Cyber incidents not only impact companies, but also employees. As anyone who has ever dealt with identity theft knows, it’s stressful and takes time to resolve, mostly during normal business hours. According to the Federal Trade Commission (FTC), there were twice as many reports of identity theft in 2020 as in 2019, and reports of fraud and other malicious activities also increased. We also know that in the “new normal”, companies are considering employees’ personal lives, allowing for flexible work schedules and benefits that help reduce stress and improve mental health so that employees can support their families. However, there has been little discussion about how these two changes interact and how to manage their impact on business operations.
As we move through 2021, it’s clear that more employees will continue to work from home and that cyber attacks will continue to rise. As such, you need to recognize the impact cyber incidents have on the time, focus, and mental health of your employees. Doing so demonstrates that you care about your employees and their families, and at the same time it helps build loyalty and increase the quality of employees’ work.
Employees are affected by two types of cyber incidents – those that impact their company and those that impact them personally. The first includes everything from phishing emails to ransomware that can disrupt business operations for weeks. The second covers a much wider range of events, from personal identity theft to ransomware incidents at K-12 schools that leave schools closed and students at home, as well as medical emergencies that local hospitals are unable to handle. Of course, the two may be related if an employee is responsible for an attack on the business, such as after clicking on a malicious link in an email message or using an infected personal device to conduct company business.
In addressing these concerns, start by making sure company leaders understand what will happen if there is an incident. Is there a plan in place for the company to respond? Will employees be able to continue working? Will they be paid, especially if they can’t continue to work? How will you convey this information to your employees during the incident, and do you have the ability to answer the questions that will surely arise? (What if you don’t have access to email or the telephone call tree?)
This may sound obvious, but it’s not always as clear cut as you might expect. Some incidents may affect the ability to submit timecards or to issue paychecks. If the incident affects the company payroll service or another provider, it can result in cascading effects that impact both employees and operations. A common variant of the Business Email Compromise (BEC) scam attempts to modify employees’ direct deposit information. If this happens, will the company assume the liability, or is it considered the employee’s fault because they clicked on the link or otherwise fell victim to the malware? Companies have responded in both ways. Either way, employees who live paycheck-to-paycheck will be distracted and stressed, reducing their ability to provide the same quality of service as before. If employees are held liable, it may directly impact their loyalty (and disgruntled employees are one of the key drivers of insider risk).
If the incident is the result of the accidental actions or inactions of a particular employee or department, how will you respond? Incidents where a particular employee is responsible can have lasting emotional impacts, too. Even if you choose to continue employing them, they are likely to be embarrassed and ashamed. Supervisors may also struggle to decide how much the incident should affect the employee’s future and performance reviews. Do you have a plan in place to help the employees and their supervisors deal with these emotions, ensure employees are treated consistently, and prevent retaliation from other employees?
Cyber incidents that affect employees personally encompass a much broader range of possibilities, including home computer and device compromises, loss of financial stability, dependent care issues, and possibly emergency situations. Data breaches are, unfortunately, common and often not the fault of the individuals they impact, but recovering from one means hours spent on the phone, filing reports, and attempting to restore one’s identity. K-12 schools are common ransomware targets, forcing schools to suspend classes for days or weeks while they recover and leaving parents struggling to find care for their children. Hospital ransomware incidents have resulted in critical care patients being diverted to other area providers. Patients and their family members may be stressed by having to switch to unfamiliar environments away from home and by longer commutes to visit their loved ones.
You care about your employees and their families. Taking time to understand and address an employee’s emotional trauma strengthens the company because it ensures that employees are comfortable reporting incidents and asking for help. With the current work-from-home environment, employees personally impacted by cyber incidents are carrying those concerns, and possibly compromised systems, into the workday and company networks. A little compassion and understanding can go a long way in helping employees recover and feel increased loyalty toward the company.