‘The most stressful four hours of my career:’ How it feels to be the victim of a hacking attack
Much of the analysis of cybercrime tends to focus on the financial costs or the technical aspects involved. That means the psychological impact of falling victim to hacking, ransomware or other cyberattacks tends to be ignored.
There’s a widespread perception that cybercrimes don’t have as bad an impact as some physical crimes, said Professor Mark Button, director of the Centre for Counter Fraud Studies at the University of Portsmouth. But his research has found that computer misuse crime can have a similar impact to crimes like burglary, and in some cases worse.
Button’s team interviewed 52 victims of computer misuse for a report commissioned by the Home Office to assess the impact of computer crime, including anything from hacking, intentional virus infections to denial-of-service attacks and ransomware. Computer crime accounts for around 10% of all reported crime.
SEE: How to become a cybersecurity pro: A cheat sheet (TechRepublic)
Some victims feel violated like it’s a physical attack, said Button. Many victims reported psychological impacts such as anger, anxiety, fear, isolation and embarrassment.
“It is stressful, it is frightening in lots of ways. And it’s very distressing that something you could work on for two years, can just, in a heartbeat, disappear,” said one victim, a small business employee, who was interviewed for the report.
Of the 52 cases, only four led to a criminal conviction. In the majority of cases there was no interest from the police — only 13 received some form of police response such as a telephone call, a visit or other communication.
The survey victims experienced financial losses ranging from £2 to £10,000. In one case, an SME incurred over £80,000 in costs dealing with the consequences of the incident. Another lost £40,000 and 70% of its customers as a result of a hacking attack.
But the impact was not simply to do with the financial impact of an attack.
“In some cases they didn’t lose any money at all, but the impact was quite devastating,” Button said. For example, one small business owner whose PCs were frozen by by ransomware decided to go back to using paperwork because he felt very uneasy afterwards.
“That was probably the most stressful four hours of my career. And I came in, in the morning, fully expecting to get sacked because at the end of the day it’s my web server, it’s my responsibility to ensure that this, you know, doesn’t happen,” said another victim of hacking at a small organisation.
One small business responded angrily to an attempted ransomware attack: “The other impact of course is a feeling of anger, I suppose, that someone would put you through such inconvenience in an attempt to extort money from you”.
Some victims struggled to get the police to take on their case, even when there was clear evidence of a crime. The research found that SME ransomware victims were most likely to receive a visit, but in most cases there was little the police could do.
In many cases, there aren’t enough police officers trained to deal with cybercrime — and even then, these crimes are difficult to investigate and unlikely to be cleared up because the criminals will probably be abroad and out of reach.
“It’s both an attitude and a resource issue, and this type of crime is only going to get bigger, so it really does need to be addressed,” Button said.
A lot of victims also require technical support but don’t know where to get it, Button added.
Among the report’s recommendations is that Action Fraud should be renamed the ‘National Fraud and Cyber Crime Reporting Centre’ to make its role clearer. The report said that all police officers dealing with victims should be better trained in what constitutes computer misuse crime, and that Action Fraud and the police should do more to ensure that victims receive timely information on what has occurred in relation to their case. Police should also dedicate greater resources towards tackling computer crime, the report said.