Endless cyber-threat pressure could leave security staff burnt out. Here's what you need to change

Businesses need to act to boost their cybersecurity but they also need to help staff who are working with increased stress, says NCSC.
Written by Danny Palmer, Senior Writer

Businesses should be prepared for an extended period of heightened cyber threats and they need to take action to prevent their cybersecurity staff from being overworked, the National Cyber Security Centre (NCSC) has warned. 

While the UK's cybersecurity body says the UK hasn't experienced severe cyberattacks in relation to Russia's invasion of Ukraine, it also warns "now is not the time for complacency".   

The NCSC has previously issued cybersecurity advice around dealing with the risk of cyberattacks related to the war, but now it's warning that the conflict is set to go on for some time. This reality needs to be considered both when it comes to protecting against cyber threats and protecting against staff burnout because of the ongoing pressure.

"From the start of the conflict in Ukraine, we have been asking organisations to strengthen their cyber defences to help keep the UK secure, and many have done so," said Paul Maddinson, NCSC director for national resilience and strategy.  

"But it's now clear that we're in this for the long haul and it's vital that organisations support their staff through this demanding period of heightened cyber threat."

The NCSC warns that organisations might find it difficult to maintain a strengthened cybersecurity posture for a long period of time, particularly because increased workloads for cybersecurity staff "can harm their wellbeing and lead to lower productivity", which could result in a rise in "unsafe behaviours or errors".

It's why the NCSC has issued advice on several steps that organisations can take to avoid cybersecurity staff burnout, which leads to an increased risk of cyber threats.  

This includes what the NCSC describes as 'getting the basics right' by ensuring that security patches are applied, access to accounts is secured with complex passwords and multi-factor authentication, and that backups are regularly updated and tested. 

It's also important for organisations to regularly revisit risk-based decisions: if temporary measures were applied to deal with a situation, decision makers might need to consider whether those measures should be made permanent if the threat continues.

Organisations should also look to improve their long-term cyber resilience, because accelerating plans for hardening networks will relieve pressure on the workforce in the long term – it's better to be prepared to defend against an attack before it happens, rather than when hackers are in your network. 

But it isn't just about the technology – businesses and decision makers need to make the right decisions for staff too, ensuring that they're able to do their jobs as efficiently as possible.  

According to the NCSC, one of the ways to achieve this standard is by delegating day-to-day decision-making processes to appropriate levels. This strategy will allow decision makers to focus on medium-term priorities, while also enabling frontline staff on the ground to be more agile with their own decision-making processes because they don't have to present them to management first. 

It's also vital to spread workloads evenly because relying on the same members of staff for everything will result in them quickly becoming overwhelmed, which could lead to errors.

The NCSC suggests that organisations can be more resilient if they spread cybersecurity workloads across a wider pool of staff, allowing personnel to take breaks and time off, enabling employees to relax and decreasing the risk of burnout. The NCSC also suggests that this approach can provide development opportunities for less experienced staff to build up their skills on the job.

But even ensuring that cybersecurity staff can take breaks and relax might not be enough because the nature of the job means responding to incidents can expose them to harmful or distressing content, difficult decisions, or high-pressure situations that affect their wellbeing.  

The NCSC suggests that managers and colleagues should look out for signs that they or their colleagues are struggling, and ensure that they are equipped with the resources to respond.

"We have produced guidance to help organisations do this, and I would encourage them to follow our advice to help sustain their strengthened cyber posture," said Maddinson.  

