During Insider Threat Awareness Month, overcoming burnout is key
When picturing an attack on a specific network or application, many people imagine a hooded figure lurking in the shadows behind a large computer screen. However, recently there has been an increasing amount of people compromising businesses networks and software from inside the organization itself.
According to the Verizon 2019 Data Breach Investigations report, 34 percent of breaches in 2018 were caused by insiders, which is a 9 percent increase from 2017. A Ponemon Institute study from 2018 revealed that the average cost of these incidents is around $513,000 with the cost rising 15 percent from 2019.
Last month, the U.S. National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Forces (NITTF) declared September to be National Insider Threat Awareness Month. A variety of federal agencies, including the FBI, the Department of Homeland Security and the Department of Defense will be holding events to emphasize the importance of safeguarding our nation from insider threats and to share the best practices for mitigating those risks.
With the month of October being National Cybersecurity Awareness Month, it’s important to remember that not all inside compromises are malicious. The reality is that sometimes it is just individuals who are burnt out who miss something or execute a process the wrong way, causing a data leak to happen.
The Signs of Burnout
As businesses scramble to avoid data breaches, the uncertainty is having a measurable effect on the mental health of the cybersecurity professionals protecting the businesses. Cybersecurity burnout is very real, and it can have disastrous implications to businesses.
A survey published in 2019 by Osterman Research and Nominet revealed that 91 percent reported moderate or high stress, with a quarter saying the job has affected their mental or physical health. In addition, 32 percent of security professionals say they believe they would either lose their job or receive an official warning in the event of a data breach. Even more alarming, 17 percent say that they have turned to medication or alcohol to help deal with that stress.
With the constant onslaught of headlines alerting the world to cyberattacks, cybersecurity professionals feel a sense of responsibility for these attacks, and often feel like they are on the losing side of the battle. This state of defensiveness leads to more stress, which ultimately results in burnout.
Burnout is a phenomenon today’s professionals are becoming well-acquainted with, and even more so for those in the high-pressure industry of cybersecurity. Warning signs of burnout include a gradual or sudden decline in performance, increased intensity during disagreements, more sick days, general exhaustion and reduced concentration during work.
How Burnout Could Lead to a Compromise
With the problematic shortage of workers in security, organizations are consistently operating understaffed, and team members do not have time to train for advanced skills like security analytics. This forces team members to pick up the slack, adding to job fatigue and stress.
In the cybersecurity industry, hyper-awareness, vigilance and attention to detail are all top of mind every minute of the day. On the job, these characteristics aid in overcoming cyberattacks and protecting businesses. However, when professionals are feeling burnt out and overwhelmed, organizations are at risk of attack.
Many organizations plan for the worst-case scenario, and the threat of an attack weighs heavily on teams. Team members therefore need to be alert and prepared for the worst-case scenario and work every day to avoid it, which is why burnout can have disastrous implications.
How to Overcome Burnout
- Talk about stress and require time off
Stressed-out workers need to be validated and understood that their professions face extreme consequences and stress. Teams need to discuss how they’re feeling, develop strategies for worst-case scenarios and receive empathy from team members and organizational leaders.
In addition, professionals need time to unplug and their teams should require a certain amount of time off each year to allow individuals to disconnect and unplug from the stress. The feeling of responsibility can weigh heavily on practitioners, so a requirement of unplugging should be implemented for teams.
- Turning to AI, Machine Learning and DevSecOps
In regards to securing applications, using a DevSecOps approach can help. Bridging the gap between security and DevOps helps build communication, collaboration and integration among teams. By uncovering and remediating security vulnerabilities, professionals can solve problems before they arise, minimizing the extra burden on the security organization of having to bolt security on at the end.
Moreover, with technologies such as AI and machine learning, some of the burden is taken off of security team members, and professionals can solve problems before they arise, minimizing the extra burden of security.
- Education and Certifications
If the goal is to rid applications of potential vulnerabilities before they are released, then training has a major role to play. Many developers have not received education in spotting what secure code looks like, and many more aren’t fully aware of the more than 1,000 categories of security mistakes that developers can make.
Since many security teams operate understaffed, it is difficult to find the time for further education in order to empower teams to incorporate security within the DevOps approach. Fortunately, there are many resources available to gain certifications. There are many programs available on the market.
With burnout on the rise, cybersecurity professionals, teams and organizations must prioritize their mental health and take steps to ensure they are well-equipped to handle the daily risk of cyberattacks. Professionals must be alert and vigilant, so implementing helpful technologies, turning to education/certifications and self-care techniques can better enable the entire profession to be prepared for the worst-case scenario.