Why cyber burnout must be a priority for CFOs

Hackers going after hybrid workers

Yesterday (Tuesday 14 October), the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has released its sixth Annual Cyber Threat Report (ACTR), which showed that, in the last financial year, state-sponsored cyber actors were a “serious and growing threat” as they targeted networks operated by Australian governments, critical infrastructure and businesses for state goals.

These actors, the report noted, “have also compromised home devices connected to the internet, such as home routers, to create botnets that support further targeting around the globe”.

Among them is Advanced Persistent Threat (APT) 40, Chinese state-sponsored group, which ASD said “regularly conducts malicious activities against Australian and regional networks that possess information of value” to the People’s Republic of China.

Moreover, the report detailed, malicious cyber actors use vulnerabilities in “edge devices” (critical network components, positioned at the network’s periphery) which connect a private network, such one’s home or work, with a public, untrusted network like the internet.

“The most common edge devices used include home and enterprise routers, firewalls and virtual private network (VPN) products,” the report said.

The message for businesses from the ASD is clear: state-sponsored cybercrime actors are going after those who are working remotely and flexibly.

This said, to be best placed to address such concerns for the workforce, those in the C-suite must also be addressing the potential for burnout regarding all things cyber.

Addressing cyber burnout in such times

David Higgins, CTO at the leading payment fraud prevention platform, Eftsure, spoke with Accounting Times on the growing issue of cybersecurity burnout among Australian organisations, and the threat this poses to the country’s national security.

With widespread fatigue among cyber teams caused by relentless attacks, regulatory complexity, and the challenge of managing third-party risks, 78 per cent of Australian organisations have ongoing issues with cybersecurity burnout, according to new research.

“Cybersecurity burnout has been a pressing risk facing Australian organisations for a while now. However, new data shows that almost eight in ten businesses are grappling with ongoing burnout in their cyber teams.

“Several factors are at play, but third-party risk is a notable one – it compounds an organisation’s workloads and stress levels, which in turn increases third-party risks for their partners and suppliers.

“These risks often manifest as attacks like business email compromise (BEC) or payment redirection scams – and those attacks are usually aimed squarely at finance or accounts professionals. This makes cybersecurity burnout both a strategic vulnerability as well as a serious financial threat.”

Arjun Adhia, the CFO at Eftsure, added that as the role of such C-suite professionals continues to evolve, “those who succeed will address both the financial and human sides of their organisation”.

“They’ll implement systems that streamline repetitive tasks, provide clear guidance, and deliver targeted training on everyday risks. Some may run resilience check-ins to monitor stress and workload, ensuring teams feel supported and capable,” he said.

“Without proper guidance, staff can become overwhelmed, which increases the likelihood of mistakes and creates bigger vulnerabilities to scammers and fraudsters.”

CFOs, Adhia continued, also play a strategic role in mitigating the risks of burnout in other teams, not just their own.

“When IT or security teams experience overload or burnout, including those within other companies, entire supply chains are more vulnerable to malicious actors. CFOs and their teams need to lead anti-cybercrime measures and minimise the risks borne elsewhere in the business ecosystem,” he said.

“They’ll also need to cultivate a broader culture in which employees are never afraid to ask questions, flag anomalies, and even push back against senior leaders if necessary – for instance, when receiving requests to expedite payment processes.”

Ultimately, Adhia concluded, modern CFOs will need to combine financial acumen with operational oversight and people leadership.

“They enable the business to thrive, even under sustained pressure, and are the organisation’s final guardians against financial cybercrime.”