top of page

Ransomware Attacks Increase During Holidays & Weekends--When Security Teams Are Least Prepared

Incident response plans can help all organizations’ security teams mobilize when incidents do occur.


Recently, a cybersecurity research group, Cybereason, published its findings in a white paper titled Organizations at Risk 2022: Ransomware Attackers Don't Take Holidays, and according to their research over the past year, the primary causes of costly security breaches—and longer investigation times—is a combination of insufficient security operations centers (SOCs) staffing and nonexistent or untested Incident Response Plans (IRPs).

shocked Santa clause, surprised

Last year was the first of the now-annual, global studies this organization is conducting to examine the impact of cyberattacks—primarily those that occur on weekends, holidays, and other times in which organizations have even lower staffing than usual. Cybereason surveyed cybersecurity teams that endured weekend or holiday cyberattacks in a number of countries around the world, including the United States, United Kingdom, South Africa, United Arab Emirates, Germany, France, Italy, and Singapore.

Nearly half (49%) of respondents indicated that ransomware is the type of attack they are most often working to prevent and manage; the other major types taking up attention include supply chain attacks (with 46% of the attention) and targeted attacks (at 31% of the attention).

More than 1,200 security professionals said they missed celebrating a holiday or having a weekend free due to ransomware attacks. Additionally, taking all industries covered into account, an average of 44% of respondents responded to say their SOCs were staffed at less than 33% normal personnel volumes during the same times.

Emergency Room Doctor, Nurse, patient on stretcher

The recommended mitigation of the issues takes a page from the healthcare industry, with Cybereason stating that companies should, "Look to hospital emergency rooms and other emergency response organizations for models."

Below are the specific recommendations as cybersecurity management best practices—which are reinforced by the Cybereason report:

  • Implement containment policies, processes, and tools to reduce the ability malware has to spread.

  • Adopt modern anti-malware solutions having behavior-based tools—rather than simple malware signature analyses—for network-and system-level monitoring and automated response (e.g., quarantining, eradication, etc.) so that ransomware attacks are identified in their earliest stages.

  • Study the company resource usage trends to identify ideal staffing for off-peak hours, taking into consideration the prevalence of attacks during those hours.

  • Augment existing staff with third-party coverage using security as a service and managed detection and response services.

  • Where possible, disable unused, privileged accounts—and disable infrequently used privileged accounts during holidays and weekends.

Advances in artificial intelligence (AI) can also support security program operations, and solutions should be sought out that integrate AI with other detection and response capabilities.

As Robert LaMagna-Reiter, Sr. Director of Information Security at a managed IT services company, First National Technology Solutions, explained, "If an antivirus or next-generation firewall system incorporates AI or behavioral monitoring information, assets with abnormal behavior – signs of infection, abnormal traffic, anomalies – can automatically be placed in a quarantined group, removed from network access."

"If an antivirus or firewall system incorporates AI, assets with abnormal behavior can automatically be placed in a quarantined group, removed from network access."


Sad Woman in Red, tired, burned out

One major reason SOC teams operate so leanly during off-peak hours holidays is that security professionals are experiencing record levels of burnout, which is made worse by a long-lasting shortage of security talent and non-stop attacks.

A lack of well-defined security response policies leaves security personnel with no sure guidance on how they should respond when incidents do occur.

We can help! Supplement your security team using the experts at Webcheck Security, which maintains a team of highly experienced vCISOs (virtual Chief Information Security Officers) and penetration testers—and also provides managed vulnerability detection solutions. Reach out to Webcheck today to schedule a free discussion of your organization’s needs!

23 views0 comments


bottom of page