Security Experts:

Holiday Cybersecurity Staffing Levels a Difficult Balancing Act for Companies

The effect of reduced staffing levels doesn’t just attract more cybercriminals, it makes the outcome of attacks more severe

It’s difficult to know the extent to which cybercriminals make use of weekends and holidays to launch their attacks; but it is generally accepted that they do. Crime, unlike business, is not a Monday to Friday, 9-to-5 occupation. And business, unlike crime, is understaffed over holiday/weekends. 

Extensive dwell times means an attack may have begun on a holiday, but not become apparent until much later. However, it is much easier to quantify the effect of cyberattacks that were launched and discovered over a weekend – they are generally more severe, harder to redress, and more expensive than weekday attacks.

Both the Colonial Pipeline and JBS attacks, for example, occurred over holiday weekends.

A global study of 1,023 cybersecurity professionals, conducted in September 2022 by Cybereason and titled Ransomware Attackers Don’t Take Holidays, highlights the extent of the attacks and the effect of reduced staffing over holiday/weekends. In the US, weekend and holiday staffing levels are on average less than 50% of normal levels. In Germany, this figure encompasses 91% of organizations. France, UAE, Singapore and South Africa firms are all in the 70% to 80% range.

More dramatically, 21% of the respondents said they cut cybersecurity staffing levels by as much as 90%, while only 7% maintained staffing at 80% or more of normal weekdays.

The effect of reduced staffing levels doesn’t simply attract more cybercriminals, it makes the outcome of the attack more severe. More than one-third of those companies that admitted to a holiday/weekend ransomware attack said they lost more money as a result. This is a 19% increase over a similar study in 2021. Individual sectors fared worse – a 42% increase in the education sector and a 48% increase in the travel and transportation industry. 

When an attack occurred, just over one-third of all respondents said it took longer to assemble the incident response team, took longer to assess the scope of the attack, and took longer to recover from the attack. “Ransomware actors tend to strike on holidays and weekends because they know companies’ human defenses often aren’t as robust at those times,” said Lior Div, Cybereason CEO and co-founder. “It allows them to evade detection, do more damage, and steal more data as security teams scramble to mobilize a response.”

It's a difficult balancing act for companies. While the skills gap continues to be a problem, employers need to retain the staff they already have. Depriving them of family time over holiday/weekends increases stress levels, increases burn out, and increases the possibility of staff looking for greener pastures. Companies are literally caught between a rock and a hard place.

“Eighty-eight percent of respondents said they had missed out on either a holiday celebration or weekend event due to a ransomware attack,” notes the report. “These numbers were higher in the US, Germany, and in the financial services industry, where nine out of ten respondents (91%, 95%, and 95%, respectively) said the same.”

With the probability of having to reduce staff levels at such times, defenders’ only recourse is to increase security. Apart from adequate detection and response defenses – which are of course already required 24/7 – Cybereason offers a few suggestions. One option is to consider transferring the risk to a managed detection and response (MDR) provider. It then becomes the responsibility of the third party to provide full cover over holiday/weekends.

This would be a type of ‘remote working’, and a more imaginative use of remote working, remote resources and staff working from home on stand-by during holiday/weekends could also be explored.

Another option is to lockdown privileged accounts on holiday/weekends to restrict attackers’ lateral movement and privilege escalation before deploying a payload. “Security teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack,” suggests Cybereason.

Meanwhile, and perhaps worryingly, there seems to be a growing perception of the inevitability of becoming a ransomware victim. Twenty-seven percent of respondents said their organization had set up a crypto wallet presumably for rapid payment of a ransom, while another 27% said the organization is learning how to negotiate with ransomware gangs.

Related: Cyber Defenders Should Prepare for Holiday Ransomware Attacks

Related: CISA, FBI Warn of Increase in Ransomware Attacks on Holidays

Related: South Carolina County Suffers Weekend Cyberattack

Related: USCYBERCOM Warns of Exploitation of Atlassian Bug Ahead of Holiday Weekend

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.