How do leaders deal with the pain of cyberattacks?
By Sonia Blizzard
We all know cybercrime can be financially costly to your business, but have you ever considered the potential impact on your mental health? Anyone who has been burgled will know how devastating it feels. It can make you feel anxious and angry at your own ‘failure’ to prevent it. The stress and extra work it creates add to the toll on your wellbeing.
Cybercrime is no different, and for business leaders who put their necks on the line only to fall foul of cyberattacks, the emotional impact of picking up the pieces can be overwhelming.
At Beaming, we’ve done lots of research into the financial cost. Our most recent calculation is that UK businesses lost some £17 billion to cybercrime in 2018, with smaller businesses bearing the brunt of the lost time, money, assets and opportunities cyberattacks bring. Now, we have shifted focus to the less discussed psychological cost of such crimes.
Earlier this year we asked an independent research firm to speak to more than 200 senior business leaders whose companies had fallen victim to cybercrime in the preceding 12-month period. Over three quarters (76 per cent) of all business victims questioned reported suffering one or more symptoms associated with emotional distress because of the attack.
A quarter (23 per cent) of those surveyed experienced heightened levels of anger as a result of the attack. A fifth said they felt shocked (20 per cent) or worried (also 20 per cent). One in six (17 per cent) leaders said they panicked after discovering that they had succumbed to a cyberattack.
Beaming’s research mirrors previous studies on the impact of cybercrime on consumer groups. A 2010 survey by Norton showed that around half of victims reacted with anger or annoyance, while more than a third said they felt “cheated” when finding out they were victims. Norton reported that 73 per cent of victims blamed themselves.
Shame is another emotion that is common among victims. A 2018 study by the Department of Computer Science at the University of Oxford said that shame was a perceived coping mechanism in the wake of cybercrime and linked to cases where there was ‘disruption of daily lives’ and a ‘drop in internal organisation morale’.
In 2017, scientists at the University of Haifa in Israel linked cyberattacks to a rise in cortisol – a stress hormone. This investigation came shortly after the ‘cyber-terror’ attacks by the Petya, WannaCry and Dyn viruses that brought thousands of organisations, including the NHS, to a grinding halt.
Cybercrime stress is more common among leaders of larger businesses
The larger the business, the more likely it was for leaders to reference experiencing emotions associated with depression and anxiety following an attack. 89 per cent of leaders at large companies (250 people plus) that had fallen victim to cybercriminals admitted to feelings of anger, shock, worry and despair. Medium-sized businesses (50-249 employees) and small companies (10-49 employees) were not far behind – with 86 per cent and 80 per cent of leaders respectively reporting heightened levels of emotion following their attack.
It is interesting that these larger companies, which have more resources to protect against attacks, came out the most stressed. It is often a difficult and complex challenge for larger organisations to get back to business as usual following an attack. It is also possible that leaders of these companies feel directly responsible to their employees, shareholders and customers in the event of an attack.
By contrast, just half (53 per cent) of leaders at micro-businesses employing fewer than 10 people suffered emotionally after becoming a cybercrime victim. At one-man bands, just 49 per cent said they were affected in some way. The predominant emotion following an attack for these smallest businesses was one of anger. An attack on their business is an attack on them personally.
It was of particular interest to me that – anger aside – one-man bands and micro-business leaders seemed to cope better than their larger counterparts. I don’t think it is because these business owners and managers are more carefree; it is probably because they are used to operating much closer to the edge. Risk is a factor they deal with every day, and to them, a cyberattack could be simply another hurdle to overcome in an ongoing journey of obstacles.
Developing resilience to attacks
Beaming’s study seeks to shine a light on this issue and quantify the immediate psychological impact of cybercrime on business leaders for the first time. While more research is needed to identify quite how damaging this can be, it is clear that many business leaders need to improve the resilience of their cybersecurity systems and do more to enhance their emotional resilience in the event of a successful attack.
There are easy first steps for businesses to take when addressing this challenge. Small businesses have less data and fewer systems, making it easier for them to understand the extent of their IT systems and how they work, so provided they have a backup, it is easier for them to recover. They should also think about strengthening their systems with additional security measures such as managed firewalls and private networking technologies to secure data travelling between locations.
In larger businesses, where extensive cybersecurity systems are often already in place, the problem is more likely to come from human error than structural weakness. Staff at larger companies tend to be more relaxed than the managers. More employee education, clear cybersecurity policies and strong enforcement of those policies are often the key to enhanced resilience.
Back in January we discovered 33 per cent of UK companies fell victim to cybercrime in 2018. That number shot up to just under two thirds in companies that employed between 10 and 49 people. This needs to change. Robust policy, security technology and training schemes can minimise the risk of breaches happening, but all businesses must be prepared to respond quickly and effectively in the event of a failure.
A solid cyber-recovery plan for getting your business back up and running will go a long way to alleviating the initial stress and panic that follows a successful attack. It is this sort of safeguard that will mentally prepare you for the worst and help prevent undue stress if it happens.