For many businesses, Christmas is the worst time of the year to suffer a cyber-attack. Not only is it hugely demoralising, it also means staff have to work overtime to investigate the breach and to plug the security holes it exposed. Furthermore, with Christmas being the peak trading period for a lot of organisations, a security incident could have a huge financial impact on sales. This may result in reputational damage, being unable to pay Christmas bonuses or even going into administration.
For example, if a security incident affected your e-commerce website, your customers would be unable to purchase Christmas gifts and might choose to purchase elsewhere. After all, time is of the essence, and can they really trust your website to safely process their financial details?
On the other hand, businesses that have a quiet December are liable to take a more relaxed approach to work. There may be skeleton staff, with employees taking unused annual leave, and those that are working are often preoccupied with the office secret Santa or the upcoming festive Zoom quizzes (how very 2020). Cyber-criminals know that this is the perfect time to catch your staff off-guard.
Although this may all sound a little ‘Ebenezer Scrooge’… fear not. Don’t let hackers steal your Christmas cheer! By following these top tips, you can ensure your business will have a cyber-safe Christmas.
Top tips for a cyber-safe Christmas:
- Build strong cyber resilience: It is important to actively learn from your experiences so that you can build stronger resilience against cyber-attacks. Actively testing the effectiveness of security controls will help you to adapt to risks before they materialise. By undertaking regular CREST-accredited penetration tests, you can uncover and patch weaknesses in your security defences, applications and network before an attacker finds them first.
- Mobile management policies: If your staff work on the move or remotely, devices should be encrypted (so that data at rest is unreadable if the device is lost) and policies should be in place to protect critical company data in case a device is lost or compromised. Mobile device management (MDM) solutions such as Meraki’s allow you to remotely wipe sensitive information from mobile devices if needed. This gives you peace of mind that you retain control over corporate information.
- Find out if your employees are naughty or nice: Are you confident that your employees would not fall for phishing scams? Well, with phishing simulation services, you can find out! Phishing awareness is especially important around the festive period, as scams are more prevalent and employees often drop their guard during the ‘Christmas wind-down’. Regular phishing simulation tests are a good way to test scam awareness. They are a chance to identify your security weaknesses and test the effectiveness of your employee training in a real-life scenario. Phishing emails can be tailored specifically to your business: they can appear to be from your CEO, IT Manager, suppliers or even big-name brands like Amazon. If employees are duped into downloading the faux-malicious file, their clicks will be tracked and they will be directed to comprehensive phishing awareness training and videos.
- Last Christmas, I gave you my… password! When it comes to password policies, employees need to avoid pet names, their date of birth, family names, their favourite holiday destination… the list goes on. Although a simple birthday post may seem harmless enough, hackers can glean a huge amount of information from your social media accounts. The moral of the story is: do not overshare online, keep accounts private and use unique, randomised passwords for every account. To reduce the risk of your employees using weak and recycled passwords, you can introduce a company-wide password manager. Password managers such as LastPass allow you to run reports to identify staff who are not following password best practice (bear in mind that