The hidden threat to CNI security – staff burnout
Raise the topic of burnout in relation to power and energy grids, hospital wards or transport infrastructure and most people think of failing hardware or scorched transformers. There is, however, another kind of burnout that afflicts Critical National Infrastructure, and it is among the professionals who maintain it. New research from Bridewell has found that right across the CNI sector, which includes health and utilities, burnout among cyber security professionals is endemic.
Nearly half of IT professionals in the sector are suffering from unsustainable stress, pushing them to the point of burnout. The research also found that more than four-in-ten (41%) have been absent because of burnout, while almost a third (32%) are looking for another job and more than a quarter (28%) have resigned.
A number of factors contribute to the pressure that causes these problems among IT staff. These include a growing number of cyber-attacks, the increased complexity of cyber security compliance, greater interconnectivity of systems, the need to understand new technologies, and the expansion of cyber assurance activities. All this points to the need for CNI organisations to increase their resources or have a trusted partner that has the right expertise for the right project or operational activity to provide the right level of protection and resilience against cyber threats.
The expansion of cyber threats
CNI organisations say the top three threats they face are cyber-attacks, malware, and physical security risks. In the UK’s CNI sector alone, 86% of organisations have detected cyber-attacks in the last 12 months and 93% have experienced at least one successful attack.
Notable events in recent months include the Verkada breach, which exposed the feeds of 150,000 security cameras across hospitals, schools, police stations and prisons. British energy provider Npower was also the victim of an attack that breached customer accounts through compromised credentials.
CNI attacks can be orchestrated by a range of different perpetrators, from lone hackers simply doing it for fun to political hacktivists and nation states waging cyber warfare. The consequences of such attacks can put public safety at real risk and lives in danger. The position is serious enough for global CNI organisations to consider how the internal threat of staff burnout might be impacting their security posture and what they can do to mitigate the risks.
Mitigating the burnout threat
With the research findings in mind, there are steps CNI organisations can take, but they need to move quickly. Reducing the burnout threat among IT and security employees is a time-sensitive issue. The majority (84%) of organisations agree the UK’s CNI industry will be impacted by a critical cyber security skills shortage in the next three to five years, so finding cover for staff who have resigned or are taking time out will present further headaches. The importance of having the first line of defence fully staffed and fighting fit cannot be overstated.
It’s clear that more needs to be done to alleviate the pressure on CISOs and their teams or security could suffer significantly. The CNI sector needs to attract skilled workers or partner with an expert provider.
One of the first steps is to spot the signs of burnout. Irritability and fatigue, a negative attitude, disengagement or absenteeism can all be signs. Managers should ensure that volunteer mental health officers are on hand to provide an outlet where under-stress staff can air their concerns.
Allowing as much flexibility as possible in the working day, encouraging regular breaks throughout the mornings and afternoons and varying working hours can also prevent burnout. In times of pressure, allowing staff to take a step back for even ten minutes can help them to gather their thoughts and reduce the feeling of being overwhelmed.
Outsourcing also enables CNI organisations to supplement the expertise of depleted teams. Bringing in external consultants who understand CNI security can plug the gaps quickly and effectively, mitigating the additional risk to security from distracted or below-par staff. By lightening the load on the rest of the team in this way, wellbeing improves.
When it comes to recruitment, organisations need to avoid the common mistake of searching for someone who ticks every box, neglecting the passionate and talented individuals in situ who could be upskilled. Training has an important role to play here, too. Of course, not every CNI organisation has the resources or expertise to perform this vital training in-house, making it another area where the external consultant can help, upskilling promising new starters as permanent team members.
Helping IT and security teams reset
As the research shows, burnout presents CNI organisations with an internal threat they can easily overlook and which they must tackle quickly. If they engage external expertise, these important organisations benefit from the extra experience and support of trusted advisors.
With their broad experience and sector-specific knowledge, consultants can both fill the resource gaps and provide crucial training to existing staff. Another critical benefit of this approach is that it persuades valued employees on the edge of burnout to reconsider leaving the organisation. They recognise that the company has invested to support and develop them, inspiring a real change of heart. Right across the CNI industry, investment in consultancy and training has a major role to play in boosting the resilience of skilled individuals and complex organisations.