The Tom the Turkey float at the 94th Annual Macy's Thanksgiving Day Parade® in New York City in 2020. (Photo by Eugene Gologursky/Getty Images for Macy's Inc.)

CISA on Monday issued a warning to businesses and especially critical infrastructure organizations, reminding them that cybercriminals often like to launch attacks over weekends and holidays like Thanksgiving because the employees who must respond are out of the office and not immediately available.

Indeed, companies should remain vigilant and have contingency plans in place for such a scenario so that recovery isn’t hindered by an ill-timed incident. In its alert, CISA suggested that organizations identify security employees would be available if an off-hours attack occurs, and also update their incident response playbooks, contact lists and communication plans.

To expand on these recommendations, SC Media reached out to cyber professional association ISACA and asked Scott Reynolds, senior director of enterprise cybersecurity, and Simona Rollinson, chief technology officer, for their own thoughts on how to be ready for a holiday cyberattack. Here’s what they had to say:

What would you recommend as best practices and policies in terms of activating your security team, incident response teams, SOC personnel, and other cyber workforce in response to a security incident that takes place over a holiday period, weekend or vacation? 

Scott Reynolds: Responding to an incident should always start with planning — ensuring that coverage across the various teams is organized ahead of time and contact information is shared and readily available in advance is critical. I’d also recommend routinely testing incident response plans and scenarios across different teams throughout the year to help ensure everyone is familiar with their roles during different scenarios that may arise during the holidays or weekends. 

Which job positions require you to clock back in at any given moment if a crisis occurs? Must those kind of 24/7 expectations be written into a contract and job description or is automatically just considered part of the job if an event happens? 

Reynolds: The need for specific roles to have the ability to jump in if a crisis occurs will largely depend on the size of the team and the severity of the crisis. In a company with one engineer, that person clearly will need to clock back in to resolve an issue, whereas in a company with a larger team, the burden can be distributed among more team members. In a smaller company, this need can be mitigated by cross-training team members to help buffer this requirement.

If certain security employees end up having to work over what was supposed to be days off, is it good policy for them to receive overtime (if their pay structure accommodates for that) or receive make-up/bonus time off later after the crisis subsides? Are there other ways to compensate them, as well? 

Reynolds: I think that receiving overtime or receiving make-up/bonus time later are two great ways to make up for unplanned support. Some people are motivated by monetary compensation whereas others would prefer a better work/life balance. The important thing is to ensure that employees feel valued and understand their contributions during a crisis helped minimize potential damage.

Alternatively, are there emergency steps a company can take to temporarily bolster their security teams if key members are on scheduled time off or vacation and are unable to return? Perhaps they could bring in reinforcements through a staffing provider?

Reynolds: There are a multitude of security consulting companies that can help transfer risks associated with lean security teams. However, where possible, I believe investing in cross-training as well as documentation is still extremely important due to the support this information can provide to a consultant coming in blind. I’d also recommend a security consulting company over a temporary hire from a staffing agency because they have a wider support system, and you can build a longer-term relationship.

Simona Rollinson: Before an emergency happens, companies should be leveraging third-party MSSPs and spending time with them so they can learn their business. MSSPs and SOCs know a lot about technology but they do not know you well. Now is the time to fine-tune your relationship so they understand the business use cases, risks and expected outcomes and are prepared in case an incident happens. Plan for functions beyond reactive incident monitoring. Many times, MSSPs are your lifeline. Take a part-time employee from an MSSP/SOC and ask them to do proactive threat hunting.

If employees end up missing out on a holiday like Thanksgiving or Christmas due to a security crisis, what can organizational management do to reduce feelings of burnout, exasperation, low morale, etc.?

Reynolds: Where possible, initially asking if employees would be willing to volunteer to work over holidays can ease potential burnout instead of making it mandatory. For these employees, management can provide overtime pay or expanded vacation as compensation.

Rollinson: Cybersecurity is the equivalent of a marathon and now it has exploded, as the traditional perimeter is no longer meaningful. Psychological trauma is the current crisis for IT professionals due to prolonged work from home and isolation. The C-suite is often not equipped to deal with this sufficiently. In planning for coverage during the holidays, it is important to keep the existing challenges and burnout issues that cybersecurity teams face in mind, and ultimately, prioritize people and check in.