As the holidays approach, security leaders planning to give their teams some much deserved extra time off may get caught in a bind. After all, ransomware actors love to wreak havoc when organisations’ human defences are trying to take time off.
Indeed, ransomware attacks that take place on weekends and holidays continue to catch many organisations off guard, resulting in longer investigation times and causing greater damage, according to the results of the latest holiday ransomware study from Cybereason, “Organisations at Risk 2022: Ransomware Attackers Don’t Take Holidays.”
The global study, based on a survey of more than 1200 cyber security professionals, found that attacks occurring on weekends and holidays result in higher costs and greater revenue losses for organisations than attacks that take place on weekdays. More than one-third of respondents who experienced a ransomware attack on a weekend or holiday said their organisations lost more money as a result, a 19% increase over 2021.
The numbers ticked up to 42% in the education sector and 48% in the travel and transportation industry. Overall, ransomware attacks make up nearly half (49%) of all security incidents that SOC teams are most frequently trying to resolve.
Last year’s study suggested that the increase in cost is related to cyber security staffing levels on weekends and holidays, and this year’s results continue to bear that out. Four in ten (44%) respondents indicated that they reduce security staff by as much as 70% on weekends and holidays. One-fifth (21%) noted that their organisations operate a skeleton staff during those times, cutting staff by as much as 90%. Conversely, just 7% of respondents indicated they were 80% to 100% staffed on weekends and holidays.
Impact on attack response
When organisations operate with fewer cyber security resources during off-peak business hours, ransomware attacks take longer to assess and remediate. One-third (34%) of respondents whose organisations had been hit on a weekend or holiday said it took them longer to assemble their incident response team. A little more than one-third (37%) said it took them longer to assess the scope of the attack, and 36% said it took them longer to stop and recover from the attack.
Beyond financial damage
The damage caused by weekend and holiday ransomware attacks is not just financial; it’s personal, too. These attacks disrupt people’s lives outside of work, interfere with their family time, lead to burnout and prompt some cyber security professionals to leave the field altogether, which only exacerbates the cyber security talent shortage that compels companies to reduce weekend and holiday staff in the first place.
Indeed, 88% of respondents said they had missed out on either a holiday celebration or weekend event due to a ransomware attack. These numbers were higher in the U.S., Germany, and in the financial services industry, where nine out of ten respondents (91%, 95%, and 95%, respectively) said the same.
No rest for the weary: Cyber security is a 24x7x365 job
The survey results highlight the fact that traditional Monday through Friday staffing models are out of step with cyber threats and leave companies vulnerable the rest of the week. Attackers, of course, take advantage of the fact that companies’ human defences aren’t nearly as robust during these off-peak times.
Given that both this year’s and last year’s survey results demonstrate a direct correlation between cyber security staffing levels and attack impact, companies would be wise to consider the following recommendations:
Explore different staffing models for SOC analysts and incident responders. Security leaders can look to hospital emergency rooms as a model for their SOC teams. They also need to identify what level of weekend/holiday staffing is optimal: in other words, what’s the least amount of coverage they can get away with and still reduce risk? Also, ensure that key players can be reached at any time of day, that a specific response plan is in place, and that the team has practised it for weekend/holiday attacks.
Pursue a managed detection and response (MDR) strategy. MDR providers deliver threat monitoring, detection and incident response capabilities as a service to customers on a 24/7 basis. While particularly helpful for smaller organisations that lack the budget or staff to build their own internal SOC, many large organisations also rely on MDR providers to extend or expand their existing SOCs. Organisations considering MDR need to select their provider carefully: consider what solutions the provider uses to facilitate detection and response and what facets of the buyer’s IT infrastructure the provider will be able to monitor.
You’ve been warned
With the holiday season fast approaching, security leaders may want to rethink SOC staffing decisions over the next several weeks and make sure their teams are prepared for a worst-case scenario. Security teams need to know how they’re going to mobilise, communicate with one another, work with vendors, and respond to an attack in the event that one takes place.
Two years in a row, our research has demonstrated how unprepared most companies are for ransomware attacks on holidays and weekends. It’s time to change the game.