Ransomware attacks trend up on holidays, weekends
Incident response plans can help healthcare security teams mobilize when incidents do occur, according to Cybereason, a provider of predictive prevention, detection and response cybersecurity tools.
WHY IT MATTERS
According to the report, Organizations at Risk 2022: Ransomware Attackers Don't Take Holidays, a lack of contingency plans, along with reduced staffing levels in security operations centers (SOCs), resulted in lengthier investigation and response times as well as increased costs.
Launched last year, the annual, global study looks at the impact of cyberattacks that occur on holidays and weekends. Cybereason conducted an online survey of cybersecurity teams that experienced one or more weekend or holiday cyberattacks in the United States, United Kingdom, Germany, France, Italy, United Arab Emirates, South Africa and Singapore in September and October.
When asked about the type of security incident that SOC teams are most frequently trying to resolve, nearly half (49%) of respondents pointed to ransomware. Supply chain attacks (46%) and targeted attacks (31%) were also cited as the most frequent attack type.
Of those surveyed – more than 1,200 cybersecurity professionals working in companies with more than 700 employees – 88% said they missed celebrating a holiday or participating in a weekend event as a result of a ransomware attack.
However, across industries, 44% of respondents said their SOCs were less than 33% staffed during these times.
While the survey involved a number of industries' security operations teams, 30% of SOC teams in healthcare said it took longer to assess the scope of a weekend or holiday attack.
The healthcare SOC respondents said it took their organizations three to six days (21%), one to two days (19%) or seven to 23 hours (15%) to resolve ransomware attacks.
Only education SOC teams were more likely to report resolution timeframes from one to six days.
Cybereason recommended that all industries explore staffing models that can improve incident response – giving a nod to the healthcare cybersecurity industry.
"Look to hospital emergency rooms and other emergency response organizations for models," the company says.
Additional recommendations include:
- Identifying optimal staffing for weekends and holidays.
- Creating a managed detection and response strategy that augments existing staff with third-party coverage.
- Locking down unused, privileged accounts during off-peak hours.
- Implementing isolation practices for detected intrusions in order to stop the spread.
- Upgrading to next-generation antivirus (NGAV) protection with behavior-based tools that scan across networks and are capable of identifying ransomware attacks in their earliest stages.
Across industries, 38% of respondents are planning to implement new detection capabilities specifically for ransomware while 31% are taking steps to augment staff so their organizations can respond faster to attacks.
Of healthcare respondents, 55% have upgraded to NGAV.
THE LARGER TREND
Taking advantage of known vulnerabilities is not new for cybercriminals. During the COVID-19 pandemic, hospitals and healthcare systems became prime targets for hard-to-detect phishing techniques due to rapid IT deployments, newly launched telehealth programs, untested platforms and employees shifting to a work-from-home model.
And despite promising a "cease-fire" early in the pandemic, bad actors pretty quickly set their sights on vaccine developers and other organizations attempting to grapple with the challenges of COVID-19.
"While there is no way to totally prevent the threat of ransomware, organizations can stop ransomware attempts from impacting their business by implementing a multilayered security approach to thwart future threats," Robert Capps, vice president of marketplace innovation at NuData Security, told Healthcare IT News.
Advances in artificial intelligence are also bolstering cybersecurity programs.
"If an antivirus or next-generation firewall system incorporates AI or behavioral monitoring information, assets with abnormal behavior – signs of infection, abnormal traffic, anomalies – can automatically be placed in a quarantined group, removed from network access," said Robert LaMagna-Reiter, senior director of information security at First National Technology Solutions, a managed IT services company.
ON THE RECORD
"It’s no wonder SOC teams operate so lean on holidays and weekends: Security professionals are experiencing record levels of burnout compounded by a protracted global talent shortage and relentless adversaries," Cybereason says in the new report.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.