Between ransomware and month-long engagements, IR teams need a hug – and a nap

Remember the good old days of cyber-incident response, when the job involved digital forensics and lots of stolen credit cards, as opposed to power-grid-breaking malware and multi-million-dollar ransom demands?

IBM Security's Laurance Dine, global lead for the company's X-Force incident response (IR) team, does.

"Evolving threats are driving changes to the IR role itself," Dine told The Register. "When I first started 20 years ago, it wasn't like this. The landscape has changed significantly, and now we've seen disruption in the pipeline, we've seen attacks on critical infrastructure, things like that that are massive."

X-Force saw a nearly 25 percent jump in the number of incidents its IR team responded to from 2020 to 2021. Additionally, Check Point's research reported a 50 percent increase in overall network attacks per week in 2021 compared to 2020.

These cyberattacks aren't limited to one sector or country or, say, the war in Ukraine. It's a global issue, and as such IBM Security wanted to encourage "an industry-wide recognition and celebration of incident responders," Dine said. 

To this end, the security shop sponsored a global survey of more than 1,100 incident responders in 10 markets and asked them about the ins and outs of their jobs – as well as how the stress of being a frontline responder to cyberattacks spills over into their personal lives. And they timed it to coincide with National Cybersecurity Awareness Month, happening now through the end of October.

• Global pandemic was good for business, say UK infosec pros – but we're still burning out
• Half of developers still at screens even during breaks
• Microsoft highlights 'productivity paranoia' in remote work research
• You've heard of the cost-of-living crisis, now get ready for the cost-of-working crisis

Spoiler-alert (or not): it's a high-stress job, and nearly a third of the survey respondents reported experiencing insomnia (30 per cent), burnout (30 per cent) and impacts on their social life or relationships (29 per cent).

"We have to protect incident responders from themselves," Dine said. "Instead of saying, 'Hey, I worked 16 hours. I need to go home and have a nap.' They're like, 'OK, what's next? How do I put myself into even more jeopardy by doing another 12-hour shift.'"

Ransomware makes everything worse

A big reason for this is ransomware, as the volume and frequency of these attacks, along with ballooning ransom demands and payouts, show no sign of getting any better. According to the IBM report, 81 percent of responders say the rise of ransomware has exacerbated the stress and psychological demands required during incident response.

"Ransomware has changed the stakes because of the immediate disruption and direct financial loss that it can cause businesses," Dine said, adding that this stress extends beyond the immediate IR team to the chief security officers, security operations center analysts and IR support across the business. 

"They know that every minute a manufacturing assembly line is down it's costing significant amounts of money," he said. "Everybody is aware of what's happening there, and everybody's looking for answers."

What brings you here?

The survey also asked respondents what attracted them to IR in the first place, and 77 percent cited a sense of duty to help and protect others ranked in their top three, followed by the continuous opportunity to learn (67 percent) and the opportunity to problem solve (60 percent).

Despite this drive to help others, however, about half of the respondents said a "sense of responsibility toward their team or client" (48 percent) and "managing stakeholder expectations" (50 percent) were among their top three job stressors.

Meanwhile, individual IR jobs can now stretch to upwards of a month: 48 percent said the average is two to four weeks, while 30 percent said an average-length incident lasts more than four weeks. Additionally, 39 percent said the first three days responding to an attack are the most stressful, and 34 percent said they work more than 12 hours each day during the most stressful period of the cyber incident.

Despite these long hours and lengthy engagements, 68 percent of incident responders surveyed said they're often responding to two or more overlapping incidents simultaneously.

One ray of sunshine on mental support

The good news in all of this is that the vast majority (84 percent) of respondents said they have access to adequate mental health support resources, and 65 percent said they have sought out these resources as a result of responding to incidents.  

Dine said he was "pleasantly surprised" by the number of responders who felt they had good access to mental health resources and noted this is another change – albeit a positive one – over the past two decades. He credits millennials and Gen Z with destigmatizing mental health support in the workforce. 

"I'm not saying nobody talked about it 20 years ago, but it wasn't like it is today where it's very open discussions with people saying, 'Hey, I need a break.' Or, even better, the ability for leaders to pay attention to their staff and say 'OK, you've had enough. You need to go and have a break,'" he said. "Those things are great for the industry."

• Hi, I'll be your ransomware negotiator today – but don't tell the crooks that
• We're now truly in the era of ransomware as pure extortion without the encryption
• Google Cloud closes $5.4b Mandiant acquisition
• Here's how crooks will use deepfakes to scam your biz

The report also highlights the steps businesses can take to help IR teams be successful and alleviate unnecessary stress on them. First: develop IR plans and customized playbooks. And then rehearse the plan by conducting regular simulation exercises.

"Preparedness is my biggest thing," Dine said. "You know [cyber incidents] are going to happen. You know it's not going away anytime soon. Lack of preparedness is really inexcusable."

There's also a takeaway for the folks in the trenches, and this one may be more difficult to put into practice, Dine admitted, because "we're here to help. And it's very difficult for us to walk away when people are in need of help."

"But my message to the incident responders and specifically to the leadership of incident responders is: You have to take care of your people. You have to take care of yourself." ®