Experts underscore vigilance during post-redundancy times
Threat actors are taking advantage of layoffs to carry out ransomware attacks, as experts underscored the need to be vigilant during material corporate events.
Cyber security findings from Semperis revealed that 60% of ransomware attacks occurred in the aftermath of material corporate events, with layoffs and redundancies being a particularly significant trigger.
Across the organisations studied, nearly half (46%) of all ransomware attacks followed workforce reductions. Post-redundancy attacks varied per country, with the highest concentrations in:
- Singapore (57%)
- Australia and New Zealand (54%)
- France (49%)
- United Kingdom (46%)
- Canada (41%)
- Germany (41%)
- United States (43%)
- Spain (38%)
- Italy (32%)
Other material corporate events where ransomware attacks take place include after a merger or acquisition (54%) and after an IPO (42%).
The findings come in the wake of recent layoffs across organisations worldwide. In the United States alone, data from Challenger, Gray & Christmas revealed that there have been over a million job cuts in the first 10 months of the year.
"Corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability—exactly the environment ransomware groups thrive on," said Chris Inglis, former US national cyber director.
"Worse, organisations are under intense pressure to sustain operations while transforming their form and protocols during an IPO or merger and cannot afford downtime, making them more likely to pay quickly to restore operations."
Attacks on holidays and weekends
Meanwhile, the report further found that organisations are more vulnerable during weekends and holidays amid staffing reductions during these periods.
More than half (52%) of ransomware attacks took place during a weekend or holiday, as 78% of organisations admit that they cut staffing at their security operation centres (SOC) during these times.
The top reason for cutting staff during these periods includes prioritising employees' work-life balance, while others cited the belief that they wouldn't be targeted.
"Staying alert is imperative because persistent and patient attackers will strike again if our vigilance fades," Inglis warned.
Jeff Wichman, Semperis director of incident response, added that employers wanting to offer SOC employees work-life balance should learn to plan ahead.
"If you want your employees to be out for the holiday, you need to plan and prepare. You need to have some type of monitoring, even if it's third-party monitoring with extra diligence over that period. There is no time off."
