Let’s not sugarcoat it: the cyberthreat landscape is intensifying. In Singapore, ransomware and infrastructure breaches are climbing. In the Philippines, the final quarter of 2024 alone saw around 700,000 data breach cases. Yet while we invest in new tools and map out disaster recovery plans, we continue to overlook the human firewall: our cybersecurity teams.
And they’re running on empty.
Sophos’ Future of Cybersecurity in Asia Pacific and Japan report surveyed nearly 1,000 cybersecurity professionals across the region and found what many of us already knew: burnout is rampant. A staggering 86% of respondents said their teams are suffering from fatigue. Globally, the number of professionals who report “frequent” burnout jumped from 16% to 42% in just a year. We’re not talking about a wellness issue anymore. This is a business continuity crisis.
Burnout isn’t just bad for morale, it’s a security vulnerability
Tired teams make mistakes. Fatigued analysts miss indicators. Stressed responders take longer to act. That’s how ransomware gets through. That’s how data walks out the door.
The causes of burnout are no mystery: escalating threats, tighter regulations, and under-resourced teams. In Singapore, advanced attackers like UNC3886 have been targeting critical infrastructure, and in Malaysia, cybercrime losses reached nearly half a billion US dollars in 2024. If that isn’t a wake-up call, what is?
Shadow AI: The new headache
Just as teams are being pushed to their limits, along comes shadow AI (tools used by staff without oversight). Yes, AI has the potential to automate the boring stuff and boost detection, but unmanaged, it introduces more risk. Many businesses have no idea what AI platforms their employees are using or what data is being fed into them.
Add that to an already stretched team, and it’s a recipe for disaster.
Lost time, lost capability
Burnout is more than just a productivity drain; it’s a strategic risk. The report also found that APJ organisations are losing an average of 4.6 hours per week per person to burnout. That’s time not spent patching, monitoring, or responding. In a region where speed is everything and digital transformation is in full swing, this kind of downtime is a risk.
And while some companies are adopting AI-powered security tools or outsourcing detection and response, others are still dragging their feet. Meanwhile, the skills gap grows. APJ’s cybersecurity talent shortage widened by more than 26% in just one year. That’s more than half of the global shortfall. You can’t plug that with another dashboard.
Governance matters, especially for AI
AI is here to stay, and used well, it can absolutely help. But it needs clear rules of engagement: who’s allowed to use it, what they can do with it, and how it’s monitored. Treat AI tools like third-party vendors: scrutinise them, audit them, and don’t give them a free pass.
What needs to change
Business leaders need to stop viewing burnout as an HR issue and start treating it as a cyber risk. Here’s what that shift looks like in practice:
- Prioritise wellbeing: Build realistic shift rotations, enforce rest periods, and encourage a culture where it’s okay to say, “I need help.”
- Invest in people: Upskilling, career pathways, and certifications reduce attrition and boost engagement.
- Automate the grunt work: Use AI and automation to handle the repetitive stuff so your team can focus on threats that need a human brain.
- Govern AI properly: Know what’s in use, establish boundaries, and educate staff on the risks of unmanaged AI tools.
- Embed this thinking at the top: Boards need to factor human capacity into cyber risk discussions.
The organisations that get this right invest in their people as much as they do in their platforms. They’ll build teams that are alert, engaged, and ready to face whatever’s next.
At the end of the day, cyber resilience doesn’t come from technology alone. It comes from people who have the capacity and clarity to use it properly.
