Cyber 101: Avoiding the Online Grinch this Holiday Season

A partner recently asked “Why are there so many Cyber attacks during the holidays, and what advice can I give my customers to help defend them this year?”

Ah, the holidays here in the US are upon us.  Thanksgiving leads to Black Friday, Small Business Saturday, and Cyber Monday – and all of it leads to an uptick in the amount of Cybercrime we see that doesn’t let up until February.  So why is that the case? What can you do to help defend your customers who have retail operations and those who just shop online?  Let’s take a deeper look:

Cybercrime spikes in the USA around the Thanksgiving holiday for a very simple reason – a huge number of people shop online over the long weekend and Cyber Monday, so criminals are much more active simply because so many people are online and shopping at the same time. With the amount of advertising, sales, and revenue tied up in the month or so between Thanksgiving and the end of the year, threat activity remains high until well into the New Year in most geographic regions. Compromising a payment system during most of the year can net criminals thousands of sets of credentials and information. Compromising it just during the holiday shopping season can net them far more – and with only a few weeks of active attack instead of months of work. Scams revolving around returns of “gifts” can extend the pain for most retail organizations well beyond the end of December – with a combination of digital and physical scams trying to get money for nothing.

There is a secondary reason, though, and that’s the notorious “production freeze” effect. During the peak activity times of most retailers, data systems are locked down and left unchanged until the peak period is over. This is done to restrict the potential for downtime, where minutes offline could equate to hundreds of thousands or even millions of dollars in lost revenue. The offshoot effect of the freeze is that critical security reconfigurations and updates also tend not to get done until after the holiday rush, and known misconfigurations remain uncorrected as well. This leads to lots of exploitable vulnerabilities, and fewer-than-normal folks monitoring them as IT teams and MSP personnel spend some well-deserved time with family and friends.

Helping both your own customers and their customers can be tricky, but is also critical during the holiday season. With the first batch of breaches already being brought to light, it’s more important than ever to strengthen defenses and increase monitoring for potential issues during the festive season. Here are a few things that you can do to make that happen:

  • Remember that giving employees appropriate time off for the holidays is critical; but so is making sure you have the right number of staff, with the right specialities, available when they’re needed.  Consider additional incentives to be on-call during periods traditionally given as holiday/PTO, with alternate time off for those who volunteer to work holiday times and financial benefits as well.  A relatively small budgetary outlay for incentives can defend against a massive loss of reputation and revenue if the right people aren’t available to fix an emerging issue.
  • Encourage retail and other customers to not implement a full freeze.  Continue to apply all patches and updates as quickly as possible and make changes to networking and other equipment to combat emerging threats.  Known vulnerabilities should be addressed, even in the middle of peak activity, as threat actors know that they have a window of attack if you leave them exposed.
  • Offer quick (15-30 minutes or so) point training sessions for Security Awareness Training. Quick overviews of common topics like email safety, common voice and physical scams, etc. can stop a potential threat actor from succeeding when there are fewer people watching what’s going on.  Every employee can help stop threat activity without putting themselves in danger or making their stressful work days any worse.  Incorporating 5-minute “heads up” sessions into the daily stand-up is another great way to accomplish this.  Anything to help keep threat defense top-of-mind as they go about their daily operations.
  • Set up easy-to-use self-reporting of any suspicious activity or accidental violations of cybersecurity. Better to counsel an employee about how to not do something again than find out about it months later when the breach is already endangering company reputation and causing breach notifications and charge-backs to go out. Employees will make mistakes; the best companies recognize that one mistake is not a pattern, but a teachable moment.
  • MSPs themselves are primary targets for attacks, especially if they’re known to work with retail clients. Why break into 20 different businesses when the threat actor can just compromise one MSP and have access to the same systems and information? Increase your guard during these busy seasons.
  • Finally, all employees should know that they might be targeted outside normal business operations. Threat actors may attempt to gain credential information or access by compromising personal phones, laptops, tablets, and other non-company equipment that may be used for company business. Let employees – from the most senior executives to the newest part-time staffers – know that they must be on guard even when they’re not on the clock.

Threat actors who strike during busy retail periods can be stopped, or at the very least detected and contained, when everyone from the MSP to the checkout clerk is working together to make sure physical and digital defenses are kept high. Let’s make this a holiday season that’s joyous and fun for both employees and customers, and only ruin the spirit for the cybercriminals who want to make their day at everyone else’s expense.

Mike Talon