HR leaders today are aware of the pressing need to protect their organizations against cyberattacks and breaches. They largely recognize the legal, financial, reputational and compliance risks—but may overlook the less acknowledged, intangible threats, such as the negative emotions employees may experience after a cybersecurity incident.
Cyberattacks have a profound emotional impact on employees, generating feelings of distress, anger, guilt, fear and frustration. According to recent research, one in seven employees whose organizations have been hit by a cyberattack may experience sleeplessness and anxiety—for months or even years after the incident.
In the long run, this emotional toll can have far-reaching consequences for organizations—even more so than financial losses—because employee wellbeing shares a direct connection to productivity, profitability, job satisfaction and retention.
3 proactive HR efforts to reduce emotional impact
Cyberattacks are no longer a question of if but when. It is important that HR collaborates with employees to boost their emotional readiness and strengthen their coping aptitude. Here are some steps that can help:
1. Train employees regularly
Threat actors frequently exploit human vulnerabilities such as greed, impatience and curiosity to break into organizations. Through regular security training and phishing simulation exercises, HR teams can strengthen behavioral responses and reduce susceptibility to cyberattacks that take advantage of employee emotions.
2. Allow employees to make mistakes without penalty
Human error is inevitable and is a leading cause of breaches. Obviously, organizations mustn’t ignore it, but it also doesn’t mean they should punish employees for being faulty (especially during training sessions). When employees are penalized, they may feel humiliated and demoralized, and it can invoke vengeance and retaliation.
HR teams must instead promote a culture where employees are allowed to fail if lessons are learned. Such actions display empathy and help build trust, commitment and accountability among employees toward security.
3. Prepare and practice an incident response plan
It’s natural for employees to feel a roller coaster of emotions and lose their ability to think clearly when a security incident occurs. A well-rehearsed incident response plan (IRP) can remove the guesswork in favor of assigning job duties. As a result, employees feel more certain of what to do and how to respond. This translates to faster response times during mitigation and better decision-making when a crisis hits.
4. Foster a culture of openness
HR teams should create an atmosphere where it’s OK for employees to ask questions, seek guidance or express opinions. When employees see that the organization is transparent, honest and empathetic towards them, they will feel more valued and trusted. When employees feel more trusted, they are more likely to exert extra effort in keeping the organization secure.
HR’s work post-cyberattack
In the wake of a cyberattack, it’s incumbent upon HR to manage employee emotions with great care and sensitivity. Let’s explore some recommendations that HR teams can adopt to get a handle on employee wellbeing during or after a cyberattack:
1. Communicate transparently and regularly
When an attack happens, emotions run high. It is the duty of HR to deliver accurate and up-to-date information (via email, live Q&A, etc.) to mitigate stress and a panicked response. If feasible, designate a member of the HR team to serve as the main contact point for all HR-related concerns and queries. Now would also be a good time to implement an HR-related incident response plan.
2. Extend support and resources
HR must offer employees access to various resources to help better manage their wellbeing. These can include counselors, employee assistance programs (EAPs), stress-management workshops, online webinars and peer support groups.
3. Provide recovery support
After a cyberattack, HR teams can encourage employees to enroll in wellbeing initiatives (preferably sponsored by the employer) and allow them some time off to recover. They can provide tips on how employees can cope with stress and pressure, encourage employees to take breaks and acknowledge them for demonstrating teamwork during and after the cyberattack.
As “custodians” of people, HR must recognize that cyberattacks may cause upset to the health and wellbeing of their people. Following the above best practices during the pre- and post-phases of a cyberattack, HR teams can not only prioritize employees but also greatly enhance the organization’s ability to react, respond and recover from such incidents.