User fear has an accelerating effect on any cyber attack. Contingency plans must include not only a technical response, but also a communication response.

Monitoring systems and analyzing vulnerabilities are what makes it possible to detect and prevent threats, but sometimes we forget to take into consideration the effect of these threats on user behavior, both before and after an attack

In one of the Cuatroochenta’s podcast editions – Beware of hidden macros – Román Ramírez, cybersecurity consultant and founder of one of the most important cybersecurity events in Europe, RootedCON, mentioned the psychological aspect of cyberattacks, beyond the importance of technology in their development.

Fear as a weapon

“We all respond with a cognitive bias, and by taking advantage of this bias, people can be manipulated […] attackers know how to handle these biases”. Cyber attackers know when a phishing attack can be more effective and with which messages, they know which emails are more “trustworthy” and which are less” – Román Ramírez, cybersecurity advisor and founder of RootedCON

Maybe that’s why they seek to cause as much damage as possible to the companies through the psyche and user behavior, and get a quick and urgent response to their requests involving the ransom payment.

As an example, the lastest attack on the National Bank of Pakistan (NBP) on Nov. 2, 2009, in which a large part of the systems and the ATM infrastructure were rendered inoperative, the attack was contained in just a day and a half. During the weekend, the bank was able to reopen and start up the mobile applications, but panic had already spread among users, causing a chain reaction.

Although press releases were sent out informing about the attack’s end and the return to normality, the following Monday the chaos was clear with images of users crowded in ATMs trying to withdraw their deposits.

The concern of users and several fake news shared on social networks and local media, in which there was talk of more banks affected and lost funds, caused a rapid increase in the situation. To calm the atmosphere and prevent financial chaos, the Pakistan government had to issue an urgent announcement to prevent the flight of deposits from the country’s banks.

Communication and behavior are essential

In any cyber-attack, fear plays an accelerating role. In those cases where there is no predefined and worked plan and the response is improvised, the human component can lead to worsen the situation.

No matter if it is for users and customers or in response to the cyberattackers, communication control is crucial. And it is here that we are faced with a curious contradiction: we should not provide any additional data to the attackers that would allow them to estimate how their attack has affected us, but at the same time we must communicate to users and customers how the company is doing and the evolution of the return to normality, if we don’t want panic to aggravate the situation and also if we don’t want to break the law (it is mandatory in some countries). 

This is the case of a company that recently told its story on Xataka’s website, in which they wrongly decided to negotiate with the attackers to prevent the losing of the data. In this case, all the systems had been encrypted, but the information had not reached the attackers: they didn’t know the size and revenue of the company, or the level of damage inflicted, which allowed the company to avoid further damage. The fear of losing everything caused the company to pay the ransom, although this doesn’t ensure that the data will be unlocked and without what are known as “backdoors” or that the company will be targeted again in future campaigns.

In most threats to large enterprises, the preparation of the attack can take months. This is the case of Seguros Mapfre, which in the Cuatroochenta’s podcast explains its security director, Guillermo Llorente, in August 2020 suffered an attack that had already been planned a year earlier, when the authors of the attack bought the domains that were used to execute it.

In any case, the impact of cybersecurity attacks is growing every year; by 2025 the worldwide cost of cyberattacks will reach $10.5 trillion. Every company should contemplate the situation that its cybersecurity is going to be vulnerable at some point, considering the high probability of this happening according to statistics, and in this way avoid improvisation when this happens, preparing a response plan both at a technical level and in the communication of the attack (mandatory in Spain).