Employees are being paid by the hour, so they wouldn’t care at all. Customers - true, this might cause delays for them, if the company decided not to pay the ransom. It’s still just a delayed cost, though.
> Employees are being paid by the hour, so they wouldn’t care at all
Sorry, but that's just not correct. It's always someone's job to clean up this mess, and that falls on individuals. If they have to clean up a stressful mess, they definitely do care. A lot.
I've had to clear up messes in the past, and it severely negatively impacts my mental health. Never, ever think that it's a victimless crime. They might not feel the force of the actual crime itself, but there are most definitely employees out there where the second-order effects on their wellbeing are starkly negative.
Again, for customers, you never know what those second-order effects of the delayed cost would be. I'm not going to whip up slippery slope arguments, but again, you're assuming that customer interactions with companies are all one-sided "I can do this later" kinds of interactions.
We shouldn't hand-wave away bad things because they only impact some faceless "company". Companies are made up of individuals, most of whom don't want to be there, but most definitely care when they're forced to do more work by some bad actor.
Of course it’s always somebody’s job, but that’s it: it’s their job, they are paid by the hour. There is no “more work”, it’s just that the planned work will be delayed.
I've seen this happen more than once, where IT spells out the risks and recommends tighter security practices, more security hardware/software, more backups and redundancy, a bigger security team so they're not just running around fighting fires all the time and have some resources to improve security, etc., but these requests are denied because there's not enough budget for them or they're too inconvenient (as security is almost always a tradeoff against convenience).
Then there's a security incident and suddenly money materializes out of nowhere and they'll pay whatever it takes to get back online, making the security and IT teams work nights and weekends until the incident is resolved.
At the same time, security looks like incompetent idiots for letting the incident happen in the first place, with everyone conveniently forgetting that multiple requests to tighten security were denied, and many other people in the company don't even know about what happened, but consider the security team to have screwed up.
So security often wind up looking like idiots, though it's not their fault. Or maybe there really was a screwup by someone who's no longer with the company. Dealing with gigantic legacy systems and endless complexity that no one fully understands is common.
When the security incident blows over, those security budgets shrink again and the importance of security dwindles as other parts of the business take precedence, until the cycle repeats again and again.
Or security really is taken seriously at some companies, and then the security teams are often seen as the "no men", and widely despised because they stand in the way of getting work done.
These reasons and more are why I don't like to work in a security role. Let someone else take the blame.
The lost productivity and general _stress_ due to well-intentioned but ultimately counterproductive software being introduced by IT after a ransomware attack was the last straw for at least two highly qualified engineers I know personally. They left their employer after that. Being blocked from doing your job is highly stressful for people who are motivated by the utility of their work to society, a description which I believe fit these engineers. This is an example of direct human cost - the transformation of a desirable, fulfilling job to one less so.
Now, sure, the IT dept in question could have handled this a little better. Maybe. But the presence of these advanced threats forced IT's hand here.
Because the employer isn’t fixing the problem they’re deploying bandaids that are known not to work. I wouldn't want to work like that either and companies need to learn how to effectively secure software. What if companies paid like BM probably pays? I bet most people would do the work in a less grey fashion. But companies don’t value security so this is the result.
I'm not sure we're going to get much further here if you're arguing on the dichotomy of checked out employees punching a clock vs exploitation by the employer.
Suffice to say, this crap has impact on real people, in the real world. To imply it's just some neutral action doesn't reflect the reality we live in.