It’s Always the Most Wonderful Time of the Year — for Hackers
The year 2021 ended up with the highest holiday retail sales on record, with companies ramping up their efforts to capture consumers’ attention, dollars — and data. And it worked!
Ecommerce retail sales grew from 11% to 15% in the 2021–2022 holiday season. That’s an estimated $210 billion in eCommerce sales tied to personal information, banking credentials, corporate financial accounts, and even employee health records.
The total number of cyberattacks resulting in compromised data increased by 27% this year compared to 2020, showing businesses are more vulnerable than ever to security risks.
To counteract this rising threat and avoid exposing data to hackers, businesses need to identify and address weak security points and increase end-user education.
People are the weak point you can’t patch
Imagine you get an urgent email from your boss to review an attached PowerPoint deck before you take time off this summer. The sender’s name looks right, you know the presentation deck like the back of your hand, and you’re eager to hit the road and wrap up your workday.
A word of advice: Think twice before you click.
Businesses often get hacked for two reasons: software vulnerabilities or flaws in human behavior. Even the most robust corporate security infrastructures can be brought down by an employee falling for seemingly innocent emails, texts, or even voicemails.
Phishing attacks have grown more sophisticated over time, with hackers using unique subject lines, sender/IP addresses, URLs, and images that are indistinguishable from the software your employees use regularly.
If you think your team will never fall for a fake email or text message — think again. With more than 258 million corporate users, the Microsoft 365 platform is a breeding ground for sophisticated phishing attacks.
Attackers can mimic the protocols and appearance of Office 365 messages and interfaces to trick even the most astute users into downloading malware or disclosing their business login credentials.
Hackers build credential-stealing pages into the same platform used by the recipient, taking advantage of Microsoft Azure to build landing pages with Microsoft-signed SSL certificates. Some fraudsters even create a windows.net domain that is almost indistinguishable from the actual interface.
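A valid certificate on a windows.net address only proves the page is hosted on Azure, not that it is a Microsoft sign-in page. The added example below (not part of the original article) classifies links by their exact parsed hostname; the allowlist entry, function names, and sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host this organisation expects for Microsoft 365 sign-in.
EXPECTED_SIGN_IN_HOSTS = {"login.microsoftonline.com"}
# Suffix named in the article; Azure customers can publish their own content under it.
SHARED_HOSTING_SUFFIXES = ("windows.net",)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def classify_link(url):
    """Classify a link by its parsed hostname, never by substring search."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host in EXPECTED_SIGN_IN_HOSTS:
        return "expected-sign-in"
    if any(host == s or host.endswith("." + s) for s in SHARED_HOSTING_SUFFIXES):
        return "shared-hosting"
    return "other"


def links_to_review(body):
    """Return the links in a message body that sit on the shared namespace."""
    flagged = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")  # drop punctuation that trails the link in prose
        if classify_link(url) == "shared-hosting":
            flagged.append(url)
    return flagged


# Constructed sample message; the storage account name is made up.
SAMPLE_BODY = (
    "Please review the deck before you leave:\n"
    "https://constructed-sample.blob.core.windows.net/deck/index.html\n"
    "Password help: https://login.microsoftonline.com/.\n"
)

if __name__ == "__main__":
    for link in links_to_review(SAMPLE_BODY):
        print("review before clicking:", link)
```

Matching on the parsed hostname is what keeps lookalikes such as `login.microsoftonline.com.example.net` or `login.microsoftonline.com@portal.example.net` from passing as the real sign-in host.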
Given a 300% increase in cybercrime since the beginning of the pandemic, businesses need to examine the innate vulnerabilities in human nature to face the unexpected.
While threats vary depending on the size, sector, and type of organization in question, businesses have many weak points that are exacerbated over the holiday season or summer holidays.
- Abnormal activity is the standard.
  - Especially during any holiday or sales promotions, consumers and employees alike are overwhelmed by digital communication from e-commerce retailers across channels. Estimated retail e-commerce sales in 2021 amount to $207 billion, with retailers contacting end-users across multiple channels, including email and text.
  - With brands sending consumers a virtually endless amount of marketing collateral, end-users are less likely to be suspicious of an errant email from a cyber-criminal.
- Precautionary change freezes leave businesses vulnerable.
  - To avoid disrupting operations during a critical time of the year, many businesses impose some form of a change freeze across all production systems between Thanksgiving and the New Year and again in the summer, guaranteeing simple IT systems continue to operate efficiently.
  - Major retailers or software companies avoid making significant changes to their platforms or applications for fear of underperforming during a peak sales period, such as Black Friday or Christmas Day.
  - With online sales comprising an increasingly larger share of total sales, freezing business operations for weeks at a time can halt business and affect revenue.
- Staff turnover rates rise.
  - Particularly in the retail sector, businesses are more likely to hire temp workers or other staff to fill in the gaps for full-time employees who may be out of the office. But, of course, the same thing occurs during all “days off” and your summer holidays.
  - The risk of a business data breach or ransomware attack rises exponentially over certain times of the year, with criminals hoping to take advantage of distracted employees or teams that are not fully staffed during a busy time.
Five security best practices businesses should employ
For businesses, the security baseline during the holidays and summer vacay should be different from other times of the year. Your team should modify its strategy based on threats that may arise over time.
Identify security risks, know your infrastructure, and establish the protection controls you need to identify phishing attacks or other security breaches. Beyond the baseline, here are a few additional ways your business can protect itself during the high-traffic periods.
- Educate the end-user. Provide cybersecurity awareness training for both temporary and full-time employees. While this may seem like a given, businesses across sectors should consider implementing a refresher course on the type of cyber threats your organization might face over the year.
  - Since employees are likely more prone to phishing, ransomware, vishing, smishing, or even charity fraud in the winter months, educate your team on the simple precautions they can take to mitigate risk. Encourage employees to be cautious about the messages they read and the links they click and encourage them to continuously assess and verify both internal and external communications.
- Move toward micro-training techniques. No single learning method works for everyone, and varied approaches to security training are critical. For example, many organizations do annual 45-minute training and then require employees to take a 10-question quiz, which isn’t always effective or long-lasting. Instead, consider more pointed, personalized training and education around what employees should look for. For instance, a regular phishing test via email and text can keep your employees aware of the types of attacks they might be exposed to from multiple sources.
- Use multi-factor authentication. With most employees conducting business on their phones or mobile devices, multi-factor authentication (MFA) is vital to securing your business information and employee identities online. MFA adds an additional layer of security on sites containing sensitive information and makes it more challenging for an unauthorized user to log in as the account holder. Your credentials must come from two different device categories within an allotted amount of time to gain access. One of the most common methods is to send a user a unique code via phone, text, or email for them to input in addition to their username and password.
- Plan for short-term and temporary staffing changes. A strong incident response plan is vital all year, but it is particularly essential to update your contingency plan to account for your company’s periods of temporary or reduced staffing. In addition, all businesses should ensure security responsibilities are clearly understood across all departments, particularly in the event of a breach.
- Make an offline backup of critical systems and data. Continuously diversify your backup strategy to avoid a single point of failure. Create an offline backup and spread your backups across multiple technologies to make it harder for cybercriminals to impact your data availability. Even if you can’t prevent an attack, storing your data in various locations will minimize the damage caused to your business and give you adequate time to respond despite reduced staffing resources.
Life is hectic — Your security infrastructure doesn’t have to be
If your business is concerned about cyber attacks, you’re certainly not alone. In a recent survey, 89% of cybersecurity professionals were worried about a repeat cyber intrusion in 2022. Skeleton staffing, remote workers, system freezes, and an oversaturation of digital marketing to end-users can leave your team vulnerable to cybercriminals at any time of the year. You are not safe just because we are past the holidays.
While the threat of cyber attacks is ongoing, you can reduce the risk of a security breach with the right security solutions in place.
Learn more (corebtsdotcom) about how to minimize your organizational risk today so you can keep your team, customers, and data safe with a reliable plan in place.
Image Credit: Joshua Woroniecki; Pexels; Thank you
National Director — Security Services at Core BTS
Tim Grelling is the Director of Innovation, Security at Core BTS. Tim is a seasoned security professional that specializes in helping mid-market and enterprise organizations implement holistic IT solutions. With over 20 years of industry experience, he has worked with numerous Fortune 500 companies to assess security risk and guard against cyberattacks. As a Director of Innovation at Core BTS, Tim helps clients develop end-to-end security solutions that minimize organizational risk.