Burned out workers are less likely to follow security guidelines

Workers in every industry are increasingly burned out, leading to apathy and a lower guard toward workplace security. To understand this burnout phenomenon, 1Password released a report based on a survey of 2,500 adults.

The report explores how workforce burnout has opened businesses to attacks, with trends such as remote and hybrid work, the “Great Resignation” and, most surprisingly, significantly worse behavior by cybersecurity professionals as the driving forces behind this new threat to business success and longevity.

“Pandemic-fueled burnout–and resultant workplace apathy and distraction–has emerged as the next significant security risk,” said Jeff Shiner, CEO at 1Password.

“It’s particularly surprising to find that burned-out security leaders, charged with protecting businesses, are doing a far worse job of following security guidelines – and putting companies at risk. It’s now a business imperative for companies to engage the humans at the heart of security operations with tools, training and ongoing support to create a culture of security and care that helps us all stay safe at work.”

Burnout bad behavior

The research found that a whopping 84% of security professionals and 80% of other workers are feeling burned out, which has led to serious backsliding around security protocols.

• Burned out workers ignore the rules: They’re a third less likely to follow their company’s security guidelines (59% for burned out vs. 80% for not burned out).
• Burnout is fueling a shadow IT renaissance: Sixty percent more burned-out employees than non-burned-out employees are creating, downloading or using software and apps at work without IT’s permission (48% vs. 30%).
• Security pros feel the heat: Security professionals are twice as likely as other workers to say that due to burnout, they are “completely checked out” and “doing the bare minimum at work” (10% vs. 5%). And significantly burned-out security professionals are more than twice as likely to say security rules and policies aren’t worth the hassle, compared to those who are only somewhat burned out (44% vs. 19%).

As good as gone

Burnout is also fueling the Great Resignation, in which employees leave their jobs in search of different careers, greater flexibility, deeper purpose or higher salaries. The research reveals that these “ready to resign” employees are a significant security risk for companies.

• One foot out the door: 64% of respondents said they were actively looking for a new job, on the verge of quitting or open to the idea of switching jobs. Meanwhile, security professionals are nearly 50% more likely than other workers to be actively looking for a new job (13% vs. 9%).
• Done with it: “Ready to resign” employees are 50% more likely to say convenience is more important than security at work (24% vs. 16% who remain loyal to their current job).
• What are you going to do, fire me: Nearly 50% more employees looking to switch jobs are creating, downloading or using software and apps at work without IT’s permission (49%), compared to those with no interest in a job change (34%).

Security pros: “Do as I say, not as I do”

While 89% of security professionals say they favor security over convenience, security pros are far more likely to ignore their own best practices and engage in risky digital activities at work compared to other workers at an organization – burned out or not.

• Above the law: Security professionals are more likely than other types of workers to say they work around their company’s policies because they are trying to solve their own IT problems themselves (37% vs. 25%) or because they hate the software their company provides (15% vs. 5%).
• All in the family: Nearly four times more security professionals than other workers say they let family members, roommates or friends use their work computers (22% vs. 6%).
• The great installation: Four times more security professionals than other workers say they install apps or browser extensions the company hasn’t recommended or approved (29% vs. 7%).

Emerging threats: Ransomware hype, phishing bite

Looking beyond the new security threat of burnout, the report also explored security professionals’ perceptions of top threats at work, both for the previous year and in the year ahead. Security professionals cited ransomware as the top threat they’ve heard about (55%) and worry about (42% put it in their top three worries), though it falls far lower on the list of actual threats encountered last year as just 20% of security pros actually faced ransomware at work.

• Everyday attacks: Sixty percent of security professionals say their company encountered an emerging security threat last year, ranking the top threats as social media spoofing (32%), sophisticated phishing (32%) and a DDoS attack (32%).
• Go phish: Phishing is a top 3 concern for 1 in 4 security professionals. Phishing is especially dangerous because it manipulates human psychology by mimicking friends or coworkers in need of help–or companies or colleagues seeking to offer protection and assistance.
• Too good to be true: 57% of employees say they’ve recently encountered an email which they weren’t sure was phishing or not.

“Digital communication should help, not hinder, remote workforces from communicating with clients located all around the globe. As email-based attacks continue their mercurial rise, so too must rise the priority given to the tools, knowledge and expertise employees need to effectively avoid falling for these types of traps,” Mike Ginsberg, CEO at Echoworx, told Help Net Security.