Employers are aware that cybersecurity incidents pose a substantial threat to businesses, but the impact on team members within the company is not always as obvious. These attacks can be far-reaching, causing disruptions that affect the organisation’s operations and the well-being of its employees. Here is an at-a-glance view of the difference between an empathy-led cybersecurity delivery strategy and a more one-way driven strategy.
Empathy in cybersecurity is increasingly recognised as an important factor for effective security strategies and positive employee outcomes. Empathy is not an optional soft skill of secondary importance. It directly influences how organisations communicate about risks to their customers as well as employees.
| Aspect | With Empathy | Without Empathy |
|---|---|---|
| Security Training | Engaging, relevant, supportive | Fear-based, alienating |
| Policy Compliance | Higher, as employees feel heard and valued | Lower, seen as burdensome or punitive |
| Incident Response | Faster, with open communication and trust | Slower, as mistakes may be hidden |
| Team Collaboration | Improved across departments | Siloed, with misunderstandings |
| Employee Wellbeing | Supported, with reduced stress and better retention | Increased burnout and turnover |
| Organisational Culture | Inclusive, innovative, resilient | Rigid, compliance-driven, less adaptive |
Cybersecurity breaches can lead to substantial financial losses, and businesses are often mindful of the impact of operational downtime. For instance, research cited by IBM noted that the average data breach cost reached $4.88 million in 2024. These costs include ransomware payments, emergency IT services, legal fees, and system recovery expenses. There is also the reputational damage to consider.
Beyond the organisational level, cybersecurity incidents also profoundly impact employees. In fact, over a third of cyberattacks result in job losses (Databarracks, 2024). As a result, psychological distress can extend beyond the workplace, affecting employees’ private and family lives.
The stress and pressure of dealing with these attacks can lead to significant psychological challenges. As one study by the Royal United Services Institute puts it, ransomware can ruin lives for employees, with incidents reported to “have caused individuals to lose their jobs, evoked feelings of shame and self-blame, extended to private and family life, and contributed to serious health issues”. The study noted that nearly two-thirds of cybersecurity incident responders seek mental health assistance due to the demanding nature of their role. It also revealed that one in seven security staff experiences trauma symptoms months after an attack, with one in five considering a job change as a result. The emotional toll includes stress, fear of failure, isolation, and burnout, which can affect job performance and personal well-being.
If your people aren’t all right, the response will be wrong. In my own experience, I have seen the fallout of cybersecurity incidents that have impacted organisations. I often find that members of the IT team leave the company over a period of months, possibly due to the culture of blame that occurred after cybersecurity breaches. The business leaders blame the cybersecurity issues on a move to the cloud, for example, without considering that they had not put everything in place properly.
Cybersecurity breaches become political within the organisation. For example, they can reinforce the dissenters and ‘laggards’ who had warned against a move to the cloud, thereby holding the organisation back from potential innovation and progress. As a result, the visionaries and early adopters lose the opportunities to move into different areas of technology to support the business. In the IT department’s view, the cybersecurity incident can provide ‘proof’ that the ‘old’ way of working was better than the business-led innovations.
Fundamentally, organisations find it easier to blame cybersecurity breaches on technology choice. Breaches can provide ammunition for the disconnect between the business and technology teams. However, the reality is that technology adoption throughout organisations can be poor because it is not supported by proper processes throughout the business.
Additionally, there can be issues of overall ownership, which means that no ‘lessons learned’ review takes place. Organisations will continue to struggle with the original issues that led to technology changes in the first place, and cybersecurity is a part of that process.
Ultimately, in my experience, IT team members frequently leave the organisation after an incident. Often, it is not their fault; their systems did not have properly implemented technology or proper support in place. But people find it easier to blame technology than their working methods.
To mitigate these impacts, organisations can leverage technology to enhance cyber resilience. Businesses can significantly reduce downtime and maintain continuity by investing in solutions that instantly rebuild cloud applications and infrastructure. This capability effectively minimises the disruption caused by cyber incidents, ensuring that operations can quickly return to normal.
The solution helps the organisation – but it also helps the people. If the entire IT team leaves due to a cybersecurity failure, it is undoubtedly a remarkable failure for an organisation. We need to look after one another as well.
For example, solutions like Commvault allow the organisation to rewind and rebuild its business systems instantly after a cyberattack. Rather than facing lengthy recovery processes, the business is quickly running again. This approach protects the company from financial and reputational harm, to name a few benefits. Another unspoken benefit is that it shields employees from the stress and pressure of prolonged and tense recovery efforts.
Empathy is important for understanding how threat actors work. However, research by the ICO shows that it is equally vital to understand the everyday user—the employee. Many breaches occur due to human error, not technical flaws. So, we can help to look after team members before the breach occurs, and help to rebuild and repair a culture of trust after there has been an issue.
Organisations can also reduce the psychological strain on employees by mitigating the impact on business operations. The business and its people need to be protected against the life-changing effects of cybersecurity incidents, which requires a holistic approach to cyber resilience.
Employees are far more likely to engage with security protocols and training when they feel understood and not judged. Empathy-driven communication reframes security as a supportive measure rather than a punitive one. The goal is to reduce resistance and encourage a sense of shared responsibility for a safer organisation.
Traditional fear-based or one-way security messaging can alienate employees, causing them to disengage or hide mistakes. Empathy maps and frameworks such as Think, Feel, Say, Do help security teams tailor messages to address real concerns, which helps to make security relatable and relevant to team members. These strategies can address issues such as fear of failing phishing tests or frustration with complex password policies.
In conclusion, embracing cyber resilience is not optional for modern businesses. It’s more than protecting digital assets; it’s about safeguarding the people who drive those businesses forward. By adopting technologies that enable rapid recovery and rebuilding, organisations can ensure continuity, reduce stress on employees, and maintain a strong, resilient workforce. The choice is clear: investing in cyber resilience is essential for a secure and sustainable future for both businesses and their people.