Why so many people leave organisations after a cyber incident
When organisations face cyber incidents, the immediate focus naturally falls on technical recovery, minimising customer impact, and limiting reputational damage. But another effect often emerges in the months following an incident: the departure of staff who were involved in the response.
Of course, there’s natural attrition in any organisation, but both statistics and our direct experience working with post-breach organisations indicate that organisations face significantly elevated departure rates after serious security incidents.
It’s not just IT or security workers who are affected. An incident can ask a lot of a workforce: staff are asked to do more, go without systems they depend on, be on the receiving end of customer pressure, face questions or concern in social settings, and may be victims of the breach themselves.
Senior management and executives
Leadership roles - particularly CISOs and IT executives - face unique pressures during and after incidents. They face accountability from the board and executive management, lead the effort to re-establish trust with counterparties and clients, and are responsible for teams of professionals who have worked intensely and are facing down an ever-growing to-do list.
The professional risk to their careers can be substantial, even if they had previously raised concerns about security resources or capabilities (a 2018 Ponemon study showed 45% of CISOs feared losing their job after a cyber incident). All of this falls on the shoulders of leaders who under ordinary circumstances are still working more than 54 hours a week on average in Australia, according to CISO Lens.
Security, IT, and compliance teams
These frontline responders often bear the immediate burden of incident response and the often lengthy rebuilding efforts that follow. Extended periods of high-pressure work, combined with the psychological impact of defending against active threats from adversaries that try to maximise damage, can lead to health issues, a loss of trust, and burnout. These teams can also experience dread as they consider a long tail of remediation activities, demands for immediate risk reduction and changes to established systems and processes, and an ever-growing backlog of tasks from before the incident.
Customer-facing staff
Customer service teams and account managers face intense pressure during incidents. They become the human face of the organisation's response, dealing directly with frustrated customers while often lacking complete information about the situation and what the organisation is going to do for their customers.
Other staff
For organisations that have experienced a significant incident that has become public, all employees can experience a level of pressure. In an incident where malicious activity or containment measures affect the availability of systems, employees may have to fall back on manual processes that they’re less familiar with and find stressful to operate. They can be frustrated by a lack of certainty about when things will return to normal, and may question whether their personal information has been affected.
An (excellent) 2024 report by Northwave cyber security investigated the symptoms experienced by staff who were not directly involved in a ransomware response. 35.1% of these staff had trouble sleeping, 30% felt fatigued, and 8.2% of non-involved staff required clinical help following an incident.
Loss of trust
Beyond immediate crisis management, incidents often expose underlying organisational issues. CISOs and other executives can lose trust in their peers and executive management over perceived assignment of blame, reflections on the nature of teamwork during the response, or uncertainty about the future direction of cyber security post-incident.
Staff may lose confidence in leadership's commitment to security, particularly if the incident revealed long-standing underinvestment or ignored warnings. According to a 2022 survey by Encore, 54% of workers would reconsider working for a business that had recently experienced a cyber breach.
Burnout and stress
The emotional toll of incident response extends well beyond the immediate crisis. Post-incident trauma can manifest months and years later, affecting both professional performance and personal well-being. Interviewees of Northwave’s study described sleeping problems that continued for months post-incident, emotions that recurred whenever the incident was raised, and mental exhaustion for teams of workers that persisted for months.
Notably, one company that declined to have its employees interviewed said in its response: “The ransomware has indeed had quite a mental impact on the organisation and employees. We have now lost quite a few employees (probably because of this). We would rather not bring it up again. Both for ourselves and for the employees, this is not wise.”
Fear of recurrence
Staff who've experienced a significant incident often develop ongoing anxiety about future attacks. This can be particularly acute for those who feel personally responsible for security measures or customer data. For larger organisations especially, it is challenging to rapidly address the many weaknesses that are surfaced during an incident response and the forensic investigation that accompanies it.
Lack of support
During incidents, organisations often focus on external stakeholders at the expense of internal communication and support. This can leave staff feeling undervalued and isolated, particularly during extended response periods. Direct responders in roles that have limited internal capability (e.g. a sole privacy manager) can feel that there is no backfill for them and that their view wasn’t heard or respected.
Career opportunities
The market for cyber security professionals means staff with real-life incident experience are particularly valuable. Wily employers will seek out staff that they believe would bring valuable experience at a time when those staff may be questioning their loyalty to their employers.
Next week, we’ll conclude this article with strategies to limit attrition caused by incidents.