Whenever an organisation suffers a cyber attack, there is a significant human impact, which everyday citizens are only now just starting to realise the full impacts and consequences of.
Cybersecurity is no longer something boards and businesses can relegate to the IT department. It has far reaching broader implications on trust, wellbeing and the community.
There are many elements of cyber crime that are easy to quantify, but not the human impact. We can easily measure lost time, count the number of records stolen in a ransomware attack, account for the fees paid in cyber-insurance premiums and to recovery experts. We can even quantify the payments made to recover information from a ransomware attack. But cybersecurity attacks against organisations have a far broader impact.
When JBS Foods suffered a significant ransomware attack, there was considerable human impact. Although JBS is a Brazilian firm, it has a substantial operation in Australia. When the cyber attack hit, about 800 Australian workers were immediately stood down. When they arrived at work they learned they would not be paid for that day, or until the issue was resolved and the plant was back in operation.
While much of the focus of the JBS breach was on the workers who lost wages, the price of meat commodities was affected, which had a knock-on effect on the price of beef for consumers. And an ecosystem of suppliers, logistics companies and wholesalers was affected too.
A major cybersecurity incident at Channel 9 in 2021 resulted in news programs not being broadcast, print runs of The Sydney Morning Herald and Australian Financial Review affected, and staff forced to work from home. Such an incident during a particularly sensitive period, such as during an election campaign, could be devastating to the community. Or perhaps result in important public health advice not being disseminated during a COVID-19 outbreak.
While a cybersecurity incident can have significant and lasting effects on the initial victim, the circle of collateral damage can be devastating. There have been several incidents in Australia, Germany and the United Kingdom of hospital systems being compromised resulting in interruptions in health services and.
Sign up for SmartCompany newsletter.
Free to your inbox every weekday
Maria Bada and Jason R.C Nurse, from the University of Cambridge and University of Kent respectively, say: “Depending on who the attackers and the victims are, the psychological effects of cyber threats may even rival those of traditional terrorism”. And while some of their research focuses on cyber crime focused on individuals — crimes such as identity theft and financial fraud — they note that repeated cyber incidents also have a psychological impact on large populations.
Large-scale attacks can lead to ‘dread factors’ that significantly impact activity and cause some people to limit online activities such as shopping and banking because of a loss of trust. So, while an organisation may see a significant incident through its own lens, there can be a broader impact on the community and this is something board leaders and the c-suite must factor in their cybersecurity programs.
It’s important to not overlook the impact a cyber crime incident also has on the wellbeing of the staff working inside the attacked organisation. When a user is duped into opening a phishing email or tricked into launching an attachment that kicks off a ransomware attack the psychological effect can be extremely damaging.
A recent report from Kaspersky found that almost a third of security managers have missed important personal events in the aftermath of a data breach with over three-quarters saying it impacted on their personal relationships.
It’s easy to see cybersecurity attacks as a purely technical problem that affects faceless organisations that cause some disruption and cost some dollars to resolve. But the truth is that every incident has a human impact — from staff, to customers and to the wider community. It can also have devastating impacts on the brand and trust in an organisation moving forward.
From the end-user that is at the start of the attack chain through to the broader social impact, trust in systems is eroded.
Boards have responsibilities that go beyond shareholders and customers. No organisation exists in a vacuum. Boards and executive leaders need to consider the full impact of a cybersecurity incident. That impact may start at an operational level but it can spread to the staff managing the incident, specific individuals whose systems or credentials were compromised, employees who may lose wages, to customers and the broader ecosystem of your entire supply chain.
It is the responsibility of boards and their organisations — not the IT department — to understand, manage and keep their organisations and the wider community cyber safe.