For many business leaders, falling victim to the efforts of hackers is the worst thing they will experience in their professional lives. Millions of words have been devoted to advising businesses on handling disruption, uncertainty, and huge costs arising from such events, but the challenge of handling the emotional and psychological impact felt by leadership teams and employees is rarely addressed.
When an incident first hits, well-prepared organisations will quickly assemble a core team of internal and external specialists. Less well-prepared organisations may take longer to initiate a response. IT professionals, lawyers and communications specialists all have a role to play in responding to an incident. With the support of skilled individuals most businesses will be able to weather most cyber storms, but few will come out without feeling battered by the experience.
Some of the most important support professional advisors can and should give is not legal, but emotional. This article considers the impact that a cyber attack can have on employee and leadership team wellbeing and what can be done to reduce the harm, both in advance and in the face of an attack.
Facing the fear
The initial reaction to being hit by a cyber attack is likely to be shock and a sinking feeling of horror. At first, an attack may look like a routine IT incident, the result of a glitch or configuration error, and depending on its severity and nature it may take time for the true cause to become clear. In some cases, a ransom note appearing on computer screens or even on printers may be the first sign. As it becomes apparent that a third party is responsible for the incident it is common for panic to set in. At that stage drastic action may be necessary to protect systems and prevent further compromise. In the case of a major attack this may mean many or all systems have to be taken offline. Suddenly restricting or removing systems access can be alarming for businesses which increasingly operate online. Simply getting hold of employees to explain what is happening may be extremely challenging.
In the early stages of a cyber incident the entire workforce may be concerned and fearful for their jobs, and this will be exacerbated if they cannot make contact with management. Even if there is little to say, establishing a reliable and secure means of communication, ideally one that does not depend on the systems under attack, will be essential to maintaining staff morale and goodwill.
Setting aside guilt
One of the most challenging aspects of managing a cyber attack is the feeling of guilt experienced by all but the most robust leaders. Faced with fearful employees, angry customers, unsympathetic regulators, and, if you are particularly unlucky, inquisitive journalists, it can be easy to forget that you are in fact the victim of a crime.
If personal data is compromised, as it usually is to some extent in cyber attacks, you are likely to have a duty to notify your data protection regulator, often within a short statutory window, and if you are subject to sector-specific regulation, or are a publicly listed company, you may have other reporting obligations too. On top of those duties, and depending on the nature and severity of the breach, you could also have the unenviable task of telling impacted individuals, potentially customers, employees and any other stakeholders, that their information has been compromised.
Knowing when to report to individuals, and how much to tell is a real challenge. You may have to decide between issuing a potentially unnecessary warning without much detail and waiting for more certainty, at which point your warning may be too late and individuals at greater risk of harm from fraud, phishing attempts, blackmail or worse. In such cases the expert guidance of legal and communications specialists can be invaluable.
Avoiding exhaustion
Once the adrenaline triggered by the initial crisis of a cyber attack has abated, the reality of what is, effectively, a large and unexpected project of indefinite duration, will loom before you. The prospect will probably be as exhausting as it is daunting.
In particularly disruptive breaches where recovery, and restoration of systems can take days or even weeks, the challenge of keeping the organisation running, maintaining the confidence of staff and customers and dealing with complex IT, legal, and communications challenges can feel insurmountable. The nature of cyber attacks is that resolving them is rarely smooth and predictable.
Many management teams are led by individuals who are tired to the point of burnout even before a cyber attack hits, so hard though it is, pacing yourself is the only viable option.
Although the emotional toll of handling a cyber breach has received little official attention, UK National Cyber Security Centre guidance from 2022 does address the risk of teams becoming overwhelmed. Tired individuals don't always make the best decisions in a crisis and a breach response situation is unlikely to be improved by worn out team members having to step away and be replaced.
Yearning for closure
Possibly the most frustrating thing about handling a cyber attack is that it can seem never-ending. Even after systems are restored or rebuilt and data is recovered, letters of complaint and concern, and in some cases letters of claim, will keep coming in from data subjects. Clients will demand updates and regulators can be very slow to tell you what, if any, action they intend to take against you. Depending on your organisation's nature and structure you may have investors, trustees or board members demanding to know exactly what happened, who they can blame and what is being done to prevent a recurrence. If you have insurance, premium negotiations are likely to be more involved following a breach.
Following a cyber incident you are more vulnerable to further attacks, whether by the same threat actor, who may still hold stolen credentials or a foothold in your systems, or by other groups that have noticed you, so any lessons learned in respect of IT security or organisational safeguards, including closing the original entry point and resetting compromised credentials, need to be actioned swiftly. Any leniency shown by regulators will not be repeated if you fall prey to the same or similar weaknesses for a second time. Even if you want to move on and focus on rebuilding your operations, you are likely to find the cyber attack taking up your time for months after it is ostensibly over.
So what should you do?
