While the holidays are a time of joy and rest for many, they also tend to be host to a unique set of threats for security teams to tackle. As employees wind down for the year and set up their out-of-office emails, threat actors are gearing up to target businesses with holiday cyberattacks.
According to research, holidays and weekends are prime times for adversaries to strike: in a new survey by Semperis, 72% of respondents were hit by ransomware attacks during the holiday period.
Striking during the holidays makes business sense – for attackers at least – because there are fewer people available to handle security threats. Organizations reduce their security staffing by up to 70% during weekends and holidays, according to security outfit Cybereason.
So, as the holiday period is upon us, what are the biggest threats to look out for and how can they be overcome?
Threats to security
The nature of the holiday period sees staff winding down or taking time off work. Cybercriminals are well aware of this lull, timing their attacks to coincide with the period when defenses are weaker, says Pieter VanIperen, CISO at Own Company.
During this time, attacks that would have otherwise been mitigated are more likely to defeat a firm’s defenses. Short-staffed teams can impact proactive monitoring and introduce delays to incident response, says Adam Harrison, managing director at FTI Consulting’s cyber security practice. “Incidents that may have been detected and contained while the security team was fully staffed could escalate into something more serious due to slower response times.”
Adding to this, with fewer team members available, organizations often delay updates to maintain operational continuity. This can inadvertently open vulnerabilities for attackers to exploit, says Lorenzo Grillo, managing director and head of cyber in the disputes and investigations practice at management consultancy Alvarez & Marsal.
Remote working as employees travel during the holiday period adds further risk. “Devices are more prone to loss or theft,” Grillo says. “Unsecured networks, used when traveling, increase the chance of unauthorized access to business data.”
More effective attacks
When an incident hits during the holidays, it can leave firms scrambling to pick up the pieces – and it can also take much longer to recover. Distributed denial-of-service (DDoS) attacks are more effective during this period, says Grillo. “Increased web traffic naturally strains server capacity, making it easier for attackers to crash sites with fewer botnets.”
The fallout from certain cyber incidents, such as ransomware or DDoS attacks, can leave firms scrambling for days or weeks to restore business operations. This challenge is heightened during the holidays when key personnel to properly manage cyber incidents are often unavailable, says Grillo.
Making things worse, while many firms are aware that hackers love holidays, they “don’t have great response plans in place”, says Greg Crowley, CISO at eSentire. “Often, the first problem is delays in seeing and responding to security alerts and notifications.”
There can also be issues getting in contact with all the right people while they are off. “These delays give the attackers time to execute their mission, gain a persistent foothold in your network, and exfiltrate valuable data,” Crowley says.
In addition, ransomware operators know if they catch a victim at a time when it’s difficult to gather decision-makers, the likelihood of the ransom being paid is higher, says Rob O’Connor, technology lead and CISO at Insight.
Ransomware “offers” typically capitalize on this, with attackers giving a limited time until the price of the ransom increases. “Or they threaten to leak sensitive data to the internet,” O’Connor warns.
Preparing for the holiday crunch
Taking the risks into account, it’s important that companies and security teams are prepared for the holiday crunch period. Ensuring your incident response plan is up to date and fit for purpose – with consideration of how it would operate with key stakeholders missing – is “critical”, says Harrison.
A mature and well-tested incident response plan should be able to address the potential for breaches to occur during the holiday period – or when key stakeholders are difficult to contact, says Harrison. “Delegated authority, pre-defined responses and decision points, and incident categorization and escalation paths will help an incident response team to operate with a degree of autonomy.”
Identifying and assigning staff to be on-call and respond in case of an emergency is a common approach, says Harrison. “There need to be defined expectations around availability during this period, as well as appropriate remuneration and a balance of coverage to ensure staff are able to take time off.”
At the same time, organizations must be prepared to make rapid decisions when a cyber disaster does happen, says VanIperen. “You have to think about worst-case scenarios and how you would go from zero to a minimal level of service.”
As part of this, companies should consider how they would perform if they lost their usual online communication channels, such as email or Slack, says VanIperen. “Or consider what would happen if the person who retains most of the IT knowledge within the business wasn’t available during a cyber-attack, in this case, because they are on holiday.”
In addition, basic security measures can help limit the damage from holiday attacks, says Matthew Johnson, threat intelligence analyst at NormCyber. “Use strong, secure passwords along with multi-factor authentication on all accounts that allow it. This will be one of your strongest defense walls against attackers.”
Meanwhile, regularly patching systems to close off as many vulnerabilities as possible before the holiday period will give firms an extra boost. Conducting pre-holiday security reviews helps address system vulnerabilities and ensure access controls are properly configured, says VanIperen.
In addition, O’Connor recommends security awareness training across all staff, reminding them of the heightened risk during the festive period.
Harrison adds that temporary or seasonal employees should be trained on security processes to reduce the risks associated with their roles. “Make sure their access is not over-provisioned, limited to what is required to perform their job only, and rescinded when they leave,” he says. “Remind employees of the importance of reporting suspicious activity, even if it’s during their time off.”
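The pre-holiday review Harrison and VanIperen describe (temporary staff not over-provisioned, access rescinded when contracts end) can be made a repeatable check. The script below is an added example, not code from the article or any vendor quoted in it; the role baseline and the account records are constructed for illustration.

```python
"""Pre-holiday access review for temporary or seasonal accounts.

Added example (not from the article). Flags accounts whose entitlements
exceed their role's least-privilege baseline (over-provisioned) and accounts
still enabled after their contract end date (access not rescinded).
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical least-privilege baseline per seasonal role (assumption).
ROLE_BASELINE = {
    "seasonal-warehouse": {"wms:read", "wms:scan"},
    "seasonal-support": {"helpdesk:read", "helpdesk:reply"},
}

@dataclass
class Account:
    user: str
    role: str
    entitlements: set
    contract_end: date
    enabled: bool

def review_accounts(accounts, today):
    """Return a list of (user, issue, detail) findings for the review date."""
    findings = []
    for a in accounts:
        baseline = ROLE_BASELINE.get(a.role)
        if baseline is None:
            findings.append((a.user, "unknown-role", a.role))
            continue
        extra = a.entitlements - baseline          # rights beyond the role
        if extra:
            findings.append((a.user, "over-provisioned", sorted(extra)))
        if a.enabled and a.contract_end < today:    # contract over, still on
            findings.append((a.user, "not-rescinded", a.contract_end.isoformat()))
    return findings

# Constructed sample data: one clean account, one over-provisioned, one stale.
SAMPLE = [
    Account("tmp-alice", "seasonal-warehouse", {"wms:read", "wms:scan"}, date(2025, 1, 5), True),
    Account("tmp-bob", "seasonal-warehouse", {"wms:read", "wms:scan", "admin:all"}, date(2025, 1, 5), True),
    Account("tmp-carol", "seasonal-support", {"helpdesk:read"}, date(2024, 12, 20), True),
]
REVIEW_DATE = date(2024, 12, 24)

if __name__ == "__main__":
    for finding in review_accounts(SAMPLE, REVIEW_DATE):
        print(finding)
```

Run it before the holiday freeze and again on the first day back, so anything provisioned in between is caught.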