One careless click and suddenly the entire company is paralyzed. Not only does this mean high downtime costs; such a crisis also has an enormous impact on the mental health of employees, especially those responsible for security. How can you protect your own company from such an event? Resilience is the answer!
But what does (organizational) resilience mean and how can it be made possible?
Resilience is the ability of a person or an organization to recover quickly from difficulties and to adapt to change. Resilient organizations can therefore provide solutions even in crisis situations and continue to exist; resilient people make the best of the situation, however difficult it may be.
For a company, resilience can be made possible through good emergency and crisis management, which in turn is based on risk analyses and solid risk management. In the event of an attack, a concrete plan of action, controlled and tested procedures and processes and a suitable crisis team are needed to minimize business interruptions and thus the damage. An effective business continuity management system (BCMS) helps to avoid production downtime, for example, so that the company does not stand still.
The company should therefore integrate preventive and reactive measures. Vulnerabilities identified in the risk analysis can be eliminated before they become a problem. Concrete action plans for the emergency itself clarify responsibilities and prevent panic among employees.
Why is it so important to have a regulated procedure in the event of a crisis?
A cyberattack not only results in financial losses but can also have an enormous impact on the psyche of employees, and especially of those responsible for security (see Schwarz Cyber Security Report 2024). CISOs in particular are under great pressure to perform and bear a great deal of responsibility, as their actions can have an enormous impact on organizations and people – especially in the area of critical infrastructures. At the same time, this relatively new professional group often encounters little understanding on the part of management, and unclear responsibilities and access regulations frequently make their work more difficult. Complicated communication channels, an unclear flow of information and an unclear distribution of responsibilities also hamper the work of IT security personnel, both in normal and in crisis situations.
However, these processes can be critically questioned and optimized, redesigned and tested in order to improve communication between departments and responsibilities in the run-up to a crisis. An appreciative corporate culture is also an important cornerstone – both for employee satisfaction and to enable a good security culture. If there is a positive error culture, i.e. if employees can make their mistakes transparent without having to fear sanctions, this promotes the motivation of employees to continue to develop – because, as we all know, you learn from your mistakes! In the event of a cyberattack, it is extremely important that employees who have fallen for a phishing email admit this and inform the IT security department.
To promote mental health in the workplace before, during and after a crisis, psychological first aiders and counsellors, for example, can support employees and managers, particularly with personal or organizational problems.
A positive working atmosphere as the foundation for resilience
In order to establish a positive working atmosphere and thus a good security culture, it is worth taking a look at employee motivation: One of the best-known models is Maslow’s hierarchy of needs (Maslow 1943), which shows that only when physiological needs (sleep, food) and the basic need for safety (health, security) and social recognition (belonging, esteem) have been satisfied can further individual needs and the need for self-actualization be pursued. In order to motivate employees, all basic needs must first be clarified and fulfilled and, in addition, an appropriate framework for self-fulfilment must be provided.
According to Herzberg’s Two-Factor Theory of Motivation, a distinction is also made between motivators and hygiene factors: While hygiene factors create a working environment that prevents dissatisfaction (such as salary increases, flexibility and interpersonal relationships), motivators can actually increase satisfaction and therefore also motivate (Herzberg et al. 1959). These intrinsic factors, such as recognition of work, opportunities for growth and development and co-determination, relate to the work itself and not to the working environment.
The four-stage model of psychological safety according to Clark (2020) also refers to this: Clark distinguishes between four phases, which he describes as inclusion, learner, contributor and challenger safety. These four stages range between respect and permission (in the sense of responsibility) – this is where either exclusion and therefore demotivation or innovation and therefore motivation takes place. The insight from this is that employees not only feel emotionally stable and secure in the company when they are granted respect and authority. Rather, the expansion of employees’ scope for action also leads to a higher sense of self-esteem and thus to greater employee motivation (Rosen 2016).
The resulting trusting and cooperative collaboration enables better handling of changes in behavior (e.g. in terms of a security culture) and increases the resilience of individual employees – and thus organizational resilience as a whole. This is because in the event of a crisis, individuals are caught up in a network of trust, cooperation and respectful interaction. When nerves are frayed after the first few weeks of a cyberattack, this support should not be underestimated. In addition, mental health first aiders and health managers can help those affected to find a balance and remind them to take time out and recover. After all, even if a state of emergency has been successfully overcome, it can have long-term consequences.
Why is cooperation, trust and stability important for risk management and therefore for resilience in the company?
In order to be able to disclose and assess risks, communication and trust are needed first. In a second step, cooperation and stability are required to eliminate these risks. This also makes the structures sustainable, as everyone knows what to do and who to contact in an emergency. In this way, a cyberattack can also have a positive impact because it provides insights into company processes and highlights the need for their further development.
Finally, these changes can also have positive psychological consequences for employees in the medium and long term: This is because successfully overcoming a crisis situation through good preparation, establishing transparent communication and internal mutual support can increase a sense of self-worth and togetherness, as people feel reassured that they can also overcome difficult situations together (Northwave 2022).
It can therefore be seen that organizational resilience can be strengthened through suitable strategies for coping with crises – and that companies are therefore better prepared for cyberattacks and crisis situations in the long term.
Sources:
Clark, T. R. (2020). The 4 Stages of Psychological Safety: Defining the Path to Inclusion and Innovation. Oakland: Berrett-Koehler.
Herzberg, F. I., Mausner, B., & Snyderman, B. (1959). The Motivation to Work (2nd ed.). New York: John Wiley.
Maslow, A. (1943). A Theory of Human Motivation. New York.
Northwave (2022). After the Crisis Comes the Blow: The Mental Impact of Ransomware Attacks.
Rosen, P. H. (2016). Psychische Gesundheit in der Arbeitswelt – Handlungs- und Entscheidungsspielraum, Aufgabenvariabilität. Bundesanstalt für Arbeitsschutz und Arbeitsmedizin.
Schwarz Digital GmbH & Co. KG (2024). Cyber Security Report 2024. https://cyberconference.schwarz/