The human toll of ransomware: how IT pros suffer during incidents

Over the last decade, ransomware has become a living nightmare for victims of all shapes and sizes. Attacks can bring operations to a standstill, damage reputations with customers and even force businesses into administration.

Given this, when a ransomware attack hits, the attention of senior management typically focuses on preventing financial harm. The aim is to keep the business running or to return to business-a-usual as quickly possible, while attempting to mitigate reputational risk and managing client and customer relations.

This focus on the bottom line makes it easy to forget the human impact of ransomware. For the past 18 months, we have been trying to rectify this by interviewing staff at organisations affected by ransomware as part of a joint research project with the University of Kent. The results are sobering.  

In the simplest terms, ransomware attacks are harming the mental and physical health of staff.

Working on a ransomware incident creates considerable stress and anxiety. In severe incidents, those involved in the response often work extended hours for weeks and even months on end. Sleep deprivation is common, with staff sometimes forced to sleep at the office or consume copious amounts of caffeine to function. Given this, it is perhaps unsurprising that mental stress can turn into burnout and physical illnesses. Several victims we interviewed were forced to take sick leave, seek therapy and, in one case, even contemplated taking their own life.

More often than not, this burden is especially felt by IT and cyber security staff – a phenomenon that is rarely addressed despite calls to “talk more about burnout”. 

This is partly because of the tendency to treat ransomware as primarily a technical issue, which one IT manager described to us as the belief among senior management that “magical IT will come and sort it all out”. In such circumstances, IT staff and cyber security staff put themselves under additional pressure, often fuelled by a sense of guilt or feeling like they could have done more to prevent the incident.

In toxic working environments, senior management or board members may look to scapegoat staff to shift blame or find a sacrificial lamb. This can create a feeling of shame among affected IT and cyber security professionals that can linger for a long time after an organisation has recovered. Overreactions from senior management can also create a culture of fear about the possibility of future incidents, leading to staff experiencing a sense of ‘PTSD’ every time they receive a suspicious email.

This is not helped by the broader culture in the cyber security community and media of sometimes publicly shaming the cyber security practices of victims, or governments’ reproving victims who choose to pay. Don Gibson, who was a systems architect at Travelex when it suffered a ransomware attack in January 2020, has spoken powerfully on the Ransomware Files podcast about how being publicly named and shamed by cyber security vendors and practitioners on social media during the incident affected him. While it is right to scrutinise organisations who may have been negligent, encouraging transparency about ransomware also requires empathy.

Given all this, it is critical that any preparation for or response to a ransomware incident takes into the account the need to protect the physical and mental health of staff.

Recognising that ransomware response is often a marathon, not a sprint, is key here, especially to avoid burnout. Senior management should plan to ensure IT and cyber security staff get enough time to sleep and recharge and spend time family. Offering dedicated counselling sessions or therapy could also help staff cope with their experiences. Organisations should also prioritise using external incident response firms that are adept at the ‘softer’ aspects of crisis management.

Of course, there are moments of crisis where all hands are needed. In these instances, seemingly small gestures and contribute to morale and wellbeing. One victim we interviewed recalled a board member contributing a freezer for IT staff to have ice cream during the response. Others highlighted employers providing staff with accommodation near the office to avoid long commutes at the cost of sleep.

At the most basic level, staff wanted to be acknowledged by senior management and know that their wellbeing is important.

Ultimately, this matters for all of us – the wellbeing of IT and cyber security professionals affects societal cyber security and resilience. Where IT members feel stressed, tired or burned out, they are more likely to make mistakes. A recent study, for instance, showed that 83% of IT professionals say that burnout causes data breaches. Protecting our digital infrastructure and protecting the physical and mental health of those tasked with maintaining and protecting go hand in hand.

Pia Hüsch is a research analyst at the Royal United Services Institute (RUSI) defence and security thinktank.

Jamie MacColl is a research fellow in cyber threats and cyber security at RUSI.

Gareth Mott is a research fellow in the cyber team at RUSI.