If you find yourself on the wrong side of a cyber attack there are a few crucial things to remember:
- Don’t victim blame – it’s important to identify the weaknesses or failings that left you vulnerable to attack so that you can explain and address them, but unless a third party against whom you can bring a claim is responsible, there is little point in focusing on recriminations and apportioning blame. It will not encourage open engagement from staff and will only add to an already stressful atmosphere. This means being kind to yourself too. You are the victim of a crime and even if the lock on your door could have been stronger, someone else chose to break in.
- Listen to experts – you know your organisation best and, if the buck stops with you, no one can make decisions for you but it is a very good idea to take expert advice. Some organisations have internal experts in IT forensics, crisis communications and breach response legal support, but most will need external help. Specialist cyber attack response professionals see issues every week that most business operators will be unlucky to see more than once in their careers, and they are used to dealing with them without the heightened emotions and levels of stress that impact those on the front line of an incident. Trust their judgement.
- Don’t overcommit but do stick to your promises – if you promise regular updates to staff and impacted individuals you will have to deliver them or risk losing their confidence. Be realistic about how frequently you can communicate and don’t commit to be in touch if you may have nothing new to say. If you have offered a helpline make sure it is properly staffed. If you are arranging credit monitoring services for impacted individuals, make sure they are available for all who need them.
- Take a break – ensure that everyone involved in the breach response takes regular breaks and bring in external support if necessary to avoid burnout and exacerbating an already stressful situation. If you are leading the response it's essential that you practise what you preach. Stop checking messages after a certain time at night and instruct your team to call you in the event of an emergency so you won’t feel the need to constantly look at your phone. During the day, try to take a walk and shift your focus off the breach for a period of time. This may sound impossible in a crisis, but you will achieve more if you step back and take an occasional deep breath.
- Appoint someone to manage the long tail – after a certain period of time when the most urgent matters are resolved it will be tempting to focus on getting back to business as usual rather than dwelling on the lingering effects of the attack. Appoint a team member to oversee breach-related follow up activities and to learn necessary lessons from the incident. Have that person report to leadership on a regular basis. This may include managing long term regulatory engagement, litigation arising from the breach, customer liaison, IT security improvements or training and policy updates. Don’t miss the opportunity for improvement that a crisis can bring.
A stitch in time…
Assuming you are not in the middle of a cyber incident right now, what can you do to put yourself in a better position if you do fall victim to one?
- Cultivate a no-blame culture – before anything has gone wrong, support people to share their concerns. Try to offer in-person cyber and data training and encourage everyone to air any security worries as part of those sessions. In a culture where people feel able to voice their misgivings and identify potential failings you will be far less likely to fall victim to attack, and if you do it may be less severe. Whatever happens you will be better placed to retain the trust and support of your staff as you respond because you listened to them in the first place.
- Get breach ready – preparing for a data breach may seem counterintuitive, but time spent on breach response plans, incident simulation exercises and identifying the members of your core response team can save hours or even days at the start of a cyber attack, when time is precious and any delay may be critical. The impact of seemingly small things like ensuring that everyone listed in your response team has a named deputy, setting up a WhatsApp group so you can communicate if your emails are down (or may be being read by the attacker), and making sure you list the contact details of your external advisors (and their alternates), may save you untold amounts of unnecessary stress. If possible, set up text message communications with your workforce so you can send a text to their personal devices if company IT fails. When you have finished your breach response plan don’t forget to print it – in an increasingly paperless world your carefully curated step-by-step procedures will be useless if you have no access to your digital systems. Print off two copies and take one home to store safely – you’ll thank us later.
- Invest in IT – if preparing for a breach is counterintuitive then investing in IT is painfully obvious. But it’s not just about how much you spend. It is hard to mark your own work, and it is unfair to put your IT team in charge of finding their own mistakes; we often cannot see them when they are right in front of us. It's not unusual for businesses to spend huge sums on IT security projects but fail to spot simple weaknesses that render the most sophisticated protections pointless. Devote some of your security spend to an external security audit and be prepared to challenge the internal status quo when you receive the results.
- Insure what you can, if you can – for a while, cyber security insurance premiums were so high and the policy exclusions so broad that it was a legitimate or even sensible choice to opt out of insurance and invest the premium in security enhancements instead. Given the significant and increasing cost of responding to a cyber attack, insurance should be a part of breach preparedness where you can identify an appropriate policy. Products are diversifying and both traditional and challenger brokers are working harder to match clients with policies. Make sure to check your policy when preparing your breach response plan – your insurer may provide specific support or require you to use its own pre-vetted experts.
We're here to help
As we hope this article demonstrates, we are not just 'suits' (not that we wear them much these days). We do understand the emotional stress that can come with a cyber attack and can support on that front as well as with the legal issues.
We've put together a selection of services to help organisations get 'breach ready'. This includes carrying out an incident preparedness audit, providing recommendations on how to improve policies or safeguards (where appropriate) and carrying out a breach simulation exercise to test your organisation's response to an incident. We can also review your insurance position and your contractual rights against third parties you've hired to help you with cyber security, and provide training sessions on how to protect your reputation during a crisis. If you would like to hear more about this series of training sessions, please get in touch with us!