Cybersecurity teams are reaching their breaking point. We should all be worried

Stress and burnout are having a massive impact on cybersecurity teams, leaving people and businesses more vulnerable than ever.
Written by Owen Hughes, Senior Editor
Man with glasses focusing on computer screen with intense expression
Image: Getty Images

Cybersecurity professionals are "reaching their breaking point" as ransomware attacks increase and create new risks for people and businesses.

A global study of 1,100 cybersecurity professionals by Mimecast found that one-third are considering leaving their role in the next two years due to stress and burnout.

The report found that rising rates of cybercrime and mounting media attention around cyberattacks are placing intense pressure on cybersecurity teams, with many fearing their will lose their jobs as a result of a cyberattack and others struggling to cope with the growing strain.

Mimecast said cybersecurity teams face "a pressure cooker of ongoing attacks, disruption, and burnout" that is making it even more difficult to attract and retain much-needed cybersecurity professionals to keep businesses secure.

Speaking to ZDNET, Johan Dreyer, EMEA CTO at Mimecast, said the impact of under-staffed IT security teams would have a "domino effect" on IT teams "across the whole sector" unless action is taken to address the issues faced by the industry.

Also: Cybersecurity burnout is real. And it's going to be a problem for all of us

Dreyer added that ransomware, payment fraud, corporate espionage, intellectual property theft, and disinformation campaigns had all increased "at an alarming rate" in the past few months alone, leaving businesses and consumers even more vulnerable to cyber criminals.

"The demand for cyber skills is more significant than ever, and a shortage of workers with the required expertise has created a constantly increasing skills deficit within the workplace," Dreyer told ZDNET.

"This comes at a time when the demand for IT roles is soaring. This skills gap has a negative domino effect on IT teams across the whole sector [and] many professionals are reaching their breaking point."

Nearly two-thirds (64%) of cybersecurity leaders surveyed by Mimecast said they had experienced at least one ransomware attack in the past year, while 77% said the number of cyberattacks against their company had either increased or stayed the same since 2021.

These attacks have "personal consequences" for the wellbeing of cybersecurity professionals, Mimecast found: more than half (54%) of respondents agreed that ransomware attacks had a negative impact on their mental health, while 56% reported that their role gets more stressful each year.

Also: The scary future of the internet: How the tech of tomorrow will pose even bigger cybersecurity threats

One-third of teams reported an increased number of burnout-related absences following an attack. In addition, 34% of cybersecurity leaders reported difficulties in recruiting IT staff once an attack has taken place, making it even more difficult for organizations to prevent incidents in the future.

The growth of cybercrime is also driving media interest in the subject, upping the ante for organizations who find themselves in the spotlight. More than half of leaders (53%) surveyed by Mimecast agreed that growing press coverage of ransomware attacks is causing increased pressure to prepare.

Despite this, Mimecast said there are signs that cybersecurity teams often "lack the basics when it comes to attack prevention". When asked what additional resources they need to prevent and prepare for cyberattacks, almost half of cybersecurity leaders said they need up-to-date security systems (46%), while another 46% cited better IT security awareness training for end-users and employees.

Some companies are beginning to increase their budgets in cybersecurity skills training, which Dreyer said is "a step in the right direction" that other businesses must follow if they hope to fill the deficit in IT security training.

Also: Raising cybersecurity awareness is good for everyone - but it needs to be done better

However, he said that more targeted training will be required as hackers begin to add more sophisticated tools to their arsenals. "One of the new cyber threats businesses are contending with is cybercriminals' use of AI; this enables criminals to make their attacks more sophisticated and higher in volume, making it extremely difficult for organisations to stop," said Dreyer.

"To overcome this, companies need to train and upskill their workforce by offering bespoke training. In parallel to training their staff, AI can help optimise systems to alleviate some of the strain on tech teams. As new cyber threats are constantly emerging, training such as this needs to be a continual process and should be more commonplace for all employees, students and trainees."

According to Mimecast, 56% of attacks cost businesses more than $100,000 in total. Given that half of decision makers allocate less than $550k to their cybersecurity budget annually, a single attack could cost 20% of the total budget.

Accountability might be another barrier to greater cybersecurity awareness. Mimecast found that IT security leaders feel less personal accountability when an attack succeeds, with 57% reporting they would feel very responsible in the event of a ransomware attack, compared to 71% last year.

Editorial standards