Now more than ever, everyone knows that ransomware is bad. But beyond the growing numbers of people impacted, and headlines about financial cost, the fallout from ransomware attacks has far broader implications across the workforce and society.
That’s the thesis of a new paper from the Royal United Services Institute, a UK defence think tank.
The paper – The Scourge of Ransomware: Victim Insights on Harms to Individuals, Organisations and Society – draws on interviews with the victims themselves to map the impact of ransomware attacks, sorting the harms into three orders that cover the entire gamut from financial loss to physical breakdown.
“There is a real human impact to ransomware attacks that is yet to be fully grasped and measured,” the paper says.
RUSI’s aim is to create a framework that allows policy- and law-makers to better understand ransomware attacks, and be better able to share information about them.
This first category of harm looks at direct impact, both on the larger organisation and on individuals. What RUSI found was that small traders did not distinguish between damage to themselves and damage to their business – to them, the two are simply the same. In larger entities, however, RUSI found that the impact on the business and the impact on the individual diverged more.
The impact upon businesses can be broken down into four categories: physical or digital harm, where backups and data are encrypted or systems like CCTV cameras fail; reputational harm, where a company’s brand is damaged and it’s dragged through the headlines; financial loss or harm, where business and income are interrupted or intellectual property is compromised; additional financial loss, which covers such things as hiring third-party experts or higher insurance premiums and litigation.
But one item in the additional financial cost to companies speaks volumes to the impact on individuals: “Cost of additional counselling for staff”.
The mental toll is a roll call of conditions, ranging from simple stress to burnout, guilt, shame and, at worst, suicidal ideation. Family life can be disrupted, and isolation can set in. This comes with a raft of physical impacts, too. Sleep deprivation is common, as is weight loss, and even a stroke is a possibility.
“One interviewee said ‘there was a terror about what might happen next’,” the paper says. “On a related note, worry was a typical harm experienced by victims, for example, worry about reputational risk, but also, while responding to an attack, worry about whether they were taking the right actions. An external counsel noted that ‘it’s a harm in itself of distress and worry of making the wrong decision’.”
Individuals are also prone to financial and reputational harm, as a company in trouble might shed jobs while therapy for work-related PTSD isn’t exactly free for a lot of people. And being perceived as “responsible” for a ransomware attack can be damning for a security professional.
Finally, there’s the strain on social cohesion, both with co-workers and the family.
At this level, the impact of a ransomware attack swings wildly between businesses and individuals. Whereas first-order harms are those that businesses and employees experience directly, these issues are more “downstream”.
In the case of an organisation, other entities in the supply chain can be impacted, and quite severely. All we need to look at is some of last year’s supply chain attacks, which saw hundreds of companies compromised by somebody else’s vulnerability. So these impacts are much the same as the first-order ones.
For individuals, however, the nature of the harms again diverges. Physical harm might be caused by a disruption in patient care or even an impact on housing conditions “due to government backlogs”. Financial harm comes in the form of benefit payments not being made, or of individuals being specifically targeted for extortion in the wake of a ransomware attack.
And, again, there are psychological impacts, which may not be quite so severe in the second order of things but can still lead to serious mental health issues and even a lack of access to mental health services.
The one thing that many people worry about – fraud and identity theft on an individual level – is not nearly as widespread as many think, however.
“Although the concrete risk of fraud and identity theft related to data stolen by ransomware threat actors appears to be low, this is not the dominant public perception,” the report says. “As one incident response practitioner suggested, ‘you can’t necessarily reassure [people] who, through no fault of their own, have had all of their details compromised’.”
Finally, RUSI defines third-order harms as those that impact a whole society or state.
Loss of general productivity and supply chain disruptions are, for instance, third-order economic harms, while public safety concerns and loss of trust in essential services and governments are national security issues.
But that loss of trust also has an impact on society itself.
“While it is often challenging to directly link specific developments to a ransomware attack or to put a number on the financial cost of third-order societal harm caused by such attacks,” RUSI concludes, “the interview data has illustrated repeatedly that the harm caused by ransomware attacks has implications for wider society and national security, be it due to the interplay of cyber-criminals and state actors, or to the cumulative effects of ransomware harms on individuals, organisations, the economy and society at large.”
Problems to solve
Looking ahead, RUSI sees several problems that need to be addressed.
The first is that the long-term effects of ransomware are still really not understood. Reporting of attacks is still piecemeal, and there are many outcomes, such as increased staff turnover, that are yet to be measured.
RUSI also feels that the reputational harm of such attacks is somewhat overestimated by its victims. The worst harm in this case often comes from poorly handling and reporting a ransomware incident – customers and clients respect honesty. There’s also not a lot of evidence that data, once exfiltrated and published online, is being widely exploited by criminals, at least in the UK – recent credential stuffing attacks closer to home notwithstanding.
On the other hand, the psychological impact of ransomware is largely “overlooked”, both within organisations and by the wider public.
“To reduce the harm caused by ransomware attacks, addressing the psychological impact on staff (and other individuals) needs to be at the centre of responses to a ransomware incident,” RUSI says. “This would involve not only raising awareness of potential psychological harm, but also ensuring that crisis management best practices focus on mitigating psychological harm.”
The paper also suggests that governments need to start thinking of the bigger social harms caused by ransomware attacks, rather than on the purely economic impacts.
RUSI did make one more alarming observation, and that is the fact that vulnerable groups are disproportionately affected by second- and third-order harms.
“Ransomware attacks start by harming technology and organisations, but ultimately lead to harm to individuals,” RUSI says.
“However, the effects on individuals are not felt equally. As noted above, within organisations, certain members of staff will likely experience more harm than others. Similarly, the external, downstream effects of ransomware may affect certain groups disproportionately. This is underlined by the impact that attacks on schools, hospitals, law firms that hold sensitive data, and local government services, have on vulnerable groups such as schoolchildren, healthcare patients and residents who rely on benefits or social care.”
You can – and should – read the full report here.