Reducing the Risks From Employee Burnout
- silsbeke
- Mar 12

For company HR departments, employee burnout is not a new thing. But burnout flies under the radar of most security departments. After all, burnout is mainly a management and HR problem, isn’t it?
Doing more with less, high workloads, limited resources, and chronic stress are often just part of the makeup of companies and their industries. But in recent years, the “daily grind” crossed a line from manageable to burnout. The Great Resignation, beginning in 2021, was a response to burnout after the COVID pandemic. Then came Quiet Quitting: doing the minimum to get by in a job. In 2021, approximately 75% of office workers felt they were burned out. Today, that number has increased to 80% (with security people citing 84%). At the least, employee burnout affects staffing churn, morale, and employee actions. Over time, burnout could lead to a security issue.

Security’s Old Nemesis – Insider Threat
So how is burnout Security’s problem, and not solely HR’s problem of keeping people happy and on staff?
With about 64% of people looking for their next job while working in their current one, and up to 80% of workers feeling overwhelmed, things like flawed decision-making, oversights, and human errors are on the rise. Up to 40% of employees who have left their company report that they still have some form of system access, often for several weeks after leaving. Minor errors here and oversights there lead to an increased risk of breaches (human error is estimated to be a factor in over 90% of breaches). The insider threat, whether through burned-out, possibly disgruntled employees leaving or through preventable mistakes, could be the weak link in the time, effort, and budget spent by Security to reduce risk.
To cope with high workloads or reduce chronic stress, employees often ration their efforts and energy, unknowingly increasing security risk and the potential for a breach:
- As many as 40% of employees use and/or install unauthorized software that helps them work faster, giving rise to shadow IT. Almost 49% of ready-to-quit workers use unauthorized apps.
- Burned-out employees often do not log out of online systems at the end of a workday, leaving an “open door” to hackers, and also skip system updates, program restarts, etc.
- To deal with stress, employees may surf the Internet more, increasing the chances of encountering malicious content (e.g., ransomware).
- On average, employees with burnout are 5% more likely to choose easy-to-hack passwords.
- To avoid conflict, employees may not disclose mistakes or incidents, or identify policy violations.
- Despite security training and awareness, exhausted employees may accidentally forward sensitive information, click on malware, open junk mail, or fall for phishing attempts amid the flood of emails received daily (57% of workers report recent phishing).
- Burned-out employees are over 40% more likely to circumvent security policies and rules that they see as a hassle or a roadblock to sharing data or software access. Project deadlines often lead to circumventing security policies and standards (in 2025, approximately 69% of employees ignored some type of security guidance).

While the Security department is working harder and harder with the increased challenges of new malware, AI-enabled attacks, and growing data protection regulations, employee burnout has the potential to eat away at a company’s gains, resulting in breaches and exposed systems and data.
What Can Security Do to Counter Employee Burnout?
While employee burnout is a corporate cultural issue that needs time to fix, the Security organization can do its part to help reduce the security risks from burnout.
- Make the security culture positive and user-oriented. Focus on only essential alerts so workers are less likely to ignore them. Look for tools and processes that make the secure way the easy way. Be sure to use Single Sign On (SSO) across applications; it makes user logon fast and easy and is more secure. Consider NIST’s recommendations for longer but easier-to-remember password phrases that allow fewer password changes over time.
- Acknowledge successful identification of phishing simulations.
- Use transparent and open communication to build trust with employees and management. Look to be a problem solver and not the “no department”. Be pragmatic and practical when addressing cyber threats and put yourself in the mindset of those affected by Security policies and direction. It will help foster good relations between experts and users.
- Champion a program of continuous improvement that involves departments in security goals.
- Simplify, simplify, simplify. Streamline your security policies and procedures to be concise, clear, and actionable. Employees often have to make numerous decisions about manual actions, so implement easy-to-follow workflows that automate actions as much as possible. Reducing the number of decisions or actions made encourages safety while reducing complexity.
- Streamline your file shares to make collaboration and finding information easier. Consolidate information according to sensitivity, putting in place stronger security only where warranted.
- Reduce data leakage with better Data Loss Prevention (DLP) tools, email security features, and attachment blocking. Make encryption, phishing reporting, and other tools easy to find and use.
- Document the procedures for onboarding and offboarding employees and contractors. Be sure that process checks ensure that HR and IT coordinate efforts. Use a central ticketing system (e.g., Zendesk) to capture actions and status, integrating with the procedures.
- Put in place access controls that reduce the chance of accidental data integrity loss or deliberate data confidentiality loss. Define job roles that map to specific access permissions.
- Provide regular and interesting security training to improve retention and reduce the potential for human error. Several providers gamify training sessions and use animation instead of “death by PowerPoint”.
- Adjust how risk assessments view risk to include aspects of human behavior that could introduce or impact risk. Involving HR and expertise from human factors engineering/interaction could lend insights into how people, processes, and software systems interact and introduce risk.
Is There More That Can be Done?
Many companies are realizing that several approaches are needed to relieve employees from feeling overwhelmed, and that’s certainly true for Security professionals. When 80% of employees identify as feeling overwhelmed and burned out, the number for Security professionals is higher.

Here are just a few tips to reduce burnout that work in Security and across the organization. A company’s HR or employee wellness programs have more ideas:
- A little recognition goes a long way. Identify when good work or progress is made, even if the gains are small. It’s about continuous improvement and not competition between people.
- Over 80% of employees check email after work hours. While employees might find it harder to unplug from work, encourage them to at least identify time periods where they strictly unplug from work. For the Security team, using a notification method like a smartphone pager app and rotating team members on-call can help with disconnecting from work and staff coverage.
- Work with HR to ensure that Security team members are aware of the company options and information available for financial, mental, and physical wellness and encourage them to use these benefits. The more an employee feels well in their personal life, the more they can focus at work.
- Encourage skills training, whether through an official employee program or unofficially through some of the free resources online. Gaining new skills or certificates is not only satisfying but may also give employees skills they can use to feel less overwhelmed in their role.
Reducing Burnout Risk is All About Adding Balance
While employee burnout in an organization will always be a risk, reducing the risk to acceptable levels can be done by adding balance through Information Security’s practices and approaches when engaging employees. The Security discipline has always had to find ways to gain the trust and acceptance of employees while enlisting their support and participation. When confronting burnout, Security can help by aiming to simplify, streamline, and improve its policies, tools, and asks of employees. The result will not only reduce insider risk but also strengthen goodwill and partnership between Security and the employees needed to practice it.