The Untold Consequences of Cyber Attacks: Stress, Burnout, and Increased Employee Loyalty

More Than Half of U.S. Businesses Experience at Least One Cyber Attack a Year, Reveals Annual Hiscox Cyber Readiness Report

Atlanta, GA – February 3 — Hiscox, the specialist global insurer, has released its annual Cyber Readiness Report, revealing it’s more likely than not that a small-to-medium sized U.S. company will suffer at least one cyber attack a year. The report also reveals the significant mental burden of attacks on employees, with 71% of organizations that experienced a cyber attack reporting that their employees suffered as a result.

This comprehensive report, which gauges businesses’ preparedness to combat cyber incidents and breaches, surveyed 5,750 cyber security professionals at companies with fewer than 250 employees who are responsible for protecting their organizations across eight countries, including 1,000 participants from the United States.

Key U.S.–specific insights include:

  • For U.S. businesses, it’s not a case of if you’ll be attacked, but when: More than half (56%) of U.S. businesses have experienced at least one cyber attack in the past 12 months. On average, each U.S. business has experienced over 2 cyber attacks within the past year (whether successful or not). On a positive note, 81% of respondents feel that their cyber resilience has improved.
  • Paying a ransom is only usually fruitful for one party (and it isn’t the victim): Of the U.S. businesses that had at least one ransomware attack in the past 12 months, organizations paid a ransom an average of 2.24 times to recover from the attack and 88% had to rebuild their data. Following payment of the ransom, 50% did not recover all of their data and 27% sustained another attack.
  • U.S. businesses are wise to the risks their employees pose, but overlook other points of entry for cyber criminals: U.S. businesses now consider employees as their most likely point of entry for cyber attacks (25%). In truth, the first point of entry is usually corporate-owned devices (30%), such as laptops, followed by their supply chain (28%), followed by employees (27%).
  • U.S. businesses suffer a heavy financial toll from cyber attacks: Following an attack, 31% of U.S. businesses suffered increased costs of notifying customers, 29% had bad publicity, 28% had a reduction in business performance and 26% were fined substantially. A quarter (25%) of respondents stated that a cyber attack materially threatened the solvency or viability of their company.
  • There are also hidden emotional costs for the employees involved: As a result of cyber attacks, 71% of organizations have had employees that are stressed (42%), suffering burnout (35%), or face a developing toxic work culture (25%). Surprisingly, there was also a positive emotional impact reported, with 40% reporting increased employee loyalty to the organization.
  • U.S. organizations are both wary and hopeful about AI: While 58% of U.S. businesses think AI is more of an asset than a vulnerability, they’ve already experienced an average of 1.63 AI-related cyber attacks in the past 12 months.

"By now, most of us are aware of the potential business-ending financial costs of cyber attacks. The untold story is the havoc that cyber attacks wreak on the employees that are charged with their resolution and recovery,” said Mike Maletsky, Head of Technology & Cyber at Hiscox USA. “With 56% of U.S. businesses experiencing at least one cyber attack in the past 12 months, and 71% of their employees suffering stress, burnout, or a toxic work culture, the emotional burden is a very real cost that also needs to be accounted for. A holistic cyber security plan should target the financial, operational, legal, reputational and people demands of a potential incident.”

Related Materials

You can read the full report HERE.

About the Study

The Hiscox Cyber Readiness Survey was conducted by Wakefield Research among 5,750 professionals responsible for their company’s cyber security strategy. This included subject matter experts (SMEs) and decision-makers (DMs), defined as being responsible for their organization’s cybersecurity strategy, in the U.S., France, Germany, Spain, U.K., Ireland and Portugal; respondents work at companies with fewer than 250 employees; the following titles qualify: Owner, Principal, Partner (Less than 50 employees) and CIO, CISO, Dir+ Security, Dir+ IT (50-249 Employees); between July 29th and August 8th, 2025, using an email invitation and an online survey.

Hiscox Cyber Readiness Report was first launched in 2016.

About The Hiscox Group

Hiscox is a global specialist insurer, headquartered in Bermuda and listed on the London Stock Exchange (LSE:HSX). Our ambition is to be a respected specialist insurer with a diverse portfolio by product and geography. We believe that building balance between catastrophe-exposed business and less volatile local specialty business gives us opportunities for profitable growth throughout the insurance cycle.

The Hiscox Group employs over 3,000 people in 13 countries and has customers worldwide. Through the retail businesses in the UK, Europe and the USA, we offer a range of specialist insurance products in commercial and personal lines. Internationally traded, bigger ticket business and reinsurance is underwritten through Hiscox London Market and Hiscox Re & ILS.

In the USA, Hiscox small business Insurance is underwritten either by Hiscox Insurance Company Inc., a Chicago-based insurance company, or a Hiscox Syndicate at Lloyd’s, London, which is available on a surplus lines basis through licensed surplus lines brokers. Hiscox USA currently provides a variety of admitted or specialty risk solutions, including a broad spectrum of errors & omissions, general liability, cyber and data security, media liability, management liability, crime, entertainment, and terrorism insurance products.

Our values define our business, with a focus on people, courage, ownership and integrity. We pride ourselves on being true to our word and our award-winning claims service is testament to that. For more information, visit www.hiscoxgroup.com.

This communication is for informational purposes only. The content of this communication is not intended, nor shall it be deemed business advice, legal advice, or a solicitation of insurance with regard to any particular or specific person or entity. For information on the full dataset or to inquire further about the methodologies and sources used, please contact [email protected]

Media Contact

Lucy Baines
Hiscox USA
+1 646 560 9399
[email protected]