IBM: Ransomware attacks take psychological toll on incident responders

Hundreds of cybersecurity incident responders said ransomware attacks are having a dramatic effect on their mental health, according to a survey from IBM and Morning Consult.

Researchers spoke with more than 1,100 cybersecurity incident responders in July about their experiences handling cybersecurity incidents and 81% said the rise of ransomware “has exacerbated the psychological demands associated to cybersecurity incidents.”

Laurance Dine, global lead of incident response at IBM Security X-Force, told The Record that ransomware has changed the stakes because of the immediate disruption and direct financial loss it can cause businesses, as well as the potential public impact.

“On the one hand these are destructive attacks to a business. Every minute a manufacturer’s assembly line is offline its CEO knows exactly how much money the business is losing — and incident responders are made very much aware of it,” Dine said. 

“On the other, targeting has become much more intentional, with critical services high on ransomware actors' target list. When you’re potentially what stands in the way of a malicious actor and someone being able to heat their home, get to work, or stock grocery shelves, the pressure adds up quickly. You know the repercussions would be palpable for many people. These aren’t theoretical scenarios — but fights fought.”

The IBM study found that most incident responders were driven into the cybersecurity industry by an instinct to protect, but that sense of responsibility is also one of the most stressful aspects of incidents. 

About half of all respondents had a “sense of responsibility toward their team/client” and “managing stakeholder expectations” as the top three stressors during cyber incidents. More than three-fourths of respondents said they experience stress and anxiety in their daily lives as a result of responding to cyber incidents. 

About 65% of respondents have sought mental health assistance as a result of responding to cybersecurity incidents. 

The most stressful period of a cybersecurity engagement are the first three days, where more than a third of respondents said they worked more than 12 hours a day.

The average incident response engagement lasts between two to four weeks and about a third said they typically deal with engagements beyond four weeks. It is also common for incident responders to be assigned to two or more incidents. 

Dine added that time has never been a luxury for cybersecurity incident responders but ransomware has heightened the level of urgency even more with the added pressure from potential public exposure as well. 

“Not only are we rushing to find out how they got, what they did while they were in, but also what they took and what category of data it is,” Dine noted.

“The real-world repercussions that cyberattacks now have are causing public safety concerns and market-stressing risks to grow“. Incident responders are the frontline defenders standing between cyber adversaries causing disruption and the integrity and continuity of critical services.”