Former cyber czar urges vigilance ahead of holiday season — “it’s not the attackers … it’s us”

Just a week before Thanksgiving, shoppers at Stop & Shop stores across Massachusetts were forced to leave empty-handed after a cyberattack against the supermarket chain’s parent company led to inventory shortages. 

Parent company Ahold Delhaize said in a statement earlier this month, that it had alerted law enforcement about the cyber breach and had taken some systems offline. “While there may be some limited inventory for certain products, we are working to re-stock our shelves and anticipate item availability to continue to improve over the next few days,” the company said. But the incident may be a sign of things to come during the holiday season, when cybersecurity crises are likely to peak.

Already this year, corporate giants like AT&T, Ticketmaster and United Health have suffered paralyzing cyberattacks, and now, businesses are bracing for the holidays, a time when many cybersecurity operations rely on skeleton staffing. But the FBI and Department of Homeland Security are warning that it’s no time for them to be taking a “cyber vacation.”

The vast majority of ransomware attacks that hobbled businesses and organizations over the past year — 86% —  occurred on a weekend or holiday, according to a new global study of 900 IT and security professionals released this week by cybersecurity firm Semperis. But researchers also found that 85% of surveyed organizations — 90% in the U.S. — reduce security staffing by as much as 50% during those same periods.

“This study would say that we’re not making thoughtful choices,” former White House “cyber czar” and Semperis strategic adviser Chris Inglis told CBS News. “If you realize that most of these attacks take place on holidays and weekends and you reduce your manning, you take away your opportunity to essentially have parity with your adversaries,” said Inglis. He added, “The advantage goes to the attacker, because they’re not taking a day off. They never take a day off.”

According to the report, organizations consistently overestimate their defenses, with 81% of respondents reporting that they believe they have the necessary expertise to safeguard their digital identities from threats. Still, 83% of participants suffered a successful ransomware attack within the past year.

Organizations are beginning to sense they’re more vulnerable around the holidays, but Inglis suggested consumers, too, need to be vigilant. Technologies like smart phones and tablets are now cheaper and nearly ubiquitous, but safety measures have not kept up. 

“We’ve not actually made the necessary investments to make it such that these technologies — or this system of technologies — is defensible and well defended,” he said.

According to the survey, mergers, acquisitions, stock launches or layoffs also functioned as “magnets” for ransomware attacks, with a majority of respondents – 63% – also experiencing a cyber attack following what’s known as a “material corporate event.” 

With financial executives predicting that President-elect Donald Trump’s return to the White House could usher in a wave of bank mergers and acquisitions, cybersecurity experts worry that cybercriminals will be able to take advantage of these “moments of distraction.” 

“Our adversaries – be they criminal or foreign, rogue nations – they test the waters every day. They’re conscious of the fact that our attention waxes and wanes,” Inglis said. “If there’s a merger or an administration transition, those are moments of distraction. So we can expect that they will do what they always do. It’s not that they search at this moment, it’s that they see their opportunities being perhaps more productive at this moment.”

In February, UnitedHealth Group suffered the biggest hack in U.S. healthcare history after its acquisition of Change Healthcare meant it inherited outdated technology, with digital systems not yet safeguarded by multi-factor authentication. 

Beyond an anticipated onslaught of big bank deals, changes in administration – regardless of politics – have historically enticed foreign adversaries to test the defenses of new leadership in Washington. In 2021, President Joe Biden inherited fallout from a sophisticated Russian cyberattack leveled against Texas software-maker SolarWinds and used to breach roughly 100 top U.S. companies and a dozen government agencies. 

In June 2017, the Russian military waged the devastating ‘NotPetya’ cyber attack during Trump’s first year in office, unleashing a virus that crippled parts of Ukraine’s infrastructure and ravaged computer systems worldwide, amounting to billions in damages. 

Security staffing also remains a widespread challenge across industries, with just 85% of organizations maintaining a year-round, 24-hour Security Operations Center, according to Semperis, and staffing challenges prompted by higher overtime costs when most employees are typically out of the office around the holidays.

Contributing to cybersecurity staffing headaches, cybersecurity workforce growth worldwide has flatlined for the first time since 2019. With growth of just 0.1% year-over-year in 2024, budget cuts, layoffs and hiring freezes have exacerbated a global staffing shortage of cybersecurity professionals, according to a recent report released by ISC2. 

The former U.S. national cyber director said that he’s routinely asked what keeps him up at night. “It’s not the attackers, the Russians, the Chinese or any kind of ransomware actors. It’s us,” Inglis said. “Sometimes, it’s the complacency and the proactive ambivalence on our side that is actually, I think, more determinative of our future.”