The hidden threat to CNI security – staff burnout
Raise the topic of burnout in relation to power and energy grids, hospital wards or transport infrastructure and most people think of failing hardware or scorched transformers. There is, however, another kind of burnout that afflicts Critical National Infrastructure, and it is among the professionals who maintain it. New research from Bridewell has found that right across the CNI sector, which includes health and utilities, burnout among cyber security professionals is endemic.
Nearly half of IT professionals in the sector are suffering from unsustainable stress, pushing them to the point of burnout. The research also found that more than four-in-ten (41%) have been absent because of burnout, while almost a third (32%) are looking for another job and more than a quarter (28%) have resigned.
A number of factors contribute to the pressure that causes these problems among IT staff. These include a growing number of cyber-attacks, the increased complexity of cyber security compliance, greater interconnectivity of systems, the need to understand new technologies, and the expansion of cyber assurance activities. All this points to the need for CNI organisations to increase their resources or have a trusted partner that has the right expertise for the right project or operational activity to provide the right level of protection and resilience against cyber threats.
The expansion of cyber threats
CNI organisations say the top three threats they face are cyber-attacks, malware, and physical security risks. In the UK’s CNI sector alone, 86% of organisations have detected cyber-attacks in the last 12 months and 93% have experienced at least one successful attack.
Notable events in recent months include the Verkada breach, which exposed the feeds of 150,000 security cameras across hospitals, schools, police stations and prisons. British energy provider Npower was also the victim of an attack that breached customer accounts through compromised credentials.
CNI attacks can be orchestrated by a range of different perpetrators, from lone hackers simply doing it for fun to political hacktivists and nation states waging cyber warfare. The consequences of such attacks can put public safety at real risk and lives in danger. The position is serious enough for global CNI organisations to consider how the internal threat of staff burnout might be impacting their security posture and what they can do to mitigate the risks.
Mitigating the burnout threat
With the research findings in mind, there are steps CNI organisations can take, but they need to move quickly. Reducing the burnout threat among IT and security employees is a time-sensitive issue. The majority (84%) of organisations agree the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next three to five years, so finding cover for staff who have resigned or are taking time out will present further headaches. The importance of having the first line of defence fully staffed and fighting fit cannot be overstated.
It’s clear that more needs to be done to alleviate the pressure on CISOs and their teams or security could suffer significantly. The CNI sector needs to attract skilled workers or partner with an expert provider.
One of the first steps is to spot the signs of burnout. Irritability and fatigue, a negative attitude, disengagement or absenteeism can all be signs. Managers should ensure that volunteer mental health officers are on hand to provide an outlet where under-stress staff can air their concerns.
Allowing as much flexibility as possible in the working day, encouraging regular breaks throughout the mornings and afternoons and varying working hours can also prevent burnout. In times of pressure, allowing staff to take a step back for even ten minutes can help them to gather their thoughts and reduce the feeling of being overwhelmed.
Outsourcing also enables CNI organisations to supplement the expertise of depleted teams. Bringing in external consultants who understand CNI security can plug the gaps quickly and effectively, mitigating the additional risk to security from distracted or below-par staff. By lightening the load on the rest of the team in this way, wellbeing improves.
When it comes to recruitment, organisations need to avoid the common mistake of searching for someone who ticks every box, neglecting the passionate and talented individuals in situ who could be upskilled. Training has an important role to play here, too. Of course, not every CNI organisation has the resources or expertise to perform this vital training in-house, making it another area where the external consultant can help, upskilling promising new starters as permanent team members.
Helping IT and security teams reset
As the research shows, burnout presents CNI organisations with an internal threat they can easily overlook and which they must tackle quickly. If they engage external expertise, these important organisations benefit from the extra experience and support of trusted advisors.
With their broad experience and sector-specific knowledge, consultants can both fill the resource gaps and provide crucial training to existing staff. Another critical benefit of this approach is that it persuades valued employees on the edge of burnout to reconsider leaving the organisation. They recognise that the company has invested to support and develop them, inspiring a real change of heart. Right across the CNI industry, investment in consultancy and training has a major role to play in boosting the resilience of skilled individuals and complex organisations.
Legend: John McAfee
John McAfee is credited with starting the entire cybersecurity industry. In 1987, he set up McAfee Associates and released VirusScan. Previous antivirus programs had been released, but McAfee’s was the first with mass appeal and was soon a day zero (or at least day one) installation for Windows users as well as corporate clients.
But McAfee was also a hugely divisive character. He dismissed his own software, claimed he never used it, and rejoiced when Intel bought McAfee and took his name off “the worst software on the planet.” He was anti-tax, pro-drugs, anti-war and pro-free trade. He was also a tireless crusader for cyber awareness, and set up a political party called the Cyber Party in order to make a bid for the office of president of the US.
“I am now everlastingly grateful to Intel for freeing me from this terrible association with the worst software on the planet”
McAfee: born in the UK
McAfee was born in Gloucestershire, UK, but moved to Salem, Virginia, where his American father (his mother was English) shot himself when McAfee was 15. McAfee worked at NASA, Univac, Xerox, Computer Sciences Corporation, Booz Allen Hamilton and Lockheed. It was while working at the latter that he was given a copy of Brain, the first computer virus for PC, and began to engineer a defence.
Controversy dogged McAfee. He was implicated as a ‘person of interest’ in the search for a neighbour who had been shot. He married a prostitute. He claimed a cocaine baron was writing his biography. He was arrested for possession of an unlicensed weapon and for manufacturing drugs in Belize (later released without charge). There were various other arrests (mainly weapons related) but not much would stick until McAfee’s anti-tax stance caught up with him.
He fled the US as tax authorities turned up the heat on at least four years of non-payment of tax and was arrested (again) in Spain in October 2020 at the behest of the US Department of Justice. Charges for fraudulently promoting cryptocurrencies were soon added and he was formally indicted in March 2021. In June 2021, the Spanish National Court authorised McAfee’s extradition to the US, and McAfee was found dead in his cell just hours later in what is widely believed to be a suicide.
Even in death, McAfee courted controversy, having announced that if he was ever found to have committed suicide, it would mean he had been murdered. A slew of conspiracy theories mushroomed in the hours after his death was announced. It’s just what he would have wanted.