The human impact of ransomware attacks: how can businesses protect their security professionals?
By Tony Hasek, CEO at Goldilock

With the annual cost of cybercrime to UK businesses estimated at over £30.5 billion in 2023, leaders are constantly reminded of the monetary, operational and reputational impact of ransomware attacks. The halting of business operations, the loss of vast amounts of sensitive data and the resulting reputational damage are difficult to ignore. With this in mind, business leaders often focus recovery processes on preventing financial harm and returning to business as usual as soon as possible. However, because some of the consequences of a ransomware attack can take months, or even years, to materialise, they are often overlooked, especially when it comes to the human impact of an incident.

According to the CISO stress report, 48% of CISOs said work stress had impacted their mental health, and 35% found their physical health had been affected. With security professionals facing long-term consequences from job pressure, it’s crucial to understand the root causes and explore solutions. What’s driving this stress, and how can business leaders step up to protect their employees’ well-being?

Today’s threat landscape

Undoubtedly, the work of security professionals is high pressure by nature. However, recent changes in the global cyber threat landscape have likely exacerbated mental and physical health problems among security professionals. Emerging technologies like AI and quantum computing are fuelling a new wave of more targeted and sophisticated ransomware attacks. Just last month, Apple announced a new boost to its messaging app’s security to fend off the looming future threat of advanced quantum computing attacks, and we’re seeing businesses across the board prepare for similar scenarios.

But the truth is many UK businesses lack the correct measures to make them resilient to cybercrime. According to a Microsoft study published this month, only 13% of UK organisations were described as “resilient” to cybercrime. Without this peace of mind, security professionals working for the other 87% of businesses come under great pressure to detect and fend off breaches.

Security professional shortage

With companies consistently reminded that they should assume they will be breached, security professionals are pressured to remain vigilant. This pressure only intensifies as the cyber skills gap grows within organisations: a recent Kaspersky study revealed that over 50% of cybersecurity professionals admit to making early career mistakes with potentially serious consequences directly attributable to a lack of technical knowledge.

With a narrowing talent pool, existing cybersecurity professionals are under pressure to maintain a business’s collective cyber armour, which inevitably increases both workload and intensity for employees.

The human toll of ransomware

All such factors have contributed to an increase in reports of poor work-life balance for infosec professionals and the decline in their mental and physical health. In recent years, the rate of cybersecurity professionals finding themselves in need of medical intervention due to a decline in their physical and psychological health has increased significantly. A recent report published by the Royal United Services in January found high-pressure attacks often cause high levels of stress, PTSD, and feelings of guilt and shame among employees, forcing many to take prolonged time off work and straining relationships with co-workers and family and friends.

With a significant proportion of security professionals finding their mental and physical health impacted due to their professional lives, it comes down to the employer to better protect their security professionals on the front lines. So, what needs to change?

A cultural shift

When the pressure experienced by security professionals comes down to a fear of speaking out over potential mistakes or security incidents, it’s clear there’s a need for a cultural shift in an organisation. Business leaders should create an open, blame-free working environment that empowers employees to seek help. This can include proposing solutions for workload management and fostering a culture of open communication within the security team.

Training and upskilling are also crucial aspects. Empowering security professionals and employees across departments with the knowledge and confidence to call out potential incidents as soon as possible will ensure a better baseline of security knowledge. For cyber teams, this reduces the number of ‘messes’ they have to ‘clean up’. Dedicated upskilling programmes can also help to address the cyber skills gap head-on, bridging knowledge gaps and equipping professionals with the operational finesse they need to excel.

Disconnecting

Businesses can also implement a baseline of defence to reduce pressure on employees and prevent breaches. Put simply, anything connected to the internet is at risk of a ransomware attack. And with businesses operating on an ‘always on’ basis, with networks and IT infrastructure permanently connected to the internet, these systems are always at risk.

This is where air gapping comes in: the physical isolation of a device or network so that it cannot establish an external connection, in this case to the internet. As a society, we have become so accustomed to being connected to the internet that we assume it’s always necessary. Making disconnection the default for sensitive areas of a business’s network will give security professionals and business leaders peace of mind that resources that aren’t in use are switched off and, therefore, not exposed to attack.

C-level executives should take ownership of their employees’ welfare by having a ‘kill switch’ to hand. Air gapping also does not require a physical presence or a connection to the internet. The choice to disconnect can be made remotely, instantly, and without an internet connection, meaning executives can take the lead and choose to disconnect when faced with the threat of a ransomware attack. These processes can provide security professionals with peace of mind that systems are better protected and remove a certain amount of responsibility from their hands.

Ensuring employee well-being

As cyber threats continue to evolve, it will be more critical than ever for businesses to prioritise the well-being of their security professionals. When IT security staff feel burnt out or stressed, the likelihood of mistakes is higher, with 83% of IT professionals saying that burnout causes data breaches, according to a 2023 study. The solution here is two-fold: creating a working environment that encourages openness among employees, and taking systems offline when they do not need to be online. By following these steps, business leaders can give themselves and their employees peace of mind while protecting staff well-being as well as digital assets.
