Cyberattacks can cut to the core of any organisation and have the potential to severely impact its reputation, performance and finances. Cumulatively, the cost is truly enormous, with one recent estimate putting the global annual cost of cybercrime at US$10.5 trillion by 2025. However, there is also a worrying and often overlooked human element that can have serious personal consequences for those involved. Parisa Bazl, Head of User Experience at Commvault, talks about the importance of addressing the psychological impact of cyberattacks.
The financial, operational and reputational risk posed by cybersecurity threats and the importance of fortifying defences means that boosting cyber-resilience is now top of mind for today’s senior decision-makers.
In recent years the rising global cost of cybercrime, which is anticipated to hit US$10.5 trillion by 2025, has led to a tightening in regulatory cybersecurity demands. As a result, cybersecurity risk management has become a priority for board members who are duty-bound to oversee, assess and monitor the enterprise-wide cybersecurity strategy.
For most organisations, reducing the risk of exposure means designing cybersecurity programmes that protect systems, networks and data from digital attack. However, the emotional wellbeing of employees in the context of cyber-risk is, more often than not, underrated.
With Gartner predicting that nearly half of all cybersecurity leaders will change roles by 2025 because of work-related stress, organisations need to look beyond the financial, legal and compliance aspects of planning for cyber-risk. The negative emotional impact of security incidents also poses a significant risk to the collective wellbeing and performance of the workforce. By not addressing this human aspect of cyberdefence, organisations put both their people and their ability to maintain digital frontline defences at risk.
The psychological consequences of cyberthreats
Traditionally, the primary focus for cybersecurity has been centred on implementing specialist tools, technologies and organisation-wide incident response plans. However, by overlooking the human consequences of cyberattacks, organisations put one of their most valuable resources – their human capital – at risk.
For example, the social and psychological impact on employees who are targeted and manipulated by threat actors can be profound and long lasting. According to a study from the Royal United Services Institute (RUSI), employees who fall foul of clever social engineering tricks that lead them to click on malicious links or download attachments experience a whole range of negative emotions including fear, guilt, shame and humiliation. Over time, this distress can result in long-term psychological, physical, reputational and social problems, which in turn results in decreased productivity, increased workplace absences, and in some cases even job loss.
In terms of workforce wellbeing, the current ransomware crisis is exacting a heavy toll on the mental health of employees. With phishing attacks accounting for more than 80% of all cybersecurity incidents, front line staff are expected to be constantly vigilant yet are often not supported or equipped to handle cyberthreats effectively. For those that unintentionally instigate a security breach, the consequences can be devastating on both a professional and personal front.
Understanding the impact on cybersecurity teams
Similarly, the rising volume of cybersecurity incidents is also negatively impacting the wellbeing of security professionals. According to data published last year, nearly two-thirds of cybersecurity incident responders sought out mental health assistance due to the demanding nature of responding to cyberattacks. Meanwhile, a 2022 study revealed that one in seven security staff experiences trauma symptoms for months after an attack, with one in five considering a job change as a result. A further 81% went on to state that the ongoing ransomware crisis has only served to exacerbate the already-pressing psychological demands posed by cybersecurity incidents.
Given the current shortage of cybersecurity talent, organisations can ill afford the staff attrition that results from the elevated stress levels and burnout currently being experienced by this key cohort of personnel.
Rethinking resilience: taking a people-centric approach
With organisations facing hundreds of intrusion attempts every day, understanding the dangers and risks to the workforce itself should also be part and parcel of any cybersecurity and resilience strategy.
Organisations that take steps to positively support personnel and implement measures designed to prevent security breaches will not only boost employee engagement and retention; they will also elevate their ability to withstand and bounce back from cyberincidents.
For example, by putting processes in place that limit what a successful social engineering attempt can achieve, organisations can protect non-technical employees from being the single point of failure that exposes them, and the business, to external threats. This could include checks and limits on actions such as money transfers, so that one deceived employee cannot authorise a large or unusual payment on their own, which narrows the scope for phishing attacks to succeed.
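To make the idea of transfer checks concrete, the following is an added example of a small payment-control policy, not code from Commvault or from the author of this article. Every threshold, field name and sample request in it is an assumption chosen for illustration: a per-person daily cap, a four-eyes rule above a single-approver limit, a ban on approving your own transfer, and a hold on payees whose bank details were added or changed recently until someone confirms them by calling a number already on file rather than one supplied in the email.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass
class Beneficiary:
    name: str
    account: str
    details_changed_on: date            # when bank details were last added or edited
    verified_by_callback: bool = False  # confirmed via a phone number already on file


@dataclass
class TransferRequest:
    requester: str
    beneficiary: Beneficiary
    amount: float
    approvers: tuple[str, ...] = ()     # people who signed off, other than the requester
    requested_on: date = date(2024, 3, 1)  # constructed date for the example


@dataclass
class Policy:
    # All thresholds are assumptions for the example, not recommended values.
    single_approver_limit: float = 10_000.0    # above this a second person must approve
    daily_limit_per_requester: float = 50_000.0
    beneficiary_cooling_days: int = 7          # recently changed payees need a callback


def evaluate_transfer(req: TransferRequest, policy: Policy, sent_today: float) -> tuple[str, list[str]]:
    """Return ("approve" | "hold" | "reject", reasons).

    "hold" means the transfer waits for a human step (second approver or callback);
    "reject" means a hard rule is broken and the request must be raised afresh.
    """
    # Hard rule: nobody may approve their own transfer, whatever the amount.
    if req.requester in req.approvers:
        return "reject", ["requester cannot approve their own transfer"]
    # Hard rule: a cumulative daily cap bounds the damage one compromised account can do.
    if sent_today + req.amount > policy.daily_limit_per_requester:
        return "reject", [f"daily limit of {policy.daily_limit_per_requester:,.2f} would be exceeded"]

    reasons: list[str] = []
    # Payee details added or edited recently are the classic invoice-fraud pattern:
    # require verification by calling a number already on file, never one from the email.
    age_days = (req.requested_on - req.beneficiary.details_changed_on).days
    if age_days < policy.beneficiary_cooling_days and not req.beneficiary.verified_by_callback:
        reasons.append(f"beneficiary details changed {age_days} day(s) ago; verify by callback")
    # Four-eyes rule: above the single-approver limit a second, distinct person must sign off.
    if req.amount > policy.single_approver_limit and not req.approvers:
        reasons.append(f"amount exceeds {policy.single_approver_limit:,.2f}; second approver required")

    return ("hold", reasons) if reasons else ("approve", [])


def run_demo() -> dict[str, str]:
    """Run constructed scenarios (sample data, not real payments) and return the decisions."""
    policy = Policy()
    old_payee = Beneficiary("Acme Ltd", "ACC-0001", date(2023, 1, 10))
    new_payee = Beneficiary("Acme Ltd", "ACC-0002", date(2024, 2, 28))
    new_payee_ok = Beneficiary("Acme Ltd", "ACC-0002", date(2024, 2, 28), verified_by_callback=True)
    scenarios = {
        "routine": (TransferRequest("alice", old_payee, 2_500.0), 0.0),
        "large_unapproved": (TransferRequest("alice", old_payee, 25_000.0), 0.0),
        "large_approved": (TransferRequest("alice", old_payee, 25_000.0, ("finance.director",)), 0.0),
        "self_approved": (TransferRequest("alice", old_payee, 25_000.0, ("alice",)), 0.0),
        "changed_payee": (TransferRequest("alice", new_payee, 2_500.0), 0.0),
        "changed_payee_verified": (TransferRequest("alice", new_payee_ok, 2_500.0), 0.0),
        "daily_cap": (TransferRequest("alice", old_payee, 2_500.0), 49_000.0),
    }
    decisions = {}
    for name, (req, sent_today) in scenarios.items():
        decision, reasons = evaluate_transfer(req, policy, sent_today)
        decisions[name] = decision
        print(f"{name:24s} -> {decision:8s} {'; '.join(reasons)}")
    return decisions


if __name__ == "__main__":
    run_demo()
```

The point of the design is that no single click by a deceived employee completes a payment: the request is either held for a second person or for an out-of-band check, and the hard caps limit what even a fully compromised account can move in a day.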
Similarly, given that today's AI-powered phishing attacks are capable of generating highly sophisticated fake emails and deepfakes that can fool anyone, irrespective of their technical know-how, organisations need to think laterally about how they prepare non-technical employees for these types of attacks. That includes taking steps to reduce the stigma, fear and guilt that personnel often experience if they fall victim to such scams.
Failing to take steps to shield personnel or counter a fear-dominated workplace culture can have significant and unintended consequences. According to research, last year over 40% of cyberattacks went unreported to internal management because employees were fearful of the repercussions that would result. A further 75% of those who failed to report an incident admit that they subsequently felt guilty as a result.
Preparing for security incidents – fostering a supportive environment
Everyone working in today's digitally-centric organisations is potentially vulnerable to the impact of a security incident. With this in mind, education and training play a key role in preventing breaches and in minimising the psychological impact on those involved.
In addition to keeping personnel informed of the top cybersecurity threats they are likely to encounter, training programmes should feature real-world scenarios that detail the attack mode employed by cybercriminals and the psychological post-attack consequences for victims. This will help promote greater understanding and empathy among all employees while ensuring that everyone is aware of the potential pitfalls they need to stay alert for.
When it comes to supporting the security teams responsible for attack mitigation and recovery activities, organisations need to ensure these personnel get the help they need to bounce back and recover faster. That means encouraging open communication and dialogue about mental health issues and providing counselling resources that will enhance overall team resilience.
Adopting a 360-degree view
The battle against cyberthreats is not just a technical one. It is a human one too. To survive and thrive in today's digital battlefield, organisations need to provide comprehensive cybersecurity training for all staff, foster a security mindset and put appropriate support in place for those affected by cyberthreats.
By doing so, they will be able to help ensure that cybersecurity incidents are openly disclosed and reported so that mitigation actions can be triggered faster and collective learnings from incidents can be harnessed and shared.
Finally, and perhaps most importantly of all, from a human capital perspective, organisations will be able to demonstrate that the wellbeing of their personnel is a top priority. All of which will help create more secure organisations and healthier, happier workplaces.