
The Most Scam-able Time of the Year

With the kids jingle belling and everyone telling you to be of good cheer, the winter holiday season is truly the most wonderful time of the year, unless you work in cybersecurity. 

Just like Santa and the elves, cybersecurity teams must be at the top of their game during the holidays. It doesn’t take much digging to figure out why. From Operation Aurora in 2009 to SolarWinds in 2020 to the 30% spike in ransomware activity reported around this season, the pattern is the same: workplaces are understaffed, distracted, and vulnerable.

Much of the increased attack surface comes from holiday online shopping and a barrage of marketing emails with enticing links promising the sale of your dreams (made worse by expanding bring-your-own-device policies). But the end-of-year deadline for tax write-offs and charitable contributions gives attackers an alternate, and often more valuable, route for their operations. 

The people making these decisions are more likely to be senior-level individuals with greater access to the organization’s systems. Sure, an attacker could win over Paul from Accounting with a phishing email promising 50% off this year’s latest and greatest, but how much access does Paul have? If the network is segmented and access is granted on a least-privilege basis, he cannot hand attackers significant reach. If instead a targeted spear-phishing email lands with the COO, Jenine, and she falls for it, the payoff is much larger, whether in money or in the data she can reach. Jenine receives the online shopping lures too, but the targeted emails that go only to decision-makers can be much more successful for an attacker.

With taxes being discussed at length, often with an external firm over email, charitable contributions being finalized, and money generally moving at year end, companies need to be on alert for attackers taking advantage of the nature of the holidays. 

Another issue arises from holiday travel. There is limited cell service in Aspen or Barbuda, where the boss jetted off for some well-deserved family time away from the office. As business email compromise (BEC) operations soar, employees back at the ranch have to judge the validity of an email asking them to quickly approve a wire transfer. Unable to call their boss to confirm that the request is authentic, they are much more likely to fall for the attackers’ tricks in an effort to respond quickly. 

On the other side, when the C-suite heads out of town they often delegate approvals or switch off controls such as dual authorization on payments. Attackers know there are fewer human checks on these processes at this time of year and take advantage of it.
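As an added example (not code from the original post), here is a small triage heuristic for the wire-transfer scenario in the two paragraphs above: it scores an inbound message for an executive's display name on an address not on file, a mismatched Reply-To, urgent payment language, and a claim of being unreachable by phone, and holds high-scoring messages for out-of-band verification. The executive roster, domains, sample messages, scoring and threshold are all constructed assumptions, not anything from the post.

```python
"""Added example (not from the original post): a lightweight BEC triage
heuristic. Roster, domains, weights and sample messages are constructed."""
import re
from email.utils import parseaddr

# Constructed roster: executives whose names an attacker might borrow,
# mapped to their one legitimate address.
EXECUTIVES = {"jenine ortiz": "jenine.ortiz@example.com"}

URGENCY = re.compile(r"\b(urgent(ly)?|asap|immediately|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire[ds]?|bank details|payment|invoice|gift cards?)\b", re.I)
UNREACHABLE = re.compile(
    r"\b(can'?t|cannot|unable to) (talk|call|be reached)\b|\bon a flight\b|\bin a meeting\b",
    re.I,
)


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for a message given as a dict of header/body strings."""
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    name_key, addr = name.strip().lower(), addr.lower()
    from_domain = domain_of(addr)

    # Display-name impersonation: a known executive's name on an address not on file.
    if name_key in EXECUTIVES and addr != EXECUTIVES[name_key]:
        reasons.append("executive display name on an address other than the one on file")

    # Replies silently routed to a different domain than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    text = msg.get("Subject", "") + "\n" + msg.get("Body", "")
    if URGENCY.search(text):
        reasons.append("urgency language")
    if PAYMENT.search(text):
        reasons.append("payment or wire request")
    if UNREACHABLE.search(text):
        reasons.append("pre-empts a verification call")
    return len(reasons), reasons


def triage(msg: dict, threshold: int = 3) -> str:
    """Hold anything scoring at or above the threshold for out-of-band verification."""
    score, _ = score_message(msg)
    return "hold for out-of-band verification" if score >= threshold else "deliver"


# Constructed sample messages.
BEC_SAMPLE = {
    "From": '"Jenine Ortiz" <jenine.ortiz@coo-mail.example.net>',
    "Reply-To": "jenine.ortiz@fastreply.example.org",
    "Subject": "Urgent vendor payment",
    "Body": "I'm on a flight and can't talk. Please wire $48,000 to the new vendor account today.",
}
LEGIT_EXEC = {
    "From": '"Jenine Ortiz" <jenine.ortiz@example.com>',
    "Subject": "Year-end charitable contribution",
    "Body": "Please process the payment to the foundation before the 31st, per the approved budget.",
}
ROUTINE = {
    "From": '"Paul Nguyen" <paul.nguyen@example.com>',
    "Subject": "Q4 invoice reconciliation",
    "Body": "Totals attached for review by Friday.",
}

if __name__ == "__main__":
    for label, msg in [("bec", BEC_SAMPLE), ("legit exec", LEGIT_EXEC), ("routine", ROUTINE)]:
        print(label, "->", triage(msg), score_message(msg)[1])
```

The heuristic only decides what gets held; the decision itself still has to be a phone call to a number already on file. It also finds nothing when the executive's real mailbox has been taken over, since every header then looks legitimate, which is exactly why the dual-authorization step on payments should stay switched on while the C-suite is away.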

For all of these reasons, your cybersecurity teams are exhausted. Burnout and turnover are already extremely high in the field: in 2021, 65% of professionals in the space said they had considered leaving their job because of stress and burnout. The holidays make this worse, so take care of your staff in the run-up in case they have to come in and respond to an incident. Now is the time to enforce time off, either now or scheduled for after the holidays, so that staff get a break or have one to look forward to. Monitor on-call rotations, plan for backup staff, and have flex contingencies. Your staff are your greatest asset and the one you cannot afford to lose. 

In addition to strong anti-virus protection, endpoint detection, network visibility, and access management, awareness that all communications are vulnerable at this time of year is important, especially if you are still wondering what to get the cybersecurity professionals at your organization for the holidays. Take a moment to remind your team to verify unexpected requests with the sender by phone when possible, using a number already on file rather than one supplied in the email; make sure your email security solutions are up and running; and take care of your staff before heading out for the holidays this year.