While the holidays ring in family gatherings, parties, and the opportunity to reconnect with people, it’s easy to fall into a more relaxed mindset — physically, mentally, and professionally. It’s an exciting time of year. Unfortunately, it’s an exciting time for cybercriminals, as well. While we’re shopping, they’re on their own shopping sprees that come in the form of phishing, scraping, password attacks, and zero-day exploits. These attacks increase at holiday time. It’s estimated that ransomware attacks go up by as much as 40% over the holidays.
Why the seasonal spike? E-commerce sites see more traffic and more personal information being shared, including credit card numbers. Also — and this is a reason many forget or don’t consider — the holidays are a security distraction.
Distractions — Cybercriminals’ Best Friends
Over the holidays, people go on vacations, whether physical or mental. Starting the week of Thanksgiving and continuing through the end of the year, it’s not uncommon for people to take off more days than they work. Work teams lose members, leaving fewer people to mind the security store. In the case of online retailers, there is a dangerous combination at play: more site traffic and fewer people monitoring and managing cybersecurity, the opportunity cybercriminals seek.
It’s Not Too Late
If you’re thinking it’s too late to address security for the 2022 holiday season, think again. Yes, certain more involved security measures take more time to prepare for and implement; be sure to tackle those in 2023.
However, there’s one thing you’ll definitely want to do — remind your employees how they can keep themselves and your organization safe over the holidays.
Make sure to send out a company-wide security communiqué that includes the following tips and suggestions as critically important reinforcement. Consider that as much as 70% of security incidents and breaches are employee-related. That usually means an innocent-looking email from an unrecognized source was opened and/or an embedded link clicked. That’s only a fraction of the ways employees can open attack vectors and usher in threat actors excited about conducting their own brand of shopping during the holiday season.
A recent study found that almost 70% of respondents admitted to sharing passwords with co-workers and over 50% use the same login and password on multiple sites. Remind your employees of the array of password management applications available.
Collaboration tools, such as Teams and Slack, are now the lifeblood of company communications. They supplanted phones and traditional email years ago, and they are cybercriminals’ favorite way into your company. Why? Because it’s the easiest. All it takes is one employee clicking a link that, in turn, launches a DDoS or ransomware attack. Remind your employees to keep spam filters turned on, and that hovering over a link displays its actual URL, which lets them see where the link really leads and judge whether the message is what it claims to be. If they’re not familiar with the sender, they shouldn’t open it. Ever.
Scams that target and rely on the curiosity of email recipients are called social engineering. Phishing is its most popular example. In phishing attacks, bad actors attempt to create a sense of urgency that they hope will tempt recipients to click on an attack-launching link or provide personal information to help rectify a situation. Pull up some social engineering examples online to share with your employees. Point out telltale phishing signs — misspellings, requests for personal information, an unbelievable or unrealistic sense of urgency. Because these attempts can be tricky, remind your employees to pay attention.
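As an added example (not from the original post or its authors), here is a small offline screen in Python that applies the two tips above: it reproduces what hovering over a link reveals by parsing the anchors in an HTML message body and comparing each link's visible text with its real target, and it flags urgency wording and requests for passwords or other personal information. The phrase lists, the `phishing_indicators` function and the two sample messages are constructed for this illustration; the domains in them are placeholders.

```python
"""Added example (not from the original post): an offline screen for the
phishing tell-tales the text lists.  It parses the <a> tags in an HTML
message body, compares each link's visible text with its real target
(what hovering shows), and looks for urgency language and requests for
personal data.  All samples below are constructed for this example."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed phrase lists; a real deployment would tune these.
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "act now", "urgent", "final notice")
PERSONAL_DATA_PHRASES = ("password", "social security", "credit card",
                         "verify your account", "confirm your identity")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return [(href, visible_text), ...] for one HTML body."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _host(url):
    """Hostname of a URL, also for bare 'example.com' text with no scheme."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def link_mismatch(href, text):
    """True when the visible text looks like a URL/domain but points elsewhere."""
    looks_like_url = re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) is not None
    if not looks_like_url:
        return False                        # 'Click here' cannot mismatch
    return _host(text) != _host(href)


def phishing_indicators(html):
    """Return the set of indicator labels found in one HTML message body."""
    found = set()
    lowered = re.sub(r"<[^>]+>", " ", html).lower()   # strip tags for phrase checks
    if any(p in lowered for p in URGENCY_PHRASES):
        found.add("urgency")
    if any(p in lowered for p in PERSONAL_DATA_PHRASES):
        found.add("requests_personal_data")
    for href, text in extract_links(html):
        if link_mismatch(href, text):
            found.add("link_text_mismatch")
    return found


# Constructed sample messages; the domains are placeholders, not real sites.
PHISH_SAMPLE = """<p>Your account will be suspended within 24 hours.</p>
<p>Please <a href="http://login-verify.example.net/x">https://bank.example.com</a>
to confirm your identity and password.</p>"""

BENIGN_SAMPLE = """<p>The December newsletter is out.</p>
<p>Read it at <a href="https://intranet.example.com/news">https://intranet.example.com/news</a>.</p>"""

if __name__ == "__main__":
    for name, body in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, sorted(phishing_indicators(body)))
```

Run as a script it prints the indicators found in each sample; the constructed phishing sample trips all three checks, the newsletter sample none. The link check is the one worth showing employees: the text they read says one domain, the `href` they would land on says another.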
For years, we’ve been working in a BYOD (Bring Your Own Device) world. This saves companies time and management costs, and employees get to work from a single device that also holds their personal information. Unfortunately, BYOD has introduced a number of security challenges.
If you don’t have a BYOD policy in place, you should. It needs to cover what employees can and cannot do on their mobile devices, the types of devices that can be used, password expectations and requirements, the external applications allowed, authentication information, and the work-related functions that can be handled on mobile devices. Most importantly, this policy should clearly state that after termination of employment, the device will be wiped clean. If you have such a policy, now is a good time to remind your employees about it.
Internet Browsing Done Safely
Reiterate to employees the importance of understanding which browser settings must be selected, and make sure they know how to find the settings page when there’s nobody around to help them. Ensure they understand how to verify the safety of a website and confirm that its data is encrypted. As a reminder, if you don’t see an S after HTTP, it’s time to move on. That S stands for secure.
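The "S after HTTP" check, written out as an added Python example that is not part of the original post. It goes a little beyond the sentence above: the S only counts when it is the URL scheme, so the example also handles the cases where "https" appears in the host name or as a username while the scheme is still plain http, and a URL typed without any scheme, which a browser fetches over http by default. The `check_tls` function then does the certificate verification a browser performs behind the padlock, using only the standard library; it needs network access, so it is only called from the `__main__` block. The sample URLs are constructed placeholders.

```python
"""Added example (not from the original post): the 'S after HTTP' check
in code, plus the server-certificate verification a browser does behind
the padlock.  Sample URLs are constructed for this example."""
import socket
import ssl
from urllib.parse import urlparse


def scheme_is_encrypted(url):
    """True only when the *scheme* is https.

    'https' appearing in the host name (http://https-secure.example.com)
    or as a username (http://https@example.com) does not make the
    connection encrypted, and a bare 'example.com' with no scheme is
    fetched over plain http by default, so it is unencrypted too.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.scheme.lower() == "https"


def explain_url(url):
    """Break a URL into the parts a reader should look at before trusting it."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return {
        "scheme": parsed.scheme.lower(),
        "host": (parsed.hostname or "").lower(),
        "userinfo": parsed.username or "",
        "encrypted": scheme_is_encrypted(url),
    }


def check_tls(host, port=443, timeout=5.0):
    """Connect and verify the server certificate the way a browser does.

    ssl.create_default_context() verifies the chain against the system
    trust store and checks that the certificate name matches `host`.
    Returns the negotiated protocol and certificate subject, or the
    verification error.  Needs network access (called only from __main__).
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": dict(x[0] for x in cert.get("subject", ()))}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


# Constructed sample URLs: only the first is actually encrypted.
SAMPLES = [
    "https://shop.example.com/checkout",
    "http://shop.example.com/checkout",
    "http://https-secure.example.com/login",
    "http://https@example.com/",
    "shop.example.com",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, explain_url(u))
    print(check_tls("example.com"))   # live check; needs network access
```

`explain_url` is the part to show employees: printing the scheme, host and userinfo separately makes it obvious that the third and fourth samples merely contain the word "https" while still using plain http. `check_tls` returns `ok: False` with the verification error when the certificate does not match the host or is not trusted, which is the same condition that makes a browser show a warning instead of a padlock.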
For information about how to keep your organization and employees safe this holiday season — and beyond — contact the cybersecurity experts at DataBank and Radware.
About the Author
Mark Houpt is the CISO at DataBank, where he leads and manages security teams and programs within their Cloud Service environment. He is a security/vulnerability assessment professional and handles security compliance as it relates to vendor acquisitions and assessments. Mark is an expert on the application of FedRAMP, HIPAA, and PCI-DSS in a shared tenant environment. He is responsible for communicating control responsibilities in cloud services to customers and internal agents and agencies, preparing for audits and accomplishing annual Service Organizations/Vendor assessment and compliance processes by the development of a repeatable assurance program that allows for measurement of security posture, year over year. Mark is also an expert in assisting smaller and mid-size companies in presenting their security posture to potential business partners, guiding companies through the complex and sometimes daunting process of answering vendor security/posture questionnaires, developing a compliant security program, and remaining compliant with client demands.