December 8, 2021

Last Updated on January 19, 2024

With more security staff taking time off, lots of extra diversions for everyone and a big spike in online transactions exposing that much more financial and personal data, the holidays are the most treacherous time for cyber-attacks against individuals, businesses and supply chains across the board.

Cyber ne’er-do-wells love nothing more than the cover of distraction and overwhelm to cloak their activities. Throw in some extra alcoholic beverages to boost the general confusion and you have a recipe for cybercrime that’s more popular than chocolate stocking-stuffers.

 

Major threats that are certain to escalate during the “season of giving” include:

  • Ransomware and other malware
  • Holiday phishing attacks and scams, such as bogus emails and text messages allegedly sent by popular retailers (think twice before you click to claim that “free iPhone 13”)
  • URL redirection attacks and the proliferation of spoof websites, especially in retail
  • Denial of service (DoS) attacks against already overtaxed websites
  • Site interruption tactics directed at retailers, where bots fill bogus shopping carts and wreak havoc with stock levels and inventory management, ultimately hurting sales

 

Who’s most at risk?

As you’d expect, retailers and e-tailers face massively elevated cyber risk during this “seasonal spike” time and must amp up their vigilance. Payment and control systems are strained, online and in-store traffic is surging, and staff are hyper busy serving customers—perfect concealment for hack-tivities.

Other industries that can expect more attacks at this time of year include entertainment and travel as well as supply chain/logistics, all of which see increases in business activity that will magnetize cyber threats. 2021 brings extra stress in these verticals due to COVID-related disruptions and restrictions coinciding with increased demand for goods and services, all overlaid on ongoing revenue losses, labor shortages and staffing cuts. These factors collectively create more vulnerabilities for hackers to probe.

Another sector already under siege that will see escalating attacks over the holidays is healthcare. COVID policies, worker shortages and chronically inadequate security make these organizations “the gift that keeps on giving” to cyber criminals, especially through ransomware payoffs.

What can businesses do?

Every organization should take steps now to develop “holiday alert” security and incident response contingencies so your Christmas Eve skeleton crew isn’t caught off guard and overwhelmed by an attack.

Start by identifying the risks most likely to manifest against your business, including what the downstream impacts of an attack or data breach on your business partners. A couple best practices recommended by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) include:

  • Identify IT staff who can be available to “surge” services on holidays and weekends, as these times of low staffing are hackers’ preferred times to strike
  • Conduct phishing/social engineering education and training exercises to keep security awareness “top of mind” in your workforce
  • Implement multi-factor authentication on your remote networks, email environments and other critical systems if you haven’t already

Other worthwhile holiday precautions that will benefit your business throughout the year include assessing your web applications to identify and mitigate vulnerabilities to URL redirect attacks, cross-site scripting (XSS) and other exploits. Make sure all your site’s plug-ins and web application firewalls are patched to the latest versions.

Speaking of patching: patch management and vulnerability management are core elements of any security program. Updating all your assets is a first step in eliminating known vulnerabilities that hackers will gleefully target.

Finally, companies that deal with consumers or otherwise see a big uptick in transactions during the holidays should consider DoS protections like load balancing, leveraging Content Delivery Networks (CDNs), taking advantage of caching to reduce database accesses, automating deployment so you can scale up on-demand, and implementing web-page analytics so you know what’s coming at you.

What’s next?

The time to think about security is always now. By planning proactively, you can enjoy those holiday celebrations knowing you’ve minimized cyber risk, instead of crying in your eggnog over the demise of your IT infrastructure and the posting of your customers’ personal data on Pastebin.

Wondering if your business needs a business continuity plan? Here’s a post on the subject: https://pivotpointsecurity.com/blog/does-your-smb-need-a-business-continuity-plan/

Interested in planning for data resilience to help minimize the impact of cyber attacks? This podcast with Cosmo Gazzani has what you’re looking for:

https://pivotpointsecurity.com/podcasts/the-virtual-ciso-podcast-cosmo-gazzani-disaster-recovery-business-continuity-and-data-resilience/