For many business leaders, falling victim to the efforts of hackers is the worst thing they will experience in their professional lives. Millions of words have been devoted to advising businesses on handling disruption, uncertainty, and huge costs arising from such events, but the challenge of handling the emotional and psychological impact felt by leadership teams and employees is rarely addressed.
When an incident first hits, well-prepared organisations will quickly assemble a core team of internal and external specialists. Less well-prepared organisations may take longer to initiate a response. IT professionals, lawyers and communications specialists all have a role to play in responding to a dispute. With the support of skilled individuals most businesses will be able to weather most cyber storms, but few will come out without feeling battered by the experience.
Some of the most important support professional advisors can and should give is not legal, but emotional. This article considers the impact that a cyber attack can have on employee and leadership team wellbeing and what can be done to reduce the harm, both in advance and in the face of an attack.
The initial reaction to being hit by a cyber attack is likely to be shock and a sinking feeling of horror. At first, an attack may seem like a regular IT incident, the result of a glitch or configuration error. Depending on the severity and nature of the attack it may take time for the true cause to become clear. In some cases, a ransom note appearing on computer screens or even on printers may be the first sign. As it becomes apparent that a third party is responsible for the incident it is common for panic to set in. At that stage drastic action may be necessary to protect systems and prevent further compromise. In the case of a major attack this may mean many or all systems have to be taken offline. Suddenly restricting or removing systems access can be alarming for businesses which are increasingly operating online. Simply getting hold of employees to explain what is happening may be extremely challenging.
In the early stages of a cyber incident the entire workforce may be concerned and fearful for their jobs and this will be exacerbated if they cannot make contact with management. Even if there is little to say, establishing a reliable and secure means of communication will be essential to maintaining staff morale and goodwill.
One of the most challenging aspects of managing a cyber attack is the feeling of guilt experienced by all but the most robust leaders. Faced with fearful employees, angry customers, unsympathetic regulators, and, if you are particularly unlucky, inquisitive journalists, it can be easy to forget that you are in fact the victim of a crime.
If personal data is compromised, as it usually is to some extent in cyber attacks, you are likely to have a duty to tell your data regulator and if you are subject to sector specific regulation, or are a publicly listed company, you may have other reporting obligations too. On top of those duties and depending on the nature and severity of the breach, you could also have the unenviable task of telling impacted individuals, potentially customers, employees and any other stakeholders, that their information has been compromised.
Knowing when to report to individuals, and how much to tell, is a real challenge. You may have to decide between issuing a potentially unnecessary warning without much detail and waiting for more certainty, at which point your warning may be too late and individuals at greater risk of harm from fraud, phishing attempts, blackmail or worse. In such cases the expert guidance of legal and communications specialists can be invaluable.
Once the adrenaline triggered by the initial crisis of a cyber attack has abated, the reality of what is, effectively, a large and unexpected project of indefinite duration, will loom before you. The prospect will probably be as exhausting as it is daunting.
In particularly disruptive breaches where recovery and restoration of systems can take days or even weeks, the challenge of keeping the organisation running, maintaining the confidence of staff and customers and dealing with complex IT, legal, and communications challenges can feel insurmountable. The nature of cyber attacks is that resolving them is rarely smooth and predictable.
Many management teams are led by individuals who are tired to the point of burnout even before a cyber attack hits, so hard though it is, pacing yourself is the only viable option.
Although the emotional toll of handling a cyber breach has received little official attention, UK National Cyber Security Centre guidance from 2022 does address the risk of teams becoming overwhelmed. Tired individuals don't always make the best decisions in a crisis and a breach response situation is unlikely to be improved by worn-out team members having to step away and be replaced.
Possibly the most frustrating thing about handling a cyber attack is that it can seem never-ending. Even after systems are restored or rebuilt and data is recovered, letters of complaint and concern, in some cases letters of claim, will keep coming in from data subjects. Clients will demand updates and regulators can be very slow to tell you what, if any, action they intend to take against you. Depending on your organisation’s nature and structure you may have investors, trustees or board members demanding to know exactly what happened, who they can blame and what is being done to prevent a recurrence. If you have insurance, premium negotiations are likely to be more involved following a breach.
Following a cyber incident, you are more vulnerable to further attacks by the same and other threat actor groups so any lessons learned in respect of IT security or organisational safeguards need to be actioned swiftly. Any leniency shown by regulators will not be repeated if you fall prey to the same or similar vulnerabilities for a second time. Even if you want to move on and focus on rebuilding your operations, you are likely to find the cyber attack taking up your time for months after it is ostensibly over.
If you find yourself on the wrong side of a cyber attack there are a few crucial things to remember:
Assuming you are not in the middle of a cyber incident right now, what can you do to put yourself in a better position if you do fall victim to one?
As we hope this article demonstrates, we are not just 'suits' (not that we wear them much these days). We do understand the emotional stress that can come with a cyber attack and can support on that front as well as with the legal issues.
We've put together a selection of services to help organisations get 'breach ready'. This includes carrying out an incident preparedness audit, providing recommendations on how to improve policies or safeguards (where appropriate) and carrying out a breach simulation exercise to test your organisation's response to an incident. We can also review your insurance position and your contractual rights with third parties you've hired to help you with cyber security, and provide training sessions on how to protect your reputation during a crisis. If you would like to hear more about this series of training sessions, please get in touch with us!
Disclaimer: This article was written with the help of AI but also by Michael Yates, Andi Terziu and Alisha Persaud.