Once the calendar turns to November, people begin eyeing the dwindling days until Christmas. With that countdown comes shopping, much of it online. Studies on shopping, work, and cybersecurity risks are not plentiful, but the research that has been done paints a clear picture: MSPs and other security specialists must pay close attention at this time of year.
“Keep in mind, most people spend at least a third of their life working, so if something can be knocked off the to-do list during that time, people are going to take the opportunity,” notes Albert Fletcher, a cybersecurity specialist in Salt Lake City.
A 2018 report by staffing firm Robert Half Technologies confirmed this, with nearly two-thirds of employees (64 percent) reporting that they plan to do some online holiday shopping.
“And that percentage, I would imagine, has gone up, not down, since 2018,” Fletcher predicts.
Other numbers of note from the report, which studied the period from November 15 through December 25, are as follows:
– Those who shop only on Cyber Monday: 20 percent
– Once a week: 35 percent
– A few times per week: 36 percent
– Nearly every day until they finish their lists: 8 percent
“These numbers should make cybersecurity professionals nervous. People are excited to order that deal from Amazon or Wayfair and they aren’t paying attention to cyber-hygiene, even though they absolutely should be,” Fletcher warns.
He adds, “Online shopping at work is one of those things that cybersecurity professionals and MSPs wring their hands over and say it’s bad, but very few companies prohibit it.” Yet, many companies look the other way in the race to retain talent and view holiday shopping on work time as an unwritten perk.
Studies have shown that 76 percent of companies allow online shopping on company time and devices. In one survey of middle-level managers, 55 percent said their company permits workers to shop online but has no strategy for educating them on the risks associated with these types of activities.
“That is asking for trouble,” Fletcher advises.
Safety must be the focus for holiday user training
“If companies are going to allow it, people are going to do it. MSPs that conduct user training should devote a whole ‘refresher’ course sometime in early or mid-November that emphasizes several holiday-themed components,” says Fletcher. “The components should be ones that the CISA stresses.” These include encouraging workers to shop from known websites (trusted sources), reminding people not to click on ads, and urging them to be careful when giving out personal banking information.
“So many of the hazards of holiday shopping come down to people checking common sense at the door, and they need to be reminded that the cyber-Grinch is lurking, ready to steal Christmas,” adds Fletcher.
He advises that organizations should stress other safety measures as well during holiday cyber training, such as:
- How to recognize secure and insecure websites
- How to recognize phishing emails and dangerous attachments
- How to use secure passwords
- What information to never share while shopping
“People get a sense of invincibility when they shop. There’s some sort of psychology to it, and they overshare. A good user training program will emphasize what to share and what not to,” Fletcher says.
According to Fletcher, holiday cybersecurity user training should also emphasize how to spot phishing emails dressed up as holiday cheer.
Scammers often send phishing emails that appear to come from large department stores, e-commerce sites, and other popular retailers. Because consumers already expect to get emails from these legitimate brands, they can fail to notice a well-disguised phish.
“These can often be extremely well-disguised and often well-timed,” notes Fletcher. “An email from Amazon or Macy’s during the crush of the holiday ordering season is probably going to get your attention. The problem is when those emails aren’t really from those retailers but a hacker purporting to be.”
Stagger holiday schedules
Another problem MSPs run into at this time of year is that IT Operations and SecOps teams are often short-staffed, with people out on vacation during the holidays. Everyone is stretched thin.
“Hackers know this and exploit it, so we advise all IT departments, whether they are internal or an MSP, to try not to spread themselves too thin. Perhaps giving someone a week off in January with some bonuses or perks might better serve the cybersecurity needs of an organization,” Fletcher says.