Rise in cyberattacks stretches and stresses defenders

Cybersecurity specialists who respond to hacks say they are stretched as ransomware and other attacks proliferate, often working on multiple cases at once while trying to avoid burnout.

Job stress is amplified by the amount of work incident response teams are asked to undertake, industry veterans say. International Business Machines Corp.'s X-Force incident response unit estimates that it performed 25% more work in 2021 than in 2020.

In some ways, the heavy workload naturally follows the evolution of cybersecurity over the past decade, said Jared Greenhill, senior consulting director at Palo Alto Networks Inc.'s Unit 42 incident response team. In earlier years, he said, incident responders could often work on only one job at a time, as they had to travel to the offices of hacked companies.

“The C-level team wanted you there, they wanted to be able to talk to you in the elevator. They wanted five or 10 of you in person, supporting the incident,” he said.

That expectation has changed in recent years, he said. The increase in attacks and the development of remote tools mean that on-site work is not always practical or necessary.

Additionally, tighter limits on cyber insurance coverage sometimes mean that small businesses don’t have the financial leeway to meet the many costs of a hack and hire multiple responders – often one of the costliest parts of the recovery, he said.

The coronavirus pandemic in 2020 closed offices, banned travel and forced a significant number of people to work from home. For incident responders, that meant juggling more cases, said Itay Shohat, director of incident response and threat hunting at cybersecurity firm Sygnia Inc.

Mr. Shohat said that at the height of the pandemic, he would often start the day with a video conference on one case for several hours, move on to another case, then another. He would then join update calls with his client’s management and move from job to job as necessary.

“It wasn’t like you finished work at the office around 5 or 6 p.m.,” he said. “You just kept working around the clock because everyone else kept working.”

A global survey of 1,100 incident responders released Monday by IBM’s Security Division found that 68% said it was common for them to be assigned to two or more incidents at a time. The work seems to be taking its toll: A similar figure, 64%, said they sought mental health assistance for insomnia, burnout and anxiety.

Stress management is a primary consideration on every incident response team, veterans say. The work is technical, laborious and difficult, often carried out in the shadow of a business shutdown that could threaten the company's existence.

“The CEO knows exactly how much money the company is losing and is making that [known] to everyone else too,” said Laurance Dine, Global Head of X-Force. “There is tremendous pressure.”

Hackers often launch attacks on weekends or just before major holidays. A ransomware attack on meatpacker JBS USA Holdings Inc., for example, happened early on Memorial Day weekend in 2021, and the Los Angeles Unified School District was hit on Labor Day weekend this year.

Cybersecurity and Infrastructure Security Agency and district incident responders worked late into Sunday night after attackers released data stolen from school systems, Superintendent Alberto Carvalho said Monday.

“Christmas has been hot lately,” said Keith McFarland, senior executive on cloud company Salesforce Inc.'s internal threat response team, citing the disclosure of the attack on technology provider SolarWinds Corp. in December 2020 and a vulnerability in open source software known as Log4j disclosed last December. This vulnerability forced security teams to work throughout the winter break.

Managers say they understand the pressure their staff are under and try to prevent burnout. At X-Force, Mr. Dine said his employees are not allowed to work more than two consecutive incidents without time off.

Greenhill said he and others at Palo Alto Networks monitor staff well-being and manage capacity so staff aren’t constantly working. The company requires incident responders and analysts to take time off when they feel exhausted. “It’s definitely a balancing act, and there’s no perfect solution,” he said.

At Salesforce, which runs an in-house IT security incident response team of about 40 to 50 people, staff get one Friday a month off to relieve some of the stress, McFarland said.

The company’s follow-the-sun model, with teams in the United States, Ireland and Australia working shifts, allows its staff to keep semi-regular hours, he said.

“We’re really trying to keep our day length to the normal eight hours,” McFarland said. He also stresses the importance of self-care for his staff, including regular exercise and interests outside of work.

IBM’s Mr. Dine said hobbies, particularly running marathons and ultramarathons, have been crucial for his own mental health while working. “If I didn’t have that, I don’t think I would be in this business,” he said.

Write to James Rundle at james.rundle@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All rights reserved.