The vast majority of organisations are well aware of the perils of cybersecurity attacks, whether they take the form of financial, operational, or reputational penalties, and most have therefore taken a stringent approach to combating them early. This is unsurprising when you consider that the global annual cost of cybercrime damage is expected to hit $10.5 trillion by 2025 – an increase of almost $7 trillion since 2015.

However, although the financial and reputational implications are well discussed, there is one real-world repercussion of cyberattacks which can often be disregarded: the psychological impact on both users who are targeted by bad actors, and the mental health of frontline security professionals reacting to the threats. Faced with having to identify and resolve multiple cyberthreats daily, such experienced veterans are reporting increased levels of anxiety, stress, and burnout.

If we fail to acknowledge this little discussed but significant human side of cyber defence, companies could be unintentionally putting their employees at risk while also compromising their ability to manage frontline defence.

Measuring the human impact

The UK defence and security think tank, the Royal United Services Institute (RUSI), reportedin a recent study on the significant psychological and financial problems felt by people targeted by threat actors during ransomware attacks.Such attacks have resulted in lost jobs, shame, self-blame, and linked health implications. For some victims, the trauma they experience as a result of a cyberattack will have a direct and enduring impact on their private lives.

The intense demands of addressing cybersecurity incidents are taking a significant toll on the mental and physical health of cybersecurity professionals today. A 2022 study revealed that despite their strong sense of duty to protect and assist, the continuous stream of incidents negatively affects their mental wellbeing. Consequently, 67% reported experiencing stress or anxiety in their daily lives, leading to insomnia, burnout, and challenges in maintaining personal lives and relationships. Additionally, 81% indicated that the increasing prevalence of ransomware has intensified the already considerable psychological pressures associated with their work.

Concerningly, another study indicated that one in seven security staff felt trauma following an attack, with one in five consequently considering a job change.

Protecting people AND business

Historically, cybersecurity has been focused on technical aspects that demand specialised knowledge, expertise, and tools, none of which apply to the people-related issues that arise when bad actors use social engineering to penetrate defences.

Now gifted with fast-evolving AI power, phishing attacks have the ability to create extremely sophisticated fake emails that can fool practically anyone, regardless of their technical ability. That means we need to think laterally about preparing non-technical users about these tactics to increase organisational resilience.

Furthermore, companies should take additional steps to offset the trauma, guilt, and stigma that accompanies such scams. If they don’t, they risk employees failing to report cybersecurity incidents to management out of a sense of shame and employment implications: recent research shows that over 40% of cyberattacks went unreported.

Encourage a learning-centric environment

Businesses should therefore promote knowledge sharing in order to both help stop attacks and also offset any resulting harm. That’s where employee training and education comes into play, equipping people with the tools to prevent breaches while limiting the psychological implications.

Staff should always be aware of the latest cyberthreats on the scene, while training should use real world scenarios to explore both the attack approaches used by criminals and the resulting post-attack psychological repercussions. This will encourage greater understanding and empathy among users and show that anyone from the post room to the C-suite is a potential victim of cybercrime.

At the same time, when supporting the mental health of security professionals who handle cyberattacks, organisations should offer relevant wellbeing resources and ensure staff are comfortable to ask for additional help when necessary.

Lastly, organisations should evaluate how they can foil social engineering attacks from reaching their intended outcomes. For instance, they can introduce specific process checks and impose restrictions on activities like money transfers, which would reduce the likelihood of these attacks succeeding.

Cybersecurity through a personnel lens

Companies today must foster a proactive and supportive culture, which helps employees handle the personal outcomes associated with cyberattacks. By encouraging a company-wide understanding of the issues involved, cybersecurity incidents can be openly identified, reported, and resolved without hesitation. Once acted upon, collective learnings can be integrated into training programmes to bolster mitigation procedures.

Ultimately, companies that can clearly show their commitment to the wellbeing of all of their employees will ensure that these people feel sufficiently supported to work in an effective and productive fashion. Cyberattacks aren’t going away so it’s time to make sure our teams are well prepared to face them.