For many people, the long days and longer nights of January are a cue to start making holiday plans. For people working in information security, however, holiday planning means something else altogether. They’ll be checking calendars for upcoming long weekends and public holidays, to make sure there’s a solid response plan in case a security incident happens.
Whether by accident or design – and it’s often the latter – data breaches, system compromises and other incidents frequently happen outside normal working hours. In August 2021, the FBI and CISA jointly warned of an increase in ransomware attacks timed to coincide with holidays and weekends, after observing attackers’ tactics and techniques over the preceding months.
It’s understandable: workplaces are closed for longer than usual over bank holidays, staff cover is scarce, and people’s guards are down while they are off. If responders have to be called back from leave, the attackers gain hours or days of uninterrupted access before anyone contains them – and criminals know this.
Between 2018 and 2020, the average number of attempted ransomware attacks over the holiday season went up by 30 per cent each year compared to the monthly global average, researchers from Darktrace, a security company, found.
On Christmas Day itself (25 December 2022), the port of Lisbon suffered a ransomware attack. Officials said the port’s operations were unaffected, but its website remained offline several days later. Four days later, the city of Potsdam in Germany took its IT network offline after detecting brute-force attacks against its systems.
Though not technically a holiday, the run-up to Christmas is also a risky period: three days before Christmas Eve, The Guardian newspaper experienced a ransomware attack. Luckily, its business continuity plan meant it could still publish a print edition while journalists worked remotely.
When it comes to recovering from incidents, others haven’t been so lucky. The South Pacific island nation of Vanuatu suffered an attack on its government’s systems and websites in November 2022. A month after the incident, officials were still using their private email accounts and personal devices. Some even went back to typewriters, paper and pens to conduct their business.
A security incident, data breach or system compromise brings multiple risks. It could lead to confidential information being disclosed, and a prolonged period of interruption to normal business. It could harm your reputation with customers, the public or other stakeholders.
That’s why it’s essential to have a structured, formalised incident response plan. The faster you can recognise and categorise an incident, the faster you can deal with it and recover from it. This means you can:
- Quickly and accurately assess security incidents and decide the best response
- Reduce recovery times and minimise interruption to regular business operations
- Take disciplinary, civil or criminal action backed by evidence that was collected, preserved and documented correctly (including a chain of custody), so it will stand up to scrutiny
- Comply with legal or regulatory obligations where required
- Strengthen your defences and decrease the risk of future attacks
- Keep improving security with accurate reporting and tracking
Another good reason to check your response plan is if you need to comply with the EU General Data Protection Regulation. If a breach involves personal data, then you must report it to the appropriate supervisory authority (in Ireland, that’s the Data Protection Commission) unless the breach is unlikely to result in a risk to people’s rights and freedoms. The notification must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach; if it comes later, you must explain the reasons for the delay. Where the breach is likely to result in a high risk to the individuals concerned, you must also tell them directly. Your plan should therefore make clear who decides whether a breach is notifiable, and who makes the notification, so that the clock does not run out while people are on leave.
This brings us to another critical part of any response plan: communication. It’s very likely you’ll need to tell not just regulators but other stakeholders too, whether that’s management, customers, the media or members of the public. Your incident response plan needs to spell out clearly who is authorised to speak, what will be communicated, and through which channels. Times have changed: you won’t be judged for being the victim of a security incident, but you will be judged on how you respond. Effective communication can make all the difference here.
So what can you do to protect your organisation?
- Design a response plan with severity levels that determine who is called in and how quickly, depending on the seriousness of an incident
- Assemble an incident response team that will manage the response and all interaction with third parties (e.g. police, regulators, customers, employees, media)
- Make sure everyone who will be involved in the response has proper training and knows their responsibilities
- If there are skills gaps your team can’t fill, identify external providers in advance and agree how to reach them out of hours
- Get senior management support for the response plan and the team that will carry it out
- Keep an incident response log that records every action taken, when, by whom and with what outcome
- Test the plan regularly, including tabletop exercises scheduled around long weekends and holidays, so everyone is familiar with their roles and duties
- Have a review process to learn lessons from incidents that required a response, so you keep improving and reduce the chances of similar incidents in the future.
We’ve created a white paper that goes into granular detail about how to develop a comprehensive incident response plan. It’s free to download from our website. Keep a close eye on upcoming dates when you could be more at risk (bearing in mind there’s a new public holiday in Ireland this February to mark St Brigid’s Day), and make sure the on-call rota covers them. With an effective response plan in place, you can start thinking about the other kind of holiday arrangements…