The cybersecurity of most companies is on shaky ground, according to researchers at Rubrik. The company suggests that most organizations experienced a cyberattack in the past year. Nearly every IT executive faced psychological consequences as a result of an attack, ranging from concerns about job security to fear of losing face.
Rubrik specializes in data security. The organization regularly surveys the industry. The most recent report is troubling. When we discuss cybersecurity, we typically talk about mistakes in systems and human actions. Feelings of stress and fear are just as relevant, but the psychological side of cybersecurity is often underexposed.
Rubrik interviewed roughly 1,600 security and IT professionals in ten countries, including CISOs, CIOs and VPs. Nearly every respondent (98 percent) experienced a cyberattack in the past year. 96 percent said they experienced significant emotional or psychological consequences as a result of the attack, ranging from concerns about job security to loss of trust among colleagues.
Job security concerns
The damage of cyberattacks is typically expressed in financial loss, downtime and reputation. When reporting on the course of an attack, we tend to talk about bits, bytes and buffers. It’s easy to overlook the chaos that follows the discovery of an incident. “People on the front lines take a psychological hit”, said Steven Stone, head of Rubrik Zero Labs.
About one-third of the respondents said that company management changes as a result of cyberattacks. Once an organization falls victim, executives fear for their jobs. Sometimes, they wind up paying for the incident.
“Both criminals and state actors try to elicit emotional responses during attacks, as evidenced by the increase in extortion campaigns”, said Chris Krebs, former director of CISA and Founding Partner of the Krebs Stamos Group. “In the end, both IT and security leaders get blamed.”
Uncertainty across the board
Most respondents are uncertain about their company’s cybersecurity. Only 7 percent said they were able to restore business continuity within hours of discovering an attack. For the rest, systems remained offline for extended periods of time.
Nine in ten fear that their company would not be able to maintain continuity after an attack. Most would consider paying the ransom in the case of ransomware. 11 percent said vulnerabilities from past attacks have not been adequately addressed.
Despite the results, Rubrik is optimistic. “The good news is that we also see that pragmatic, proven security strategies are paying off”, Stone said, referring to security measures like zero trust and observability. “We can build on those approaches.”
“One of the most effective techniques I’ve seen is to accept that at some point you’re going to have a bad day, and your job is to make sure it doesn’t become an even worse day”, Krebs concluded.