Burnout: the new security risk for companies
The widespread stress on the workforce, and on cybersecurity professionals in particular, is opening a new breach that leaves organizations even more vulnerable. In addition to the effects of the pandemic, the growing wave of cyberattacks is undermining the mental health of employees, who report symptoms of so-called burnout syndrome (extraordinarily high attrition). This scenario ultimately leads to apathy and, consequently, a lowered guard, producing new opportunities for malicious actors.
To understand the burnout phenomenon, the privacy and people-centric security firm 1Password has produced its first report, The Burnout Breach, which gathers information from 2,500 North Americans who work full-time, mainly in front of a computer. The aim was to explore how workforce burnout has opened up organizations to cybercriminals.
“The burnout resulting from the pandemic – and the resulting apathy and distraction in the workplace – is emerging as the important new security risk. It is particularly surprising to find that leaders charged with protecting companies are having difficulty following their own security guidelines and putting companies at risk,” says Jeff Shiner, CEO of 1Password.
The 1Password survey revealed that a staggering 84% of security professionals and 80% of employees in other areas are feeling burned out, leading to serious backlash over security protocols. Burned-out employees across various areas were three times more likely to say that security rules and policies “didn’t make up for the inconvenience”, a view expressed by 20% of those with signs of burnout versus 7% in the group of non-stressed professionals. Very burned-out security professionals, meanwhile, were twice as likely to say that security rules and policies were not worth the hassle, compared with those who were only slightly burned out (44% versus 19%).
Burnout syndrome is also fuelling a wave of resignations. Professionals are leaving their jobs in search of different careers, more flexibility, other life purposes, or higher salaries. Almost two-thirds (64%) of respondents said they were looking for a new job, on the verge of resigning, or at least open to the idea of changing jobs. Security professionals, in particular, were 50% more likely to say they are actively seeking a new job (13% versus 9%).
The 1Password survey highlights that these resignations also represent a significant security risk for companies.
More alarming was the finding that professionals who resigned also posed a security threat to their former employers. A quarter of them said they had tried to access their work accounts after leaving their jobs, and more than 80% of this group said they had succeeded. Three out of four who had access to their old accounts were able to do so for weeks or longer.
Burnout aside, the study indicates that user-friendly software that can meet or exceed employee expectations can have a big impact on security. Some 45% of remote and hybrid employees who don’t follow their companies’ security rules and policies to the letter said they probably would if they had automation technology tools.
The survey also assessed security professionals’ perceptions of the top threats at work, both in the past year and in 2022. Ransomware was the top threat cited (55%). However, only 20% of this group faced this type of problem in 2021.
Phishing is one of the top three concerns for one in four security professionals. According to the study, this technique is particularly dangerous because it manipulates human psychology by posing as friends or co-workers seeking or offering help. More than half (57%) of employees said they had recently received an email that appeared to be phishing.
Six in 10 security professionals said their companies had encountered a new threat in the past year – social media spoofing, sophisticated phishing, and DDoS attacks were the most common.