School’s out for the summer, which means many staff, including cybersecurity professionals, will be taking time off for a well-earned break and some quality time with family. However, alongside the need for rest and relaxation are concerns that staff fluctuations in security teams leave organizations more vulnerable to cyber-attacks. This issue is exacerbated by the well-publicized cyber skills gap, which means many security teams are already understaffed.
Brian Honan, CEO at BH Consulting, spoke to Infosecurity about the issue: “Organizations do need to consider how well they are prepared in the event an attack does happen when their key security staff are on holidays/vacation.
“When those people are on holidays, they may not be immediately contactable, they may be on holidays in areas that have poor connectivity, and they may be abroad and unable to physically access the systems that are compromised.”
Chris Cooper, CISO of Six Degrees and member of ISACA’s Emerging Trends Working Group, noted that the opportunistic nature of cyber-criminals will lead them to target organizations they know are understaffed. “If they perceive a business is more vulnerable during the summer holidays, they will try to leverage that,” he said.
Here are four top tips on how organizations can make themselves more resilient to cyber-attacks during the summer holiday period:
1. Promote Cross-Skilling
Honan noted it is important that cyber professionals’ holidays, vacations and rest days are unimpacted wherever possible. Being on call 24/7/365 “places a huge responsibility on individuals which in turn can lead to burnout and that person leaving the organization, which then puts the organization in an even worse situation,” he said.
He advocates “cross-skilling” within security teams, meaning there is less reliance on one or two individuals; for example, ensuring that a wider group of team members is trained in incident response practices and processes.
This is also an approach supported by Johanna Baum, CEO and founder of S3. “If proposed vacation schedules may result in a significant gap in availability of resources to investigate these incidents, you may consider if you have enough resources to manage your landscape. This is typically an indication of a lack of cross-training or a single point of failure for resource knowledge,” she said.
2. Effective Incident Response Plan
Incident response plans should be created and practised that cater for key security personnel being absent, according to Honan. These should encompass “step by step runbooks on how to deal with various types of incidents, and regular testing and training of those plans and runbooks should be conducted without the key people taking part so the effectiveness of the plans and runbooks can be determined,” he said.
Baum advised that organizations develop an emergency incident response plan that draws on “supplemental resources across departments or with an external partner when absolutely necessary.” This includes establishing relationships with specialist consulting and security provider firms in advance, so they can quickly provide additional assistance with attack mitigation during staff absences.
“Build a plan to manage the potential gap before the gap occurs,” added Baum.
Cooper highlighted key considerations that must underpin these emergency plans: “Who is on shift at any given time? How will they be contacted/alerted? Do they have access to all necessary tools and playbooks? And, are they authorized to make decisions and escalate incidents?” he outlined.
3. Reinforcing a Culture of Cybersecurity
Building a culture of cybersecurity throughout the wider organization is also crucial to preventing cyber-attacks during the summer holidays. The Verizon Data Breach Investigations Report (DBIR) 2023 found that 74% of breaches involved the human element, including social engineering attacks, errors or misuses.
Baum noted that social engineering tactics “are especially effective during this time and result in a higher risk of attacks.” Common lures used by malicious actors in the summer include holiday travel deals and Amazon Prime Day.
In addition, she observed that many organizations use seasonal workers during this period, who typically have less knowledge of the organization’s security policies.
As a result, there need to be routine reminders of employees’ roles in supporting company objectives, including the protection of the information they have access to, said Baum.
“By ensuring that employees are aware that security threats can occur daily, they are more prepared to support policies and procedures daily. This encouragement is easily depicted in job expectations and periodic employee evaluations to ensure attention to security related activities is embedded into everyday activities,” she added.
4. Embrace the AI Revolution
Another action organizations can take to reduce the impact of fluctuations in security staffing is to explore how emerging technology can reduce the burden on the rest of the team. “See if certain tasks and processes can be automated to reduce the reliance on one or two individuals,” commented Honan.
Many experts believe that generative AI in particular has huge potential in reducing the burden on security teams.
In an article for Infosecurity Magazine, Chris Jacob, Global Vice President, Threat Intelligence Engineers, ThreatQuotient, set out several ways OpenAI’s ChatGPT can be used to reduce the burden on cyber professionals. These include reducing the exploitation of vulnerabilities, jump-starting quality coding and accelerating threat hunting and investigation.