Cyberattacks are on the rise as adversaries find new ways of creating chaos and increasing profits. Attacks evolve constantly and often involve real-world consequences. The growing criminal Software-as-a-Service enterprise puts ready-made tools in the hands of threat actors who can use them against the software supply chain and other critical systems. And then there’s the threat of nation-state attacks, with major incidents reported every month and no sign of them slowing.

Amidst these growing concerns, cybersecurity professionals continue to report staffing shortages worldwide. These shortfalls can have a negative impact on incident prevention and response alike. Short-staffed security teams must respond to cyber incidents whenever they happen, no matter the size of the team. Working with such limited resources increases strain and stress with each new incident, creating a vicious cycle of attrition.

Threat Actors Ignore Business Hours

Cyber criminals tend to launch attacks during off-peak hours in the hopes of scoring big while the staff is absent. As a result, incident responders often must work outside of regular business hours, sometimes during or just before major holidays. The first 72 hours of an incident are usually the most critical. It’s during this time when incident responders must find the primary attack vector, contain the intrusion and begin remediation.

Incident response does not stop until the situation is contained, which is hard on incident responders. Security professionals work long hours during an incident, oftentimes longer than 12 hours per day according to a recent study. 48% of responders report an average of two to four weeks of engagement, while 30% say incident engagement lasts even longer. It’s also common for responders to work on more than one incident at a time, further compounding the time and attention required.

Responsibility After the Incident

After an incident, it’s not uncommon for security professionals to feel at fault. They may feel an intense duty to protect and prevent the inevitable. CISOs in particular may feel obligated to bear the burden of responsibility.

Privacy attorney Alexandra Vesalga highlights the additional strain CISOs must navigate after recent litigation in the aftermath of an unreported cyberattack.

“CISOs are under tremendous daily pressure,” Vesalga said. “The cyber threat landscape is changing constantly, and many organizations expect their security teams to be omniscient superheroes, anticipating and preventing any and all threats.”

Cyber incident response missteps may personally affect CISOs. Vesalga continues, “Within these high-pressure cultures, CISOs often feel personal responsibility for cyber incidents. Pouring gas on the fire, there is a new trend toward personal liability for cyber incidents —  just last month, Uber’s former CISO was found guilty on criminal charges for his actions in response to a 2016 breach. He awaits sentencing and could face jail time.”

Negative Effects of Prolonged High-Stress Situations

Incident responders feel a sense of duty to continue working well beyond their physical limits. In some cases that might include working through one (or several) nights without sleeping. That lack of sleep can negatively impact decision-making, problem-solving and impulse control, all of which are crucial during an incident response.

Total sleep deprivation — 24 or more hours without sleep — takes an even greater toll on mood, decision-making and attention. A recent study of elite martial arts athletes revealed an increase in depression, confusion, fatigue and anxiety after 24 hours of wakefulness. Study participants’ physical performance was significantly impaired in a sleep-deprived state compared with their normal sleep performance.

Unsurprisingly, many professionals feel intense negative effects after a cyber incident. The effects of high stress over a long period of time can lead to higher levels of anxiety in everyday life, a symptom more than two-thirds of responders reported in a recent study. Incident responders also report significant sleep disturbances and back pain as a result of an incident.

Remediating Employee Stress Following a Cyber Incident

A recent study found trauma symptoms last for months after a cyber incident. Burnout is common and often leads to high turnover. Human resource management offices typically don’t have a specific protocol for cyber incident responders in place. Responders also reported a desire to change jobs or leave the cybersecurity profession altogether. Even without dedicated programs, incident responders seek mental health resources and report adequate access to these services.

Prevention is the best solution. Cybersecurity incident response is a serious role that can be difficult to step back from. BlackBerry’s Keiron Holyome urges organizations to craft their response expectations with a focus on ensuring teams know what to expect.

“If the past two years have proven anything, it’s that no organization in any industry is immune to cyber crime,” Holyome said. “Cybersecurity teams are critical to sustaining business continuity, they cannot afford to switch off and leave organizations at risk — especially because that risk isn’t limited to working days or business hours.”

Holyome goes on to discuss how long hours and stressful working conditions affect security teams. “Alert fatigue and the push to make important decisions with limited experience, knowledge or context can weigh heavily. When a cyberattack strikes, having a process to follow that reduces pressurized decision-making, and knowing that support is at the end of a phone call, can be a big step towards creating a healthier environment for those working in IT and security roles.”

Avoiding Burnout with Planning and Practice

The threat landscape is constantly changing and will require new approaches. While teams stay vigilant for the next incident, they need the support of their companies throughout the entire process.

Companies can start by addressing incident responder burnout, and other symptoms of a high-stress work environment. Allowing incident responders time away to rest and heal from the heightened stress of cyber incidents will help keep teams healthy and prepared for the next attack.

In addition, a well-planned response is only effective when staff has the opportunity to run through exercises to understand who is responsible for what. Practicing tabletop exercises helps staff mentally prepare for incident response. Working from the familiar removes the stress of the unknown, so staff can focus on response and remediation. This time can be used to reiterate the importance of and process for taking breaks from the work.

Senior leaders can’t ignore the importance of taking care of incident responders. Better working conditions will lessen turnover rates and keep talented professionals in the chronically understaffed field.

More from CISO

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Reporting Healthcare Cyber Incidents Under New CIRCIA Rules

Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022.While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your processes,…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…

To Cybersecurity Incident Responders Holding the Digital Front Line, We Salute You

Over the course of two decades, I’ve seen Incident Response (IR) take on many forms. Cybercrime’s evolution has pulled the nature of IR along with it — shifts in cybercriminals’ tactics and motives have been constant. Even the cybercriminal psyche has completely rebirthed, with more collaboration amongst gangs and fully established ransomware enterprises running. When I was first starting off, I never would’ve guessed “ransomware as a service” would be a thing. I certainly wouldn’t have thought my job would…