Ransomware attacks leave small business owners feeling suicidal, report says

Small business owners have been left feeling suicidal following ransomware attacks, according to new research that examines how the criminal ecosystem is causing harm beyond simply the money it extorts from victims.

The new report from the Royal United Services Institute (RUSI) creates a typology of harm for ransomware, including the “significantly overlooked” psychological impact on staff and other people involved in responding to an incident.

According to the report, a ransomware attack on a business in the engineering sector caused so much stress for the staff involved that the company hired a post-traumatic stress disorder support team to address the issue.

In a webinar on Wednesday focusing on the psychological harms covered in the report, one of the think tank’s researchers, Pia Hüsch, recalled a “particularly striking interview that we conducted … with someone who felt suicidal as a result of a ransomware attack.”

Given in the context of other victim interviews that Hüsch and her colleagues had completed as part of the research, she said “this wasn’t just the exception, but it still remains relatively rare.”

RUSI assessed that incidents affecting small business owners can have a greater psychological impact because of how close together the individuals’ personal and private lives can feel.

“If you run your own business for 20 years, that is your personality, that is your only source of income,” explained Hüsch.

Interviewees anonymously told the think tank that “we all blame ourselves” following an attack, and that the incidents they had suffered had caused them to doubt how they had built their business and whether they had run it properly.

Even at large organizations, the stress that ransomware attacks can cause for IT teams “is often overlooked and insufficiently addressed,” warned the report.

“Some members of IT teams can feel particularly responsible, often because they feel that they knew about potential system problems and did not raise them sufficiently, subsequently blaming themselves and burning themselves out working on the ransomware response,” stated the report.

“This is particularly regrettable, as in some instances stress on staff is so significant that it leads to other harms such as burnout or other sickness, leading personnel to leave their jobs or to be absent temporarily on sick leave.”

The study, which was partially funded by the U.K.’s National Cyber Security Centre (NCSC), follows what was almost certainly a record year for ransomware incidents for organizations in the United Kingdom.

During just the first half of 2023, ransomware criminals had already compromised 667 organizations in the country — equivalent to just over 94% of the 706 affected in the entirety of the year prior — according to data trends published by the Information Commissioner’s Office (ICO).

Businesses that suffer a data breach have a duty to inform the ICO, Britain’s data protection regulator, which can fine organizations that fail to report a breach up to 4% of their global turnover.

Despite the reporting requirement, last year the NCSC and ICO published a joint blog post saying they were “increasingly concerned” that ransomware victims were keeping incidents hidden from both law enforcement and from regulators.