While the holidays ring in family gatherings, parties, and the opportunity to reconnect with friends, it’s easy to fall into a more relaxed mindset: physically, mentally, and professionally. It’s an exciting time of year. Unfortunately, it’s an exciting time of year for cybercriminals, as well. While we’re shopping, they’re on their own shopping sprees, in the form of phishing, scraping, password attacks, and zero-day exploits. These attacks increase at holiday time; it’s estimated that ransomware attacks go up by as much as 40% over the holidays.
Why the seasonal spike? E-commerce sites see more traffic and more personal information being shared, including credit card details. Also, and this is a reason many forget or don’t consider, the holidays are a security distraction.
Over the holidays, people go on vacations, whether physical or mental. Starting the week of Thanksgiving and continuing through the end of the year, it’s not uncommon for people to take off more days than they work. Work teams lose members, leaving fewer people to mind the security store. In the case of online retailers, there is a dangerous combination at play: more site traffic and fewer people monitoring and managing cybersecurity, the opportunity cybercriminals seek.
If you’re thinking it’s too late to address security for the 2022 holiday season, think again. Yes, certain more involved security measures take more time to prepare and implement (keep them in mind for 2023). However, there’s one thing you’ll definitely want to do: remind your employees how they can keep themselves and your organization safe over the holidays.
Specifically, send out a company-wide security communique that includes the following tips and suggestions as a critically important reinforcement. Consider that as much as 70% of security incidents and breaches are employee-related. That usually means an innocent-looking email from an unrecognized source was opened and/or an embedded link was clicked. That’s only a fraction of the ways employees can open attack vectors and usher in threat actors eager to conduct their own brand of shopping during the holiday season.
A recent study found that almost 70% of respondents admitted to sharing passwords with co-workers and over 50% use the same login and password on multiple sites. Remind your employees of the array of password management applications available.
Collaboration tools, such as Teams and Slack, are now the lifeblood of company communications. Phones and traditional email were supplanted by them years ago, and they are cybercriminals’ favorite way to enter your company. Why? Because it’s the easiest. All it takes is one employee to click on a link that, in turn, launches a DDoS or ransomware attack. Remind your employees to keep spam filters turned on and that hovering over a link will display the URL it actually points to. That makes it easy to determine from whom or where the message originated. If they’re not familiar with the sender, they shouldn’t open it. Ever.
Scams that target and rely on the curiosity of email recipients are called social engineering. Phishing is its most popular example. In phishing attacks, bad actors attempt to create a sense of urgency that they hope will tempt recipients to click on an attack-launching link or provide personal information to help rectify a situation. Pull up some social engineering examples online to share with your employees. Point out telltale phishing signs: misspellings, requests for personal information, an unbelievable or unrealistic sense of urgency. Because these attempts can be tricky, remind your employees to pay attention.
For years, we’ve been working in a BYOD (Bring Your Own Device) world. This saves time and management costs for companies, and employees get to use a device that maintains personal information. Unfortunately, BYOD has introduced a number of security challenges.
If you don’t have a BYOD policy in place, you should. It needs to cover what employees can and cannot do on their mobile devices, the types of devices that can be used, password expectations and requirements, the external applications allowed, authentication information and the work-related functions that can be handled on mobile devices. Most importantly, this policy should clearly state that upon termination of employment, the device will be wiped clean. If you have such a policy, now is a good time to remind your employees about it.
Reiterate to employees the importance of understanding which browser settings must be selected. Also, make sure they know how to find the settings page when there’s nobody around to help them. Ensure they understand how to verify the safety of a website and make sure its data is encrypted. As a reminder, if you don’t see an S after HTTP, it’s time to move on. That S stands for secure.
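The two manual checks above (hover over a link to see where it really leads, and look for HTTPS) can be automated for a training exercise. The following added example is not part of the original post or any DataBank or Radware tool: it scans a constructed HTML email body, flags links whose visible text shows one domain while the href leads to another, links to raw IP addresses, and links without HTTPS. Note that HTTPS only tells you the connection is encrypted, not that the site is legitimate, which is why the other two checks matter.

```python
import re
from urllib.parse import urlparse

# Constructed sample HTML email body (not from any real message): three links, one benign.
SAMPLE_EMAIL_HTML = """
<p>Your order could not be shipped. Confirm within 24 hours:</p>
<a href="http://203.0.113.10/confirm">https://orders.example-store.com/confirm</a>
<p>Track your package: <a href="https://example-store.com/track">example-store.com/track</a></p>
<p>Account notice: <a href="https://example-store.com.account-verify.example/login">example-store.com</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
URLISH_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def registrable_domain(host: str) -> str:
    # Last two labels only; a real implementation would consult the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_link(href: str, text: str) -> list:
    """Warning labels for one link; an empty list means nothing looked suspicious."""
    warnings = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme != "https":
        warnings.append("not-https")        # plain HTTP: no transport encryption
    if IPV4_RE.fullmatch(host):
        warnings.append("ip-literal-host")  # retailers link to names, not raw IP addresses
    # If the visible text looks like a URL or domain, it must lead to that same domain.
    if URLISH_RE.fullmatch(text):
        shown = urlparse(text if "://" in text else "//" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            warnings.append("display-mismatch")
    return warnings

def scan_email(html: str) -> dict:
    """Map every href in the body to its warnings; inner tags in link text are stripped."""
    results = {}
    for href, raw_text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", raw_text).strip()
        results[href] = check_link(href, text)
    return results

if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE_EMAIL_HTML).items():
        print(f"{href}: {flags or 'ok'}")
```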
Questions About Cybersecurity? You Have Two Great Contacts to Choose From
For information about how to keep your organization and employees safe this holiday season — and beyond — contact the cybersecurity experts at DataBank and our long-time partner Radware.
About the Author:
Mark Houpt, DataBank’s Chief Information Security Officer, brings over 30 years of extensive information security and information technology experience in a wide range of industries and institutions.