Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
As the CEO of a midsized organization, you are eagerly anticipating a long-overdue family vacation that is only a week away. However, your plans are abruptly disrupted when you receive an unexpected phone call from IT and the security team. They inform you that your company has fallen victim to a ransomware attack, leaving employees worldwide locked out of their computers. To make matters worse, the attackers gained access to sensitive information such as customer data, emails, and confidential documents. They are threatening to release this data unless a multi-million-dollar ransom is paid. The chaos that ensues is overwhelming — your production line grinds to a halt, communication with key partners and suppliers is severed, employees are left bewildered, and the thought of disappointing your family by canceling or postponing the vacation weighs heavily on your mind. Situations like these not only cause immense stress but also evoke a whirlwind of negative emotions in everyone involved.
Why The Emotional Well-Being Of Employees In The Context Of Cyber Risk Is Underrated
Emotions are what drive us. Employee emotions can play a vital role in productivity, job satisfaction and retention. Unfortunately, most organizations only focus on financial, legal and compliance aspects when planning for cyber risk; they tend to ignore the psychological consequences and negative emotional impact a security incident can inflict on employees.
My company’s survey found that online scams can lead to feelings of distress, anger, frustration, fear and guilt in employees. What’s worse is that research shows the emotional trauma people experience can linger for months afterward. Those affected by a data breach may even suffer from negative thoughts, sleeplessness, anxiety, depression and PTSD. Research from IBM and Morning Consult (via The Record) also found that about 65% of incident responders have sought mental health assistance as a result of responding to cybersecurity incidents. In the long run, my company’s survey found that the emotional toll of online scams in particular may be more impactful than short-term financial loss.
How Organizations Can Get A Better Grip On Employee Emotions
Although they cannot control employees’ emotions, organizations can learn to better manage negative employee experiences. Here are some tips to help you get started:
1. Train Employees Well So That Bad Actors Cannot Exploit Their Emotions
According to research from Stanford University Professor Jeff Hancock and Tessian (via Security Today), human error is responsible for 88% of data breaches. Threat actors regularly target human frailties such as fear, greed and impatience, using clever social engineering tricks to manipulate people into downloading malicious attachments, clicking on malicious links, and visiting malicious websites. Through regular security training and social engineering simulation exercises, organizations can foster security-conscious employees who are less susceptible to being duped and use human intuition to identify phishing attempts. This approach aids organizations in mitigating cyberattacks and shielding employees from emotional distress.
2. Celebrate A Culture Of Trust And Openness
Make sure there’s an open and upfront atmosphere where employees can freely express their feelings. When they see that transparency, honesty and empathy are valued, they’re likely to feel more invested in keeping the company secure. Of course, it’s not always easy for employees to open up about their emotions. That’s why it could help if leaders lead by example and share their own thoughts. This can help employees feel less exposed when they share their own experiences.
3. Allow Employees To Make Mistakes
Errors are of course inevitable, and while they shouldn’t be ignored, they should not result in punishment. Penalizing employees can demotivate the workforce and elicit negative emotions (enmity, shame and humiliation). It’s also important to realize that not all employees have the same level of security maturity or competency. This is why it’s important to set clear expectations and communicate them through guidelines and policies, build relationships, and offer personalized support when needed.
4. Prepare For Security Incidents
When an attack goes down, it’s tough for employees to keep a clear head. It’s natural for them to be stressed and ride an emotional roller coaster. But if organizations have a solid incident response plan that’s been rehearsed and adequately established, employees won’t feel as vulnerable. They’ll have more control over their actions, decisions, and emotions. Having a good incident response plan in place can also dial down anger, panic, frustration, and confusion among the team. That means the organization can bounce back and recover faster.
It’s hard to measure and put a number on the emotional impact of a cyberattack on a company. Yet organizations should start taking it seriously as a significant risk factor. By doing better planning, preparing ahead of time with awareness training, and practicing for such situations, they can improve productivity, job satisfaction and retention while also creating a more resilient and secure environment for employees.