Report: Ransomware Attacks Cause Psychological Trauma for Victims

Date: January 17, 2024


A new study conducted by the Royal United Services Institute (RUSI) examines the “significantly overlooked” psychological impact on victims of ransomware attacks, particularly small businesses.

The study found that some small business owners even experienced suicidal thoughts following a successful ransomware attack, with at least one company contracting with post-traumatic stress disorder experts to help employees.

“Some members of IT teams can feel particularly responsible, often because they feel that they knew about potential system problems and did not raise them sufficiently, subsequently blaming themselves and burning themselves out working on the ransomware response,” The Record reports.

“This is particularly regrettable, as in some instances stress on staff is so significant that it leads to other harms such as burnout or other sickness, leading personnel to leave their jobs or to be absent temporarily on sick leave.”

Takeaway: It’s no surprise that ransomware attacks are causing psychological trauma for incident responders and business owners, as the potential consequences of a successful attack can mean millions in losses – something that represents an existential risk, especially for smaller organizations.

This is particularly true for those that lead security teams, particularly CISOs who have long endured the brunt of the “blame” for successful attacks regardless of their efforts to get more funding to improve the security posture of the company.

We should also be considering the psychological pressure that a dysfunctional legal and regulatory landscape is going to put on CISOs and other security team leaders who, according to the study, are already under tremendous pressure to protect the organization while being denied the resources they need to be successful.

In the very recent past, while ransomware attacks were still very disruptive to organizations, at the end of the day everyone went home. Most CISOs know that they can only expect to keep a job for a few years, as there has always been volatility for the position – but everyone went home.

Today, when you look at the legal actions taken against the former CISO for Uber and the more recent cases brought against SolarWinds executives including the CISO, we are witnessing a significant sea change regarding where liability lands for security-related decisions.

Today, executives and Boards of Directors are increasingly in the crosshairs, and we will likely be seeing the victims of ransomware attacks being prosecuted and potentially serving jail time following a successful ransomware attack – especially if sensitive or regulated data was compromised or exfiltrated in the attack.

Why? The government is failing to protect organizations from ransomware attacks. This makes it look inept and ineffective, and the government does not like to look inept and ineffective, so it knows it has to do something.

So what do they do? They re-victimize the victims of these attacks so they can pat themselves on the back and say they are doing something to address the problem. In reality, they are just making the problem worse for the victims.

Take the recently enacted reporting rule implemented by the Securities and Exchange Commission (SEC) in December. The new rules require publicly traded companies to disclose a “material” security event within four days or face regulatory actions.

While more visibility and accountability regarding security-related events at public companies is a good thing on its face, we need to be careful to not confuse disclosing information about a cyberattack with actually informing investors as to why an attack should be considered in their investment decisions.

Forensic investigations are difficult, and they take time – a lot of time. The disclosure rule set by the SEC has the potential to create a situation where an attack is disclosed but the details are murky because it could be weeks or months before the organization can adequately assess the information the SEC is requiring be reported.

The company's leadership would then be in a position where they trickle out incomplete information over time as the investigation progresses, and simply end up dying by a thousand cuts.

Remember what happened to Okta when they tried to be timely and transparent about a breach event? Their stock was hammered, and the CEO was heavily criticized for how they handled the disclosures.

The inability to provide concrete answers immediately will likely create confusion and anxiety for investors and attempts to be forthright and transparent will result in contradictory or escalating disclosures, creating more legal liability for the organization and its leadership.

And more issues can arise from this, including the impact that regulatory actions against victim organizations and their leadership will have on the security culture within an organization.

A punitive regulatory stance by the government will likely create top-down pressure on CISOs and security teams to be less forthcoming with the C-level and BoD when faced with a security event.

It’s not hard to see that security teams will feel pressure to not report events to leadership unless they absolutely have to, and this has the potential to negatively impact security operations.

All of these factors add up to one thing: organizations who were already struggling to defend themselves against the threat from ransomware and data extortion attacks now also have to face the threat of being re-victimized by an overzealous regulatory landscape.

And while the C-Level and BoD are increasingly at risk of legal and regulatory actions, it is most definitely the CISO or equivalent who is at most risk of getting thrown under the bus following a successful attack.

In this environment, it’s not unlikely that we will see CISOs and/or security team leaders face jail time following an attack. It’s a wonder that anyone would want to take on the thankless job of CISO if they are just going to take the blame for organizational decisions.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.