GlobalSign Blog

Creating an Incident Response Plan with a People-First Approach

When a substantial ransomware attack hit the city of Oakland in early 2023, it wasn’t just networks that went dark. Without access to public services, medical records, and myriad basic needs, many of the city’s residents were left in a state of confusion, distress, and eroding trust. Cybersecurity teams saw a technical breakdown. But for the 22 million people affected by the more than 600 gigabytes of their confidential information published on the dark web, it was acutely personal.  

This isn’t just a cautionary tale; it’s a wake-up call.

Cyberattacks today aren’t isolated IT events. They ripple through lives, businesses, and communities. And yet, many Incident Response Plans (IRPs) still treat them like system failures to be patched, leaving emotional and reputational damage to linger unchecked. 

It's time to pivot. A people-first IRP doesn't just protect infrastructure—it protects integrity. 

Why People Must Come First in Cyber Incidents 

Here's a truth we don't talk about enough: You can reboot a server overnight. Rebuilding trust? That’s a marathon. 

According to cybersecurity strategist Sarah Armstrong-Smith, speaking on the latest episode of Trust.ID Talk, “When things go wrong, it’s the people behind the technology who feel the consequences most.” Whether it’s employees facing job insecurity, customers panicking over potential identity theft, or public sector workers left with no access to essential systems—real people feel the shockwaves. 

And the impact goes deeper than frustration. In cases where sensitive customer data is compromised, especially in sectors like healthcare, law, or education—the downstream damage can include fraud, identity theft, and disrupted public services. The NHS ransomware scare remains a sobering example of how cyber incidents can endanger lives through system paralysis. 

Trust, especially digital trust, is no longer a soft asset—it’s foundational. 

Key Components of a People-First Incident Response Plan 

  • Preparation
    Empathy isn’t just a soft skill, it’s cybersecurity muscle. Train your team using simulations that factor in psychological stress and emotional responses. Build stakeholder maps that prioritize humans, not just hardware.
  • Detection and Analysis
    Don’t just assess technical severity, score the human fallout. Include HR, communications, and customer support in your response strategy from day one. The incident isn’t siloed, so your team shouldn’t be either.
  • Containment, Eradication and Recovery
    Recovery isn’t just operational, it’s emotional. Communicate quickly, clearly, and often. Internally, lead with transparency to ground employees in reality. Externally, speak to your customers as if their trust is your most valuable currency—because it is.
  • Post-Incident Review
    Skip the vanilla debrief. Go deeper. Collect feedback not just from logs but from people. What felt chaotic? What could have helped? Emotional post-mortems are your IRP's hidden superpower.

Balancing Human Impact with Financial and Reputational Risk 

IBM pegs the average cost of a breach at $4.45 million. That’s steep. But when customers walk away, or worse, your partners publicly question your reliability, your business could bleed far longer. 

Armstrong-Smith notes that SMEs, in particular, face a harsh reality:  

“In reality, 80 to 90 percent of ransomware targets are companies with fewer than 500 employees.”  

With limited in-house security capabilities, the decision to pay a ransom can feel like survival. But what’s often overlooked is the reputational cost. Panic-driven payments can backfire, amplifying distrust and inadvertently fueling organized crime. 

In the aftermath, it’s not just about how fast you recover, it’s about how humanely you do it. Fast, empathetic responses protect brand equity in ways dollars simply can’t. 

Want more proof? Learn why safeguarding digital trust begins with strong website security.

10 Best Practices for People-First IRPs 

  1. Prioritize People Impact First 
  2. Be Transparent Early and Often 
  3. Make Communications Simple and Empathetic 
  4. Include HR and Internal Comms in Every Response 
  5. Pre-designate Calm, Trained Spokespeople 
  6. Balance Financial and Human Recovery 
  7. Treat Employees Like Partners, Not Liabilities 
  8. Empower Cross-Functional Teams (IT + HR + Legal + Comms) 
  9. Legal and Financial Recovery Comes After People 
  10. Include Emotional Feedback in Post-Mortems 

From Recovery to Resilience - The Trust-First Approach 

Every business has an IRP, but very few have one that leads with empathy. It’s time for organizations to take a hard look at their playbooks and ask: “Are we protecting our people—or just our profit?” 

Cyber resilience isn’t just technology-deep. It’s trust-deep. And that starts with the mindset Sarah Armstrong-Smith champions: “Security, privacy, and resilience must be built into how you do business, not patched in after the fact.” 

You don’t need to overhaul everything overnight. Start small. Start with empathy. Start today. 

Hear it straight from the source: listen to the full Trust.ID Talk episode with Sarah Armstrong-Smith below.
