UK organisations face a growing operational risk as cybersecurity teams struggle with burnout and alert fatigue, amid rising attack volumes and increasingly complex technology estates.
Industry survey figures cited in a new analysis put the scale of the pressure into context. It said 78% of organisations reported a steady or rising number of attacks, while 88% experienced at least one security incident in the past year. The same analysis linked the trend to talent shortages, reactive security operations and the day-to-day load created by large numbers of security alerts.
Burnout has moved beyond a staff retention issue and into the wider risk profile of companies, the analysis said. It described a cycle in which stretched teams work in crisis mode for long periods. It said that pattern increases the likelihood of human error and reduces organisational resilience.
The analysis pointed to recent high-profile incidents at JLR, Marks & Spencers and the Co-op as examples of the potential disruption that can follow when security signals go unaddressed. It argued that a single missed alert can trigger broader operational impact, particularly when teams have limited capacity and face competing priorities.
Tool overload
The analysis said many organisations treat the deployment of cybersecurity tools as proof of strong security controls. It cited the example of deploying a Security Information and Event Management system or switching on monitoring. It warned that some tools run with inadequate configuration or generate more data than internal teams can manage.
It said this combination creates a false sense of confidence, particularly when fatigue has already set in. It argued that exhausted teams can overlook issues and allow weaknesses to persist across the environment.
It also described the emotional strain created by continuous operational demand. It said security professionals often face expectations to remain proactive and vigilant while handling a constant flow of alerts. It said morale and capacity can decline well before a breach occurs. It added that teams dealing with burnout are less likely to challenge assumptions or investigate anomalies, which can leave indicators undetected for longer periods.
Alert fatigue
Alert fatigue featured as a central contributor in the analysis. It said modern enterprises commonly operate between 40 and 60 security tools. It said those products generate continuous notifications and events. It said analysts must decide which alerts need immediate attention and which can wait.
It noted that severity ratings do not always match business impact. It said high-severity alerts can relate to systems with limited operational relevance. It said lower-profile events can signal emerging threats. It argued that making these calls repeatedly drains cognitive capacity.
The analysis also linked burnout risk to changes in corporate IT footprints. It said users, devices and data now sit across locations and move frequently. It said many organisations lack full visibility into where data resides, who accesses it and which systems create new risks. It said this "borderless" environment leaves teams in reactive mode and pushes them into firefighting activity from multiple directions.
Attack evolution
The analysis said attackers now mix established methods such as malware, phishing and exploiting unpatched vulnerabilities with newer factors including automation, AI-assisted attacks, supply-chain exploitation and cloud and identity compromise. It said that convergence increases pressure on defenders because it expands the number of ways incidents can start and spread.
It also argued that AI now plays a role in automating parts of the attack chain. It said this allows adversaries to scale operations beyond the constraints faced by defenders. It said security teams can find themselves outpaced at the same time their own capacity reduces through fatigue.
Automation and consolidation
The analysis presented greater visibility across systems as one route to reducing noise. It also cited intelligent automation and threat validation as approaches that can reduce the workload associated with triage and repetitive tasks.
It said modern managed extended detection and response and AI-enabled extended detection and response platforms automate certain activities. It cited alert triage, correlation of threat signals and prioritisation of vulnerabilities. It also said natural language tools can simplify threat hunting and investigation. It said guided response workflows can reduce pressure during live incidents.
It also argued for consolidation of security tooling. It described "platformisation" as a way to simplify toolsets and centralise visibility. It said clearer insight can reduce noise that overwhelms teams, and it said a simplified environment can shift activity away from constant reaction.
Leadership focus
The analysis said technical changes alone will not address burnout. It said leadership engagement is necessary and it called for companies to understand their cyber maturity through recognised frameworks, including CAF, CIS and NIST.
It also said organisations need a cyber-aware culture led from the top. It said cybersecurity should have representation at the highest levels rather than sit only within IT. It said accountability at senior leadership level changes how the organisation prioritises resilience.
Tabletop exercises also featured as a practical step. The analysis said simulated breach scenarios strengthen executive understanding of operational and reputational impact. It said exercises also highlight the pressure on internal teams during high-intensity events.
It added that organisations should monitor wellbeing and morale through engagement surveys, workload visibility and regular dialogue with staff. It said those signals should feed into resourcing, training and technology decisions.
Companies will continue to review security tool footprints, board-level oversight, and the use of automation as attack volumes and incident frequency remain elevated, according to the analysis.