The Semperis Ransomware Holiday Risk Report revealed that:
- Organizations typically reduce staffing in their security operations centers (SOCs) by 50% during weekends and holidays.
- 60% of ransomware attacks occur during those times.
It’s not a coincidence. Cyber attackers exploit more than vulnerabilities; they track organizational patterns and make the most of opportunities when you are most distracted: off-hours, during mergers and acquisitions, and any time you are dealing with technology or organizational change.
How do you fight back? Jim Doggett, CISO at Semperis, advocates shifting the focus from just detection to response and recovery planning.
In this interview with Tony Morgan at ISMG, Doggett discusses key findings from the ransomware risk study, highlighting the critical importance of:
- Understanding the role of identity infrastructure as a primary attack vector
- Creating, adopting, and testing cyber crisis recovery plans
- Aligning security staffing with your need for operational resilience
- Anchoring your identity and access management (IAM) program with solid security fundamentals
Tune in for identity security insights that are relevant all year long—and download the ebook to share with your teams.
Tony Morgan: Hi. I’m Tony Morgan, executive news editor at ISMG. Welcome to this discussion of the Semperis 2025 Ransomware Holiday Risk Report, which examines the heightened dangers of ransomware at this time. It’s my great pleasure to welcome to the conversation our subject matter expert, Jim Doggett, CISO at Semperis. So thanks for joining us, Jim.

Jim Doggett: Thank you, Tony. It’s a pleasure to do this, especially coming right off the heels of us issuing this report. It’s got fascinating results that I hope everyone really does enjoy listening to.

Tony Morgan: I’m interested myself to hear what you’ve got to say. So we’ll jump straight into it. First, why are you doing a holiday risk report? Who’s it for?

Jim Doggett: Typically, we do things that are for a CISO; but in this case, I think it’s also probably boards of directors and some of the senior management. And the reason why is we just had several questions that we’re trying to see: Where’s the world of ransomware going? Is it increasing? Is it decreasing? What are the characteristics? So we ended up interviewing close to a thousand different companies and getting their take on what’s going on in the world of ransomware with the hope of learning some things that actually help us do a better job of attacking it going down the road if we need to, or maybe it’s going away.

Tony Morgan: Now you’re saying, what’s going on in ransomware? Was there anything in particular that you were hoping to get from the report?

Jim Doggett: Yeah. I would say there are three or four things we were really hoping to get. Number one, frequency. Is the frequency of people being attacked increasing or decreasing? Which is sort of interesting because we did find there was a slight decrease this year over the prior year, which I think is fairly interesting. Other things that we were really seeking: Is there a time element to when ransomware attacks occur? Do they occur randomly, or does there tend to be a focus on, say, weekends and holidays? And, again, it’s things like that that we’re trying to understand.

Also, we want to get a better vector of how people are getting in. Typically, when ransomware occurs, it starts at a fairly low-level attack, like phishing or something like that, and then they escalate privilege to the point where they can do ransomware. You never directly attack the things that allow you to do ransomware. It always happens at a much lower base and it goes up. So, again, we were seeking information like that.

Tony Morgan: And you mentioned that you did actually see that there had been a decrease. Is there anything else that you specifically learned as a result, including anything that surprised you?

Jim Doggett: Yeah. Several things surprised me that came out of that, which I do find sort of interesting. Number one is we found that weekends and holidays had a significantly higher occurrence of ransomware, and roughly 60 percent of all attacks—from people we interviewed—occurred during weekends and holidays, which I think there’s some logic to. And the logic, you have to sort of step back for a minute and think a little bit about, well, why would they attack on the weekend? Well, typically, people don’t work on weekends. And, it’s interesting—we did follow up and asked the questions about, well, how are you staffed? If you have a SOC, or if you have an external SOC that you’ve hired someone for, outsourced it to, what do you do staffing-wise on weekends and holidays? And we found it very interesting that people are trying to be really nice to their employees so they don’t want them to work so much on weekends and holidays—which then means that they’re not staffing. And on average, the companies that lowered staffing lowered it by almost 50 percent. That surprised me. So we know now that weekends and holidays are an attack vector. And now on top of that, we’re finding out that people don’t staff as much, which makes it, I mean, much, much harder to react and even detect that it is happening.

Tony Morgan: Sounds like we actually need to increase the staff over the weekend as a whole.

Jim Doggett: And that will be one of the recommendations I think people have to think very hard about. Even if they choose to do a hybrid, maybe, of internal staffing on weekends, if they need to outsource pieces of that, maybe… I don’t have the right answer. That’s what each company must decide, but it’s certainly something I think that needs to be addressed at this point.

Tony Morgan: Absolutely. Like, the hospitality industry, weekends are gonna be part of it.

Jim Doggett: Yeah.

Tony Morgan: Tell me about the types of attacks that were identified. And again, you’ve said when they occur is weekends and holidays—was there a timing aspect as well in the time of day?

Jim Doggett: Time of day, typically, what they like to do is later in the evenings after, if you will, a local time of 5:00 PM. Because, again, people tend to go home and you don’t fully staff. That’s just common sense, but we did prove it out in the study. So another very interesting thing that came up—which we didn’t directly ask at first, but it started to come out more and more—was that attacks tended to occur very frequently when companies are going through mergers or acquisitions or some kind of big corporate event—which, again, if you step back, makes some sense. At least it does to me. If you’re going through a merger, you’re distracted, you’re focused on other things. Plus, typically, when you have a merger or acquisition, one of the two companies’ security is not on par with the other. And if it’s not on par, there might be a weak spot. You join those networks together, and guess what? You’ve got an easier vector to come in and attack. So I think that’s another aspect. As far as how they’re attacking, it’s the same thing. I’ve been in this business almost 40 years now. It’s always the same thing. Probably some new stuff too, but it’s still common phishing and those types of campaigns. It always starts low level and then goes to escalation. Also, a result of people not patching their systems: too much access.

It’s the same thing that we’ve been dealing with forever. And that’s one thing that I tend to emphasize when I go around talking to CISOs: make sure you’ve dealt with the basics before you try to get the new shiny balls that are out there. And I will even include AI as one of those today. It does no good to put all these controls around AI if you still aren’t patching your systems or you give everybody too much access.

Tony Morgan: So I’m gonna guess this lack of doing the basics is gonna be part of the answer to my next question, which is: What’s the risk of keeping the SOC in house?

Jim Doggett: Yep. Well, I think there are a couple of things. Keeping a SOC in house—and, again, large companies already tend to have more in-house SOCs. You go to smaller companies, they can’t afford to staff full time and have the full complement of people you need to follow the kill chain or whatever it may be. So they tend to outsource a bit more. But I think that the risk of in-house is the one I just talked about a couple of minutes ago: weekend staffing. If you’re gonna run at 50 percent staffing, that’s probably not gonna get it if you’re staffed in house. Also, getting the skills today to do it. I think there’s an element of that that is difficult to do—especially if you’re a smaller company; then the outsourcing might be better. But if you choose to go the outsource route, the one thing I’ve always recommended is that you have to leave the management of that resource in house. In other words, you don’t outsource the whole thing and hope they do a good job. They’re not your company, so they don’t have the same vested interest. They don’t own stock. They don’t…whatever. So I always highly recommend you have someone in an internal role that takes the accountability to manage that team and be ready if their [internal] team needs to jump in.

Tony Morgan: Absolutely. You can’t outsource responsibility. And your legal liability as well.

Jim Doggett: Correct.

Tony Morgan: So what’s your view on the opinion that there’s too much emphasis on detection rather than response?

Jim Doggett: Yeah. Well, first of all, when I say detection, I typically think of two things: preventing something from happening and detecting it, either before or while it’s happening. I do think in today’s world, there’s too much emphasis on [prevention] because the one thing I have learned through all my years is that if a bad guy wants to get in bad enough, he will get in. It’s just a reality. You can’t—unless you wanna unplug, there is no absolute. So you have to almost address it by saying, “I’ve got to assume that I’m going to be attacked, and they’re gonna successfully get in. Now what do I do?” And that, to me, is an area that’s probably the biggest gap that I see in CISOs across the world. CISOs, we’re really good at preventing the tactic. We’re not nearly as good historically on what do we do when it happens. In other words, incident response, crisis management, business continuity. How do we get back up and minimize the damage that’s being done? That’s hard. That’s really hard. And also it’s not a technical thing, typically. It’s a process thing. It’s a people thing. Legal has to get involved. Communications has to get involved. I could go on and on, but I think that is a massive gap right now in most companies, large and small, across the world, that need to step back and say, CISO, you’re now not only accountable for preventing, detecting—but also how do you respond? And, again, ransomware is the perfect example. Prior to ransomware, CISOs really didn’t get blamed. Well, they may have got blamed, but they weren’t responsible for most of the big outages. There were fires and floods and things like that. Ransomware is right in our spot of security. We have to be ready. And they’re gonna come to us and say, you were responsible. What are you gonna do?

Tony Morgan: Now when you say, “What are you gonna do,” you started to go down the route of some of the things that people can do. Can you expand on that? You know, what exactly should organizations be doing now to bolster their resilience?

Jim Doggett: Okay. I think there’s a handful of things that I would recommend. Number one is they have to have a plan. Have they even thought about it? Have they stepped back and said, “Well, if this goes down, can I recover?” Most companies—this is the example that I always go in with. I say, okay. So your entire network’s down and out. What are you gonna do? He says, well, we’ll copy it from backup and we’ll get it right back up and running. And I say, well, how long will that take? And then they start to have a few issues with talking about how long it may be. And I say, well, have you tested that? Do you know if you could get back in that amount of time? Then I go to the next question. I say, well, have you thought about all the infrastructure that supports that? And this is where I would get into what we do for a living, which is Active Directory, Entra ID, and that space. If those things are out, how long will it take for you to recover those? And virtually no company—or very few companies—can answer that question because it is very hard to test recovery of AD. It’s not a copy-and-do-it. It has to be installed, propagated throughout all your domain controllers. It’s a fairly complex process, and, typically, it takes multiples of whatever their RTO is. They need to get back in 24 hours? It may take weeks—because you can’t do anything if your infrastructure is down. You can’t run an application if your infrastructure is down. You can’t log on to the network to do anything if things are down. So I think that that is a big, big area that everyone needs to start to focus on. The second thing that I would say is once you have that plan in place, you gotta test it. Test it. Test it again, and then test it again. You don’t build muscle memory by thinking about it and not doing it; you have to actually do it.

And a lot of these things, especially the infrastructure, you will find out all kinds of things that you didn’t know that get in the way of doing a quick recovery. Because in the end, what you’re trying to do is limit the damage. And if you haven’t practiced doing that, the first time you’re in an emergency situation where people have roles that may be slightly different can be really, really daunting.

Tony Morgan: Yeah. I even came across somebody who did do a thorough test and found out they didn’t have the parking space to get the new servers in. But, anyway, I’ll move on from that. How is Semperis helping its customers prepare for ransomware risk?

Jim Doggett: A couple of things I would say on that. Number one is we’ve got over a thousand customers now who we’re helping. And, typically, what we focus on is the identity space. In other words, your identity store that holds all your credentials—which, when you think about it, that is the keys to the kingdom. Almost every application every company uses is dependent on that identity store being available to authenticate who the person is and what access they should have. If that’s down, nothing works. You can’t even log in to get your email. So that is an area that we have chosen to focus on. And I joined Semperis for that very reason. I came from a very large insurance company where we had an outage of Active Directory, and it was not an attack. It was a fat-fingering of an individual that made a mistake, knocked out roughly 20,000 users. We went to backup. Of course, backup didn’t work because we had never tested it. We didn’t know how to install it anyway. So we ended up hiring consultants for a month, roughly millions of dollars expended, lots of downtime—and we recovered. So that’s why I joined. Because this needs to be a vector that people focus on at a minimum.

Because bad guys, when they attack, they almost invariably—probably 90 percent of the time—they go after your identity store, be that Active Directory, Entra ID, Okta, or whatever people are using. So we focus on that space, and we follow the MITRE ATT&CK framework, if you will. We look at it before an attack, during an attack—what you can do, and then that assumption that you have already been attacked successfully—then how do you recover and recover quickly and minimize the damage? That’s what we do, and that’s all we do.

Tony Morgan: Okay. So you’ve grabbed our viewers’ attention now. Where are they gonna go to learn more?

Jim Doggett: You can just go to our website and learn as much as you want—and you have the ability to contact us there at Semperis.com—s e m p e r i s dot com.

Tony Morgan: Excellent. Jim, thanks so much for sharing your insight today. Thank you for joining us. I’ve been speaking with Jim Doggett, Semperis CISO, and we’ve been discussing the issues of ransomware over the holiday period. I do hope you’ll be able to implement some suggestions from today. For ISMG, I’m Tony Morgan, and thank you once again, Jim.
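The interview's timing findings (most attacks on weekends and holidays, attackers favouring the hours after 5:00 PM local, SOC staffing cut by roughly half in those same windows) translate directly into a triage rule: an alert that lands when coverage is thinnest should be escalated harder, and alerts against the identity store hardest of all. The Python below is an added example, not code from the report, from Semperis or from the interview. The time zone, business hours, holiday dates, alert categories and the sample alerts are all assumptions constructed for the example; substitute your own SOC calendar and alert taxonomy.

```python
"""Off-hours escalation for identity-infrastructure alerts.

Added example (not from the Semperis report or the interview). Classifies each
alert into the coverage window it arrived in (business hours, after hours,
weekend, holiday) and bumps triage priority for alerts that land when SOC
staffing is typically reduced, with an extra bump for alerts that touch the
identity store (AD / Entra ID), the target the interview singles out.
"""
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta, timezone

# Assumption: the SOC's local zone. zoneinfo handles DST; if the tz database is
# not installed we fall back to a fixed EST offset so the example still runs.
try:
    from zoneinfo import ZoneInfo
    LOCAL_TZ = ZoneInfo("America/New_York")
except Exception:  # ZoneInfoNotFoundError or missing module
    LOCAL_TZ = timezone(timedelta(hours=-5), name="EST")

# Assumed business hours and observed holidays (constructed for the example).
BUSINESS_START = time(8, 0)
BUSINESS_END = time(17, 0)   # the interview: attackers prefer "after 5:00 PM local"
HOLIDAYS = {date(2025, 12, 25), date(2025, 12, 26), date(2026, 1, 1)}

# Hypothetical alert categories that indicate the identity store is being touched.
IDENTITY_CATEGORIES = {"privileged_group_change", "dcsync", "ntds_access", "gpo_change"}

# Priority bump per coverage window; weekend and holiday get the largest bump
# because that is where the report places ~60% of attacks and ~50% staffing cuts.
WINDOW_BUMP = {"business": 0, "after_hours": 1, "weekend": 2, "holiday": 2}


@dataclass
class Alert:
    ts_utc: datetime   # timezone-aware UTC timestamp from the sensor/SIEM
    category: str
    severity: int      # 1 (informational) .. 5 (critical), as emitted by the source
    detail: str


def coverage_window(ts_utc: datetime) -> str:
    """Classify a UTC timestamp as 'holiday', 'weekend', 'after_hours' or 'business'.

    Holiday is checked first so a holiday that falls on a weekday is not
    mistaken for a staffed business day.
    """
    local = ts_utc.astimezone(LOCAL_TZ)
    if local.date() in HOLIDAYS:
        return "holiday"
    if local.weekday() >= 5:          # Monday=0 ... Saturday=5, Sunday=6
        return "weekend"
    if not (BUSINESS_START <= local.time() < BUSINESS_END):
        return "after_hours"
    return "business"


def triage_priority(alert: Alert) -> tuple:
    """Return (priority, window) for an alert.

    priority = source severity + window bump (+1 if an identity-store alert
    arrives outside business hours), capped at 5.
    """
    window = coverage_window(alert.ts_utc)
    bump = WINDOW_BUMP[window]
    if alert.category in IDENTITY_CATEGORIES and window != "business":
        bump += 1
    return min(5, alert.severity + bump), window


def off_hours_share(alerts) -> float:
    """Fraction of alerts that arrived outside business hours (0.0 if empty).

    Run over a quarter of real alerts this gives your own version of the
    report's 60 percent figure.
    """
    if not alerts:
        return 0.0
    outside = sum(1 for a in alerts if coverage_window(a.ts_utc) != "business")
    return outside / len(alerts)


# Constructed sample alerts (December 2025 is UTC-5 in New York).
SAMPLE_ALERTS = [
    Alert(datetime(2025, 12, 23, 15, 30, tzinfo=timezone.utc), "phishing_click", 2,
          "user opened credential-harvesting link"),                     # Tue 10:30 local
    Alert(datetime(2025, 12, 23, 23, 40, tzinfo=timezone.utc), "privileged_group_change", 3,
          "account added to Domain Admins"),                             # Tue 18:40 local
    Alert(datetime(2025, 12, 27, 9, 0, tzinfo=timezone.utc), "dcsync", 4,
          "replication request from non-DC host"),                       # Sat 04:00 local
    Alert(datetime(2025, 12, 25, 14, 0, tzinfo=timezone.utc), "new_vpn_login", 1,
          "first-seen VPN login for user"),                              # Thu 09:00 local, holiday
    Alert(datetime(2025, 12, 22, 13, 0, tzinfo=timezone.utc), "failed_logon_burst", 2,
          "30 failed logons in 5 minutes"),                              # Mon 08:00 local
]


def escalation_queue(alerts):
    """Alerts ordered highest priority first, as (priority, window, alert)."""
    scored = [(*triage_priority(a), a) for a in alerts]
    return sorted(scored, key=lambda row: row[0], reverse=True)


if __name__ == "__main__":
    for prio, window, a in escalation_queue(SAMPLE_ALERTS):
        print(f"P{prio} [{window:>11}] {a.category:<24} {a.detail}")
    print(f"off-hours share: {off_hours_share(SAMPLE_ALERTS):.0%}")
```

The window classification is deliberately done in the SOC's local time rather than UTC, because the report's "after 5:00 PM" and "weekend" are statements about when defenders are absent, not about the calendar in the attacker's zone. Feeding real alert history through `off_hours_share` is also a cheap way to check whether the report's pattern holds for your own telemetry before deciding how much weekend coverage to buy.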
