passage of time, the demands of cybersecurity – in no small measure amplified by the ever-increasing threat landscape – began to tell on the mental health of professionals engaged in its setup and administration and manifest itself in many ways.

Alert fatigue is however just the tip of the iceberg. Stress arising from a variety of factors, burnout caused by exacting conditions ranging from humungous workloads to long hours, lowered levels of morale attributable to lack of appreciation, and job dissatisfaction are just some of the problems that the cybersecurity industry is experiencing.

This article looks at some of these problems in the making for the cybersecurity industry.

Alert fatigue

Cited as a classic case of alert fatigue, the 3CX case, in retrospect, could have been completely averted had warnings been heeded. In the first instance – when the first infected code was implanted – users had been well-advised to discontinue the use of the application. In the second attack, with the malware spreading, cybersecurity firm SentinelOne(2) had sounded an alert, which 3CX deemed a ‘false positive’ after running the report by an antivirus aggregation website and getting a green signal.

The 3CX response is typical of the reactions seen in cybersecurity executives who are being overwhelmed by a surge in cyber threats. Proofpoint(3) describes alert fatigue as ‘a phenomenon that occurs when cybersecurity professionals are inundated with such a high volume of security alerts that it leads to a diminished ability to react effectively to and investigate real threats.’

Cybersecurity systems today are known to generate considerable numbers of alerts and notifications based on unusual network activity, data breaches, suspicious user activity, malware and virus detection, ransomware, and malicious code. For overburdened cybersecurity teams, the sheer volume of these is proving to be daunting. Very often, too, these alerts and notifications prove to be false positives or lack the necessary serious content to merit attention.

The Ponemon Institute’s report titled “The Cost of Malware Containment” found that, on average, organizations receive roughly 17,000 malware alerts in a work week, but only 19% of those alerts proved to be reliable. It stands to reason that high alert volumes will ultimately result in some alerts being ignored and overlooked. IDC estimates(4) that cybersecurity teams at companies with 5,000+ employees wind up ignoring about 23 percent of their alerts. For companies with 1,500-4,999 employees, it is estimated that figure may be in the range of 30%.

The cause? Alert fatigue – a growing tendency on the part of cybersecurity teams to discount or ignore alerts.

Though the 3CX breach was not disastrous considering its scale, the implications of alert fatigue are serious: data, financial and reputational loss, legal and compliance issues, increased costs and workload, demoralized cybersecurity teams, delayed threat responses, and a false sense of security.

Workplace stress

The sheer burden of ensuring the safety of the organization in the face of overwhelming workloads, relentless threats and alerts, and a growing sense of under-appreciation for their contributions is apparently taking its toll on cybersecurity teams. A fair indicator of the crisis is evident from VMware’s 2022 Global Incident Response Threat Report(5), which showed almost 51% of cybersecurity professionals experienced symptoms of extreme stress or burnout in a 12-month period. Such was the impact, according to the survey, that 67% of these had to take time off work because of it, and 65% considered leaving their jobs altogether.

Problems of mental health – a phenomenon common to other industries as well – have also been observed. Many cybersecurity professionals have gone on record to speak on mental health issues they themselves experienced during their careers, with some taking the unprecedented step of leaving the industry for other professional pursuits.

Executives are not the only ones who are experiencing stress. CISOs too are feeling the heat. In a recent press release, Gartner(6) predicted that by 2025, nearly half of cybersecurity leaders will change jobs, with 25% opting for different roles due to multiple work-related stressors. The National Cybersecurity Center(7) said that 2023 will witness the ‘Great Resignation phenomenon’ with anywhere between 32% and 44% of CISOs considering leaving their jobs due to an absence of work-life balance.

Experts say the levels of stress have become alarming. Stressors such as lack of adequate appreciation, failure to be accepted, heavy workloads, shortage of specialists, inability to be understood, and constant pressure are making the stress unsustainable.

Burnout

The World Health Organization (WHO) defines “burnout” as “a syndrome conceptualized as resulting from chronic workplace stress that has not been successfully managed.” It identifies three typical symptoms:

  • Feelings of energy depletion or exhaustion
  • Increased mental distance from one’s job, or feelings of negativism or cynicism related to one’s job
  • Reduced professional efficiency

In the face of relentless pressures, cybersecurity professionals today are experiencing unprecedented burnout. A Mimecast study(8) revealed that 84% of cybersecurity professionals in North America were experiencing burnout. A survey by Promon (via VentureBeat)(9) revealed that 66% of cybersecurity professionals experienced burnout in 2022, with the increased workload being one of the main reasons.

The reasons for this are not hard to discern. They include:

  • Exceedingly long work hours and heavy workloads
  • Incessant work pressures
  • Inefficient work processes characterized by a surfeit of cyber tools and poor staff communications
  • Debatable HR policies to address talent attrition, staff shortages, and work-life balance of employees

Employee burnout is not to be taken lightly as it can have serious consequences like lack of motivation and disinterest, an error-prone workforce, job attrition, and ultimately, in a vicious circle, further or pernicious burnout.

Fighting the stress

Already tasked with overcoming unprecedented employee-related challenges like social engineering, generative and shadow AI(10), and insider threats, the cybersecurity industry will need to pull out all stops to overcome this hurdle. Organizations will need to take concerted measures to stave off this looming threat. Some of these measures could include:

  • A review of the organizational culture with a view to making it more people-centric
  • Adopting a holistic approach to cybersecurity by increasing its ownership and making it more strategic and business-focused
  • Improving processes especially those involved with alerts and threat notifications
  • Adequate staffing
  • Leadership programs for cybersecurity leaders with an emphasis on programs involving the management of stress
  • Adopting a transformational role for cyber teams in the organizational matrix
  • Addressing employee stress and burnout through work-life balance initiatives, job rotation, etc.

Conclusion 

It would be wishful thinking to believe that deep-rooted issues like stress and burnout can be eliminated overnight. Organizations are definitely in for the long haul and need to take concerted and focused steps to address these endemic issues. Perhaps a good starting point lies in acknowledging the importance of the role of cybersecurity in the organization. Human Resources will undoubtedly play a pivotal and transformational role in the process.

Going forward, there is no reason to believe that the disconcerting trend that is plaguing the cybersecurity industry will not be reversed, especially since everyone is painfully aware of it. Until such time as things improve, however, organizations will necessarily have to live with these game spoilers, the solutions to which lie in their own hands.


References

  1. https://www.wired.com/story/3cx-supply-chain-attack-times-two/
  2. https://www.crn.com/news/security/3cx-attack-shows-the-dangers-of-alert-fatigue-for-cybersecurity
  3. https://www.proofpoint.com/us/threat-reference/alert-fatigue
  4. https://cybersecurityventures.com/alert-fatigue-the-enemy-within-cybersecurity-professionals/
  5. https://www.msspalert.com/cybersecurity-talent/burnout-in-cybersecurity-is-a-huge-problem-here-are-some-ideas-on-how-to-fix-it/
  6. https://www.gartner.com/en/newsroom/press-releases/2023-02-22-gartner-predicts-nearly-half-of-cybersecurity-leaders-will-change-jobs-by-2025.
  7. https://www.forbes.com/sites/stuartrlevine/2023/03/20/cybersecurity-is-no-longer-an-issue-reserved-strictly-for-cios-and-cisos/?sh=5003b19c515b
  8. https://www.mimecast.com/blog/how-to-combat-cybersecurity-burnout–and-keep-your-company-secure/
  9. https://www.forbes.com/sites/forbestechcouncil/2023/05/18/burnout-the-unspoken-toll-of-rising-cybercrime/?sh=243256492aa5
  10. https://aurorait.com/2023/08/31/shadow-ai-the-new-insider-threat/

