The Physical Ramifications of Cyber Response
Human beings need to sleep. Adults, specifically, need seven to nine hours of sleep to feel recharged and to prevent serious health problems.
When people don’t get enough sleep, there are ramifications. They are less alert, their memory doesn’t function as well, their relationships might feel stressed, and they’re also much more likely to be in a vehicle crash.
“In otherwise healthy adults, short-term consequences of sleep disruption include increased stress responsivity; somatic pain; reduced quality of life; emotional distress and mood disorders; and cognitive, memory, and performance deficits,” according to research published by the National Library of Medicine. The long-term consequences are even more significant, including hypertension, cardiovascular disease, and metabolic syndrome.
Yet, when a security incident occurs, many incident responders feel the need to work extreme hours to help their organization mitigate the damage and move forward in the recovery process.
“I’ve seen horrendous instances of people not sleeping for three days,” says Laurance Dine, global lead of incident response for IBM Security X-Force. “It’s very simple to say that after the first 24 hours without sleep, you’re useless. You’re not helping anybody.”
To understand the pressure that incident responders are under and to provide resources to managers to better equip and support their teams, Morning Consult conducted a study on behalf of IBM Security that was published Monday, 3 October 2022. While the study highlighted the physical and mental toll that incident response has on practitioners, it also revealed that many feel supported by their organizations and are continuously attracted to their work because of a sense of duty to help protect others.
The survey of more than 1,100 cybersecurity incident responders across 10 markets found that most practitioners feel a sense of duty to help and protect others, and that the continuous ability to learn and engage in problem solving keeps them engaged.
But these factors—combined with an increasing sense of responsibility to protect their organizations and manage stakeholder expectations—mean incident responders have increasingly demanding jobs that affect their personal lives.
Sixty-seven percent reported experiencing stress or anxiety in their daily lives, while others said they experienced insomnia (30 percent), burnout (30 percent), and impacts on their social life and relationships (29 percent). Some incident responders also reported physical reactions to their work such as weight gain or loss (18 percent) and panic attacks (17 percent).
These effects may be especially prominent immediately after an incident occurs, when more than one-third of respondents said they would work 12-hour days, according to the report.
“The first three to five days are the most stressful period of any incident,” Dine explains. “There are a lot of reasons behind that. But it’s also because we’re running into the fire…we’re running towards the issue and taking it head on. There’s lots of stress involved in that.”
And while those first days will fly by, odds are the incident will continue to require personnel to respond to it.
“The average incident response engagement is two to four weeks, according to 48 percent of respondents,” the report found. “And nearly 30 percent say an incident response engagement lasts more than four weeks on average. The overwhelming majority states it’s common to be assigned to respond to two or more incidents that overlap.”
The rise of ransomware attacks has also taken a toll on incident responders, with 81 percent of those surveyed saying the attack method has “exacerbated the stress/psychological demands required during a cybersecurity incident response,” the report explained.
One reason that the mental toll may be worse during a ransomware incident is that individuals may feel responsible for the infection, Dine says. Additionally, incident responders may be concerned about the impact to the organization—or society at large—if they are unable to get the business back up and running quickly, or about making mistakes that could exacerbate the situation.
With ransomware, “there’s a huge, immediate impact on the business,” Dine adds. In manufacturing, for instance, “they can’t produce anything, so not only are they losing money because they’re not able to meet demand,” he says.
Additionally, Dine says that even incident responders brought on as consultants to handle an issue may feel under “immense pressure” to get the client the right information to take the appropriate actions to get them back up and running.
“Over 40 percent of cybersecurity incident responders say they have experienced extreme or considerable mental strain as a result of responding to a major cybersecurity incident, with those in Brazil (65 percent), India (77 percent), and Spain (57 percent) more likely to express this sentiment,” according to the report.
When asked what the most stressful aspects of responding to a cybersecurity incident were, managing expectations from multiple stakeholders (50 percent), a sense of responsibility toward the team or client (48 percent), pushback on recommended response (45 percent), and the fear of missing something or getting something wrong (45 percent) topped the list.
While these stressors and their effects are significant, 95 percent of those surveyed said that their senior leadership provides the necessary support structure for them to be successful. Additionally, 64 percent of responders said they had sought mental health assistance as a result of responding to an incident, and 84 percent of incident responders said they had adequate access to mental health support resources.
These last two findings stood out to Dine—in a good way, he says, adding it’s positive to see that incident responders feel they have support from leadership and for their mental wellbeing.
The report itself made two major recommendations for organizations to help incident responders be more successful.
The first recommendation is to create detailed incident response plans and playbooks, which will enable the business to account—in advance—for resources necessary to respond to a security incident. The second recommendation is to rehearse and test the incident response plan under pressure, so organizations and security teams can experience what it’s like to respond while under stress.
Beyond those suggestions, Dine says it’s especially important for managers to establish a work–life balance as part of the incident response. Managers need to have a plan in place to allow people to take breaks, get adequate rest, and have other team members fill in—which will allow the whole team to perform better.
“I’ve seen people refuse to leave because they feel they need to be there to answer a question,” Dine explains. “That’s a failure of the business if you’re the only person who knows how to do something.”
It’s also important for leaders within the organization to talk about mental health and measures available to support employees.
“Myself, personally running the global team, I mention mental health on my calls and encourage people to talk to someone, as well as putting a work–life balance approach in place while responding to an incident,” Dine adds.
“I’m a keen runner—I do that for stress relief. And I always talk to people about the parallels between running and an incident,” Dine continues. “The first three or five days is like a sprint, then you get into the marathon. I do marathons and ultra-marathons. You have to pace yourself. There is a long tail on these things.”