Organizations should prepare for an onslaught of ransomware during the holidays as cyber crews take advantage of lower security staffing levels and subpar defenses, security provider Cybereason said in a new study.
Ransomware attacks that take place on weekends and holidays hit organizations when they are most vulnerable, resulting in longer investigation times and causing greater damage, according to Cybereason’s global study of 1,200 cybersecurity professionals, Organizations at Risk 2022: Ransomware Attackers Don’t Take Holidays.
Ransomware Attacks Account for Nearly Half of Incidents
It’s not just weekends and holidays where short staffing paves the way for hackers. Traditional Monday through Friday staffing models are out of step with cyber threats and expose companies the rest of the week, the report said.
Here are some key findings:
- More than one-third of respondents who experienced a ransomware attack on a weekend or holiday said their organizations lost more money as a result, a 19% increase over 2021.
- The numbers ticked up to 42% in the education sector and 48% in the travel and transportation industry.
- Ransomware attacks make up nearly half (49%) of all security incidents that SOC teams are most frequently trying to resolve.
- Four-in-ten (44%) of respondents indicated they reduce security staff by as much as 70% on weekends and holidays.
- One-fifth (21%) noted that their organizations operate a skeleton crew during those times, cutting staff by as much as 90%.
- 7% of respondents indicated they were 80% to 100% staffed on weekends and holidays.
Weekend & holiday staffing levels by country (per Cybereason)
- Germany: 91% typically staff at 50% or less
- UAE: 75% typically staff at 50% or less
- South Africa: 73% typically staff at 50% or less
- France: 72% typically staff at 50% or less
- Singapore: 71% typically staff at 50% or less
- Italy: 65% typically staff at 50% or less
- US: 50% typically staff at 50% or less
Weekend & holiday staffing levels, by company revenue (per Cybereason)
- Under $100,000: 50% typically staff at 50% or less
- $100,000 - $999K: 58% typically staff at 50% or less
- $1M - $9M: 69% typically staff at 50% or less
- $10M to $49M: 65% typically staff at 50% or less
- $50M to $99M: 61% typically staff at 50% or less
- $100M to $499M: 73% typically staff at 50% or less
- $500M+: 68% typically staff at 50% or less
- When organizations operate with fewer cybersecurity resources during off-peak business hours, ransomware attacks take longer to assess and remediate.
- One-third (34%) of respondents whose organizations had been hit on a weekend or holiday said it took them longer to assemble their incident response team.
- A little more than one-third (37%) said it took them longer to assess the scope of the attack, and 36% said it took them longer to stop and recover from the attack.
- In the U.S., 44% of respondents said it took them longer to assess and respond to a weekend/holiday ransomware attack, a 19% increase over U.S. results from last year’s survey.
- The numbers were also higher at larger organizations with more than 2,000 employees, as 43% said it took longer to assemble incident responders. Also, 48% said it took longer to assess the attack scope, 40% said it took them longer to stop the attack, and 36% said it took them longer to recover.
Security Advice from Cybereason
Cybereason offered the following recommendations for organizations to better protect against weekend and holiday ransomware attacks:
- Explore different staffing models for SOC analysts and incident responders. Security leaders can look to hospital emergency rooms as a model for their SOC teams. They also need to identify what level of weekend/holiday staffing is optimal.
- Pursue a managed detection and response (MDR) strategy. MDR providers deliver threat monitoring, detection, and incident response capabilities as a service to customers on a 24x7 basis.
- Consider locking down privileged accounts on weekends and holidays. The usual path attackers take to propagate ransomware across a network is to escalate privileges to the admin domain level and then deploy the ransomware.
- Ensure clear isolation practices are in place. This will prevent attackers from making any further ingress on the network and from spreading the ransomware to other devices.
- Make prevention and detection technologies work harder. All respondents had experienced a ransomware attack despite running some combination of traditional antivirus, next-gen antivirus (NGAV), or endpoint detection and response (EDR) products.
- Shifting staffing, moving to MDR, and switching to behavior-based technologies are far more effective and sustainable approaches to combating ransomware than some of the approaches survey respondents said their organizations were taking to combat the heightened threat.
“There’s no reason organizations can’t have contingency and incident response plans in place to quickly mobilize their SOC teams, IR teams, and partners when a holiday or weekend attack occurs,” Cybereason said.