’Tis the Season: Prime Time for Cybercrime

The festive season is approaching, deadlines will soon be behind us and business plans for the new year are being finalized. This is good news for you, your family, and your friends, but it's also good news for the nefarious Christmas elves known as hackers, who will surely take strategic advantage of it.

This time of year is prime time for social engineering attacks. Examples include phishing emails about delayed Christmas gift deliveries for your children, as well as calls regarding urgent payments that supposedly need to be made before the end of the year. The list is endless, and hackers' creativity knows no bounds.

Employees can be distracted by many things. For example, they may be stressed or rushed due to Christmas shopping, or they may be offline during holidays and long weekends. The same applies to your IT and cyber security staff. While some hackers may be on holiday, others may exploit the fact that your security is weaker than usual.

Phishing is highly effective when it impersonates well-known parcel delivery companies such as DHL and DPD, or creates the impression that urgent action is required, such as finding money to buy a gift for a family member. With staff being offline for longer than usual, attackers have more time to lurk on the network and encrypt devices. If your company works with gift cards, it will probably be targeted at this time of year, as gift card scams are an easy way for organised crime groups to generate significant profits ($200 million+). As online shopping increases around Christmas and during events such as Black Week and Black Friday, DDoS attacks on these shops, in which the attackers demand a ransom in exchange for stopping the attack, also occur quite frequently.

Christmas presents can also pose a threat. Imagine your new IP camera monitoring your front door: it is connected to your Wi-Fi and accessible from the internet because you wanted it to work quickly and did not configure it safely. So much can happen over Christmas. For example, you might see an advert for a discount code, but if you click on it, you could download something malicious. Alternatively, you might find a USB stick labelled 'Photos from last year's Christmas party' on the floor. When you insert it into your PC, rather than finding photos, you will find malware. These are just ideas and examples of real-life cyberattacks that have occurred at this time of year.

Although Halloween has passed, this is still rather spooky. So, how can we get rid of those annoying Christmas elves lurking online? Make sure your automations are working properly, your security tools are stable, and that you have at least one person on call. Also, ensure that you can contact other members of your security team in case of an emergency. Keep an eye on security news and enable notifications in case one of your vendors, software libraries or third-party companies is breached. A supply-chain attack is not a gift you would send even to your worst enemy. Most importantly, make sure your employees are aware that the festive season can pose cyber security risks.

It's not rocket science. What follows are just some logical measures to take to prepare for Christmas. Lock your doors so that the elves must come down the chimney, which will burn their feet and make them cry. Enforce MFA wherever possible and consider why some services might not have this option. Block risky locations, devices, IP addresses, and user agents to strengthen your security. Simulate the festive season and the limited availability of your security staff by conducting tabletop exercises with skeleton crews to ascertain their reliability and the reliability of your security infrastructure. Conduct penetration tests to determine whether you can detect and mitigate the elves on their sleigh after they have completed their activities. Since some people will take their devices with them, ensure that you can control them using MDM software, in case you need to analyse them or wipe them remotely. Speaking of home offices, ensure that employees can only access company data via a VPN. Auto-lock devices after a few minutes and enforce strong passwords on these devices. Physical thieves also like Christmas, when people go to church or visit relatives, so make it hard for them to steal company devices. Don't leave installing patches until the 23rd of December - imagine if your main product failed on Christmas Day and thousands of customers were relying on it, but you were not reachable because of the holidays. When it comes to money, have procedures in place to double-check all data in invoices or contracts, and set up real-time banking alerts to be ready to act if someone tries to transfer $24,122,025 when no one is looking.

To raise awareness, prepare a cyber security-themed advent calendar that teaches the most important lessons and refreshes existing knowledge. Make it playful and engaging for your employees. For those who complete all the activities, hold a prize draw for a small gift. Run some Christmas-themed phishing drills. As a team leader, please consider the psychological well-being of your employees. Don't overload them with work at the end of the year. This will harm them and drastically decrease the cyber security of your company, as they will be more prone to social engineering.

If you have completed these steps or similar ones on your 'Make Christmas Cyber Secure' checklist, you are ready to send the evil elves back to their workshop. A little vigilance now will help to ensure a merry season. Make sure you patch gaps, test your environments, and be prepared to react in an emergency. Treat every unexpected parcel, link, or sense of urgency as though you were a curious elf peeking where you shouldn't. Remain suspicious, ask questions, and verify identities via a second channel. Never transfer money or hand over sensitive information without a second pair of eyes.


There are plenty of cybersecurity blogs out there - but this one’s a little different. Think of it as your personal cyber bedtime story: a calm(ish), reflective read to end your day, with just the right mix of insight, realism and a touch of provocation.

I’m thrilled to introduce The Luna(r) Brief, a new monthly blog series the brilliant Luna-Marika Dahl will be writing for Cybersecurity Redefined - published on the second Monday of each month at 9PM CE(S)T.

Why late? Because cybersecurity doesn’t sleep - and neither do the thoughts that keep us up at night.

Each post is designed to be a thoughtful end-of-day read - short enough to digest after work, deep enough to spark new thinking.
