Many people worldwide are beginning to prepare for the rush of shopping, festive gatherings, and visiting in-laws as the holidays ramp up. Previously, SmarterMSP has written about the cybersecurity dangers that holiday weekends pose, and the end-of-year holiday season is no different.

The American Thanksgiving, with its four-day weekend, food comas, and doorbuster sales, is always a danger, and Christmas could be even more of a tempting target for hackers this year because it falls on a Saturday. The Saturday Christmas means many companies will observe long weekends. The Fourth of July weekend was notorious for the number of cyberattacks mounted this year.

The situation is so alarming that the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) recently released a bulletin specifically warning businesses about the cybersecurity dangers posed by the holidays. They warn:

The FBI and CISA highly recommend organizations continuously and actively monitor for ransomware threats over holidays and weekends. Additionally, the FBI and CISA recommend identifying IT security employees to be available and “on-call” during these times in the event of a ransomware attack. 

Hackers don’t take a holiday

“Hackers don’t take holidays. They thrive on holidays. For hackers, when everyone is out of the office and off the network, it’s like their own Christmas,” warns Tanner Roberts, an independent cybersecurity consultant in Denver. MSPs must be vigilant.

“IT and cybersecurity professionals need holidays too. Engineers are among the most overworked professionals in IT. The reality is that MSPs need to strike a balance between a rested workforce and a protected client,” advises Roberts.

If you are short-staffed, you might want to consider “Christmas in June” for your staff. While that advice may be too late for this year, it’s a good tip for MSPs to remember for the future.

Remember the basics

For clients and MSPs, much of what creates a secure holiday season is remembering the basics.

“It’s so easy to completely neglect basics when your mind is on the Christmas cards you need to send, the gifts you need to buy, and the plum pudding ingredients you need to shop for,” admits Roberts. And it’s a two-way street. Not only are clients distracted, so are MSPs.

“MSPs try to automate as much as they can, but humans run MSPs, and they can get distracted too,” Roberts says. For MSPs, the cybersecurity basics include regular patching, MFA, and extra vigilance – not less.

Roberts also recommends that companies have policies prohibiting holiday shopping on company computers.

“I don’t advocate a work environment that is like a police state. I understand people have coffee breaks and downtime, but they should shop on their personal devices. There’s too much that can go wrong when you have employees entering credit card numbers, getting email confirmation links for shipping, and so on, via company-owned devices,” emphasizes Roberts.

Password cleanse before the holiday

Roberts says the holidays are an excellent time to initiate a “password cleanse.”

“People should change their passwords periodically anyway, but having everyone do it before we get into the holidays is a great extra way to put a cheap layer of protection over the season,” suggests Roberts.

This is also the season for making sure multi-factor authentication (MFA) is in full force. MFA helps secure online accounts by requiring stronger proof of identity than a password alone, such as biometrics or a unique one-time code sent to your phone or mobile device.

User training

User training is essential year-round. It has become a relatively inexpensive but effective tool for MSPs to deploy.

“In the end, it still comes down to employees being vigilant,” Roberts says. He adds that hackers will likely be impersonating favorite retailers, couriers, holiday events, and payment services. With all this holiday cheer, it can be easy for someone to click an incorrect link inadvertently.

“A robust refresher for users timed for mid-November is a great tool because all the information will be fresh in people’s minds as the holidays take hold,” advises Roberts.

Threat from within

Another risk unique to the holidays is seasonal employees. This risk can be unintentional or nefarious.

“People may leave passwords written down on sticky notes so that seasonal employees have easy access to Wi-Fi and other logins,” Roberts shares. “That, in general, is a bad idea.” Also, seasonal employees may not be as well-trained as permanent staff.

“Seasonal employees won’t be as steeped in company culture as year-round staff. There may be a few looking to cause problems, and others may inadvertently blunder into a cybersecurity situation. Make sure the training for this cohort is robust and regular,” emphasizes Roberts.

Beware the new year

New Year’s Day is a big holiday too.

“But because it falls at the end of a string of holidays, there is a lot of cyber-fatigue by that point. People often let down their guard right after Christmas, thinking that they’ve made it. Hackers know that and may take advantage of sloppiness to launch an attack,” warns Roberts.

Stay alert and you’ll have a happy holiday season.


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
