In April of 2025 Co-op was hit by a devastating cyber attack. Thanks to quick reactions from the IT team, who acted decisively to take the entire company's IT systems offline, Co-op avoided a punishing ransomware attack. Nevertheless, customer data was compromised. The criminals stole personal information of all 6.5M Co-op customers.
In an interview with the BBC, Co-op CEO Shirine Khoury-Haq apologised for the data loss. During the interview, she had a chilling recollection of the early hours of the attack. She said:
"Early on I met with our IT staff and they were in the midst of it. I will never forget the looks on their faces, trying to fight off these criminals."
When we think about cyber attacks, we often frame the conversation in terms of business impact: financial loss, reputational damage, disruption. Rarely do we frame cyber threats in terms of the emotional impact, but this line shows that cyber attacks like ransomware are not victimless crimes. They have a profound impact on the people affected by them.
In this article, we discuss the emotional and mental impact of one of the most devastating forms of cybercrime: ransomware. We'll discuss how it impacts businesses and the people who work there, and why it truly does pay to invest in cyber defences.
Ransomware is a form of malware designed to encrypt files or lock users out of systems until a ransom is paid—usually in cryptocurrency. The entry points vary: phishing emails, remote desktop protocol (RDP) vulnerabilities, compromised credentials, or infected third-party software. Once in, attackers move fast, encrypting and even stealing data, disabling backups, and dropping ransom notes. Often, they’ll also threaten public exposure of sensitive data.
What’s different today is the target profile: medium-sized firms—especially those with £20-50M in revenue—are now prime targets. Why?
They have enough cash to make payment worthwhile
They invest comparatively less in cyber than large/enterprise businesses
They frequently rely on lean internal IT teams
They sit within high-trust supply chains (manufacturing, legal, healthcare, logistics)
Yet while many firms prepare technically—installing endpoint protection, securing backups, or outsourcing to MSPs—they remain unprepared for the emotional and psychological crisis that follows an attack.
In a ransomware attack, time is the enemy. Decisions must be made in minutes, often without full visibility:
Do we pay the ransom?
What data has been leaked?
Are customers or regulators already aware?
How do we notify staff, the board, and the media?
Will this destroy trust in our brand?
For C-suite leaders, especially CEOs, CIOs, and COOs, this pressure is profound. There’s reputational risk, legal liability (especially under GDPR), and the career-defining weight of leadership in crisis. One wrong move—delay, disclosure, negotiation—can snowball.
This can lead to analysis paralysis. Without clear plans or rehearsed scenarios, executives often freeze or default to reactive posturing. Without strong leadership and a clear plan, delayed action can rapidly and exponentially magnify the impact.
The emotional strain can’t be overstated. Anxiety, self-doubt, burnout, and post-incident fallout—this is the human cost of ransomware that few prepare for.
Ransomware is emotionally brutal on IT and cybersecurity teams. In many midmarket organisations, these teams are small, under-resourced, and stretched thin even during normal operations.
Once ransomware hits, they’re suddenly:
Working 18+ hour days
Dealing with executives, legal counsel, and insurers
Handling external forensic investigators
Wrestling with guilt over perceived “failures”
The culture of blame can quickly take hold—especially if no pre-incident tabletop exercises have prepared the business. Key staff may burn out, resign, or suffer lasting mental health impacts.
In most ransomware events, internal communications collapse. Staff can't access email, files, payroll systems, or even HR contact details. They’re left confused, frustrated, and in the dark. The longer the outage, the more severe the fallout.
Common reactions include:
Fear: “Is my personal data safe?”
Anger: “Why weren’t we better protected?”
Distrust: “Are leaders telling us the full truth?”
Anxiety: “Will this affect my job or our clients?”
Worse still, vague or overly legalistic communications can heighten panic. For midmarket businesses—where close-knit cultures are the norm—this emotional breach can damage morale, productivity, and trust well after systems are restored.
Externally, ransomware is a brand destroyer. A single attack can lead to:
Lost contracts
Breach of trust with partners
Media scrutiny
Regulatory investigation
Long-term customer churn
The emotional resonance of being seen as “unsafe” or “untrustworthy” is hard to reverse—especially if sensitive data (client details, IP, payroll) ends up on the dark web.
A recent, highly publicised article highlighted the story of a 160-year-old haulage firm that was put out of business when a ransomware attack encrypted critical financial data, halting operations. As a result of the attack, all 730 employees lost their jobs overnight.
Speaking about the attack, Paul Abbott, a member of the board at the haulage firm, said:
"We felt we were in a very good place in terms of our security, our protocols, the measures we'd gone to to protect the business"
Mr Abbott had a stark warning for other bosses to check their IT systems: "There are hundreds of businesses being compromised. The issue is the reputational damage. Whatever you think you've done, seriously get it checked by experts. People don't think it's going to happen to them."
The standard recovery playbook—restore backups, secure entry points, engage insurers—is only half the equation. True resilience requires cultural investment.
This includes:
Crisis rehearsals with execs and IT leads
Clear ransomware communication protocols for employees, clients, and press
Psychological safety: Make it okay to report issues early, without blame
Post-incident support: Debriefs, counselling, and HR-led recovery sessions
Many companies are still far too exposed to cyber threats. Most still mistakenly believe that installing Endpoint Detection and Response (EDR) on their computers will be enough to protect them.
The truth is, effective cyber defences require a holistic approach. A great starting point is the Cyber Essentials accreditation, which really should be the baseline for all businesses trading in the UK.
A typical holistic cyber approach for mid-sized companies taking cyber seriously includes:
As a business leader in a midmarket company, you should consider cyber risk not just in terms of operational impact, but also in terms of the emotional or mental impact on your employees and on you.
As individuals, we all want to take measures to protect our own personal security: think locks, CCTV, insurance. But we often have a blind spot when it comes to the risks to our businesses. Yet the risks are very real. For Mr Abbott, mentioned earlier, one cyber attack eradicated the business he dedicated 16 years of his life to, and eradicated the jobs of his 730 staff.
Cyber criminals are highly organised and highly motivated, and any cyber expert will tell you that no business is safe. A ransomware attack can happen without warning. If your defences are weak, the impact will be greater.
Our advice is to never take a chance with your cyber security. Take steps to protect yourself, starting with a full audit of your IT systems using the Cyber Essentials framework. Enlist the help of an MSP to guide you through this process.