Not only is cybercrime bad for business, but employees also pay the price.
Researchers have identified a correlation between the spectre of cybercrime and employee health and wellbeing. Stress, fear, and uncertainty are leading to poor health outcomes such as burnout, hypertension, strokes, and post-traumatic stress disorder, and these concerns deserve attention.
This situation is not limited to security teams, even though they are under the greatest pressure. Cybersecurity responsibilities, disappointment when failing to prevent an attack, and the general uncertainty around cyber risks affect all employees across organisations.
“Security teams are under tremendous pressure,” says Gerhard Swart, chief technology officer at Performanta. “They are the last line of defence, battling against motivated human criminals using large-scale digital attack tools. A few mistakes can cause massive damage to their companies, yet they have to make sense of complicated systems and a stream of security alerts.
“But the pressure of cybersecurity reaches other people as well. Security needs everyone’s support. But that also means everyone feels that pressure to a degree,” says Swart.
The Impact of Cybercrime on Health
Humans are the best line of defence because they can spot strange and unusual activities, but they also experience the stress of this responsibility. There are four main ways cyber risks affect employee health: vigilance, siege, failure, and morale.
* Vigilance means watching out for cybercrime attempts. While this is an excellent way to prevent successful attacks, it requires focus and diligence. Measured vigilance is good, yet constant vigilance can take a toll, especially if the company culture is very harsh about security mistakes.
* Siege is when criminals target an employee, usually through provocative means such as phishing attacks (fake emails that trick users into taking the wrong action). These cyberattacks are designed to evoke a type 1 response, a neurological term for a very reactive and automatic response. It’s a common tactic to promise great gains or predict big disasters, provoking the person to click a link that clandestinely installs malicious software.
* Failure happens when a siege is successful. Someone was coerced to aid the attack, often unknowingly. That person is likely to feel guilt because of their failure. A punitive corporate culture can worsen this, blaming one person for a more elaborate situation. Some studies indicate that up to a quarter of phishing victims were fired or changed jobs.
* Morale problems can cause a lot of harm. People invest their time and minds in their jobs, and disruptions can severely affect their ability to perform. If a cyberattack occurs, it will stop operations and projects, spiking stress among those teams. Poor communication about the attack leads to more stress, uncertainty, and doubt about their jobs or the organisation’s future. Those who face customers must often answer delicate questions to try and mitigate reputational damage.
Reactionary, punitive and secretive corporate cultures often amplify these issues, says Swart.
“Imagine you are travelling to an important destination, but the road is twisting and full of blind curves, and the bus rattles and makes strange noises. You can become quite worried about the situation, especially when you know your actions can help prevent or cause a breakdown or accident. Even if the bus doesn’t break down, you can never quite relax because relaxing too much is risky,” says Swart.
“I think companies often spend too much effort talking about the bus and its importance, and forget to talk to the passengers and see how they are doing or if they know what they need to talk to others about the bus, the road, and the journey.”
Improving Health and Happiness while Facing Cybercrime
Employee wellbeing has become a more crucial topic, opening the doors for conversations and interventions that reduce cybercrime’s impact on people’s health. The most crucial step is to move away from a culture of blame to one that encourages cooperation.
You won’t get far if your people are afraid to even click on anything, a phenomenon called click paralysis. It’s tempting to immediately point fingers at who is to blame, but an attack is rarely that simple. Mistakes happen, and proper security systems will catch those mistakes. Regular security training and testing will help set a standard, while a supportive attitude towards cybercrime victims can avoid employee churn and unnecessary damage to morale.
The second crucial step is to establish good communication. If there is a threat of attack, inform the appropriate employees and be open to answering questions. These messages shouldn’t come exclusively from your security teams, as they are rarely equipped to relate the issue suitably. Involve employee-focused parts of the business, such as human resources and line managers. Equip leaders to explain security questions to the people they are responsible for.
Thirdly, make sure your security teams are well-resourced and supported. The average corporate team can receive a thousand security alerts daily, excluding other work such as patching, security tests, and studying threat trends.
Invest in services and partners that increase visibility and information coherence, automate security processes, and create proactive visibility and response. These steps take significant pressure off those teams. They also better equip them to work with the rest of the organisation and create a more inclusive cybersecurity culture.
Happy employees make a company stronger. But the fear, uncertainty and doubt that cybercrime stokes can erode those positive moods. Fortunately, a little focus on transparency, communication, and support can keep your people’s minds content, healthy, and on the job.