
The Psychological Impacts of Cyberattacks
This is the second episode of a story related to individuals who, in a matter of moments, transition from “employees” to “rescuers” in the immediate aftermath of a destructive cyberattack.
What I will call the “Heroes”
Which role within a company can become a Hero? And why?
“The fact is, you have to do things before and after. You have to pay attention to people’s sensibilities. Even if we’re in a period of crisis, we mustn’t just have financial objectives, catering objectives or customer recovery objectives. We have to think about the well-being of the teams, to keep as many staff as. There’s a point in getting the business back on its feet if everyone leaves after the crisis.”
Excerpt From the Interview
During the genesis of my book, I have analysed cases where I interviewed people who had been involved in a major corporate cyberattack. I have identified four categories of individuals who are likely to become heroes. I would remind you that being a hero is not necessarily an enviable position. I will now discuss the journeys of these individuals, highlighting the effects on their personal and professional lives.
The Director
Directors are often forgotten, but they are among the positions most affected by cyberattacks. This is because they cannot shirk their responsibilities: it is up to them to allocate the budget, define priorities and create the corporate culture. Furthermore, recent European directives and regulations, such as NIS2 and DORA, insistently remind directors of the fundamentals already described in ISO 27001. Management’s role is crucial in cybersecurity. They can no longer hide behind the ‘It’s an IT problem’ excuse.
I observed two diametrically opposed attitudes.
A Hero.
One was a director who was not only personally involved in crisis management, but also felt emotionally committed to and in solidarity with his teams. He was like the captain of a ship, ready to go down with his vessel, his sole concern being the well-being of his crew and the survival of the company. Unlike the second profile, he does not seek to justify or protect himself. Therefore, this individual will experience personal effects during the crisis, including stress, anxiety, and a sense of guilt. Unfortunately, he is likely to struggle to accept, rightly or wrongly, the impact of the cyberattack. As a result, he will resign after everything is back in order. He will leave with a feeling that he was taken advantage of. These events will mark him for the rest of his career.
NOT a Hero.
In contrast, there is a director who knows that they are partly or fully responsible for making bad choices. They will primarily focus on protecting themselves from the consequences, both for their job and their career. During the crisis, they will try to justify their past decisions. Unfortunately, this type of individual will remain in the office even after the crisis. You will easily identify them, as they will be rewriting history on a grand scale.
The IT Manager
A Hero.
This one will endure pain, as he will be both the tool and the object of it. Based on the cases studied, his main concern is being able to take his rightful place. If he goes into crisis management mode, he will probably fall into the trap that crisis communication is almost always destructive. He will also be part of the rescue team, but he will be more or less involved in strategic decisions. There are cases where management will potentially dismiss him and consider him a mere executor. This is contradictory, since he can contribute the most to decision-making. After the crisis, there will be very mixed feelings: on the one hand, the feeling of not having been valued at his true worth, and the fact that, being in management, he does not receive the same congratulations as the technical people; on the other hand, the feeling that he was left with the dirty work. The result is very often great frustration, leading to resignation or burnout. This is damaging for the company, because he would be very useful in the post-crisis and reconstruction phase.
The CISO
A Hero.
This one is going to suffer, because he is going to be both the hammer and the anvil. Based on the cases studied, his main concern is going to be his ability to take his rightful place. If he goes into crisis management mode, he will probably fall into the trap that crisis communication is almost always destructive. He will also be part of the rescue team, but he will be more or less involved in strategic decisions. There are cases where management will potentially dismiss him and consider him a mere executor. This is contradictory, because he is the one who can contribute the most in terms of decision-making. This will result in very mixed feelings after the crisis: on the one hand, the impression of not having been valued at his true worth, and the fact that, being in management, he does not receive the same congratulations as the technical people; on the other hand, the impression that he was left with the dirty work. The result is very often great frustration, leading to resignation or burnout. This is damaging for the company, because he would be very useful in the post-crisis and reconstruction phase.
The IT Engineer or Security Engineer
A Hero.
We immediately think of him as the hero. He will work day and night, 24 hours a day. He will forget about his family life. He will not be able to tell his family everything, which will have harmful effects. Right after the shock, he will participate in the rescue of the company. However, he will face significant disappointment, especially if crisis management is not properly coordinated. He will face harsh consequences due to sudden shifts in direction and constant changes. In addition, he will suffer a double effect: his unwavering commitment will increase, but he will also be perceived as a possible perpetrator.
The external consultant will also scrutinize their technical skills. It will be simple for the external consultant to identify what was done incorrectly before the crisis. I have observed in these individuals that the stress and anxiety caused by the crisis often transform into a kind of trauma. The consequences are professional burnout, recurring nightmares, and sometimes physical health issues. More than half of those surveyed either experienced burnout or left their jobs within six months of the crisis.
Stay tuned for the next episode.
And don’t forget:
“Treat cybersecurity like personal hygiene—if you ignore it, sooner or later, things are going to get really messy and start to stink!”
About the Author
Didier Annet is an Operational & Data Resilience Specialist and a Certified Professional Coach dedicated to empowering individuals and teams to navigate the complexities of an ever-changing digital landscape.
Find him on LinkedIn: Didier Annet
Learn more in his book:
📖 Guide de survie aux cyberattaques en entreprise et à leurs conséquences psychologiques: Que fait-on des Héros ? (French Edition) – Available on Amazon
Coming soon: The English version – “What Happens to Heroes”