“There was a bit of PTSD every time I walked through the office door.” This is a quote from the 2024 Journal of Cybersecurity. It was shared by Lukas van der Merwe, associate director for cyber security sales and client development at Cybercom, during his presentation about the psychological impact of cyber attacks at the ITWeb Security Summit in Cape Town.
Van der Merwe shared four real-world scenarios to outline how different leaders handle and respond to a cyber incident, and to highlight how this affects their teams psychologically.
In the first scenario, a small auditing and accounting firm suffered a denial-of-service (DoS) attack and ended up getting locked out of its Microsoft tenant about 10 days before the end of the tax season. They were well prepared, everyone on the executive team knew what to do and, as a result, they handled the situation quite well.
In the second scenario, a research organisation was hit by a ransomware attack. Unfortunately for this particular business, members of the executive team were on leave at the time and the executive in charge was newly responsible for IT, which resulted in uncertainty regarding how to handle this big cyber event. They were well and truly thrown in the deep end, he explained.
Scenario three saw a business that thought it was secure being targeted by a ransomware attack that brought it to its knees within 8 hours. The business leader responded to the incident with blind rage and treated everyone he interacted with terribly. His response had an incredibly negative impact on his team, who lost all their confidence and couldn’t make any decisions as a result.
Finally, in scenario four, Van der Merwe ran a simulation with a company that suffered a security breach in 2021. Several members of this team showed physical signs of distress years later – putting their heads in their hands and shifting nervously in their seats when Van der Merwe even mentioned the incident.
“This team became the catalyst for this conversation. They were the reason that I tore up all our triage scripts and rewrote them because they showed me just how important it is to treat these situations with a lot more empathy and a lot less judgement.”
Cyber scars
Van der Merwe went on to outline some of the factors that can leave teams who fall victim to an attack with cyber scars. These include poor leadership, inadequate preparation and ineffective communication. Conversely, when a business has strong leadership and robust plans in place and when they prioritise employee welfare during and after an attack, the chance of people walking away from a breach with lasting psychological scars is far lower.
“You wouldn’t send someone to war without giving them basic training. So why would you expect corporate citizens to be able to deal with something like this without giving them the right tools and equipping them with the skills they need to handle the situation well?”
Van der Merwe closed his presentation by sharing a quote from someone he recently interviewed about the psychological impact of cyber crime. She said: “Knowledge prepares you, but experience transforms you. A cyber attack reveals how vulnerable your business is but it tests more than your systems. It tests your leadership and your people. What struck me was the silence around cyber attacks – there's very little open dialogue and no shared playbook or community where people can discuss their experiences. As a result, we felt alone in making certain critical decisions. Until we create communities to share, leaders will continue to face attacks in isolation and the digital wounds will remain.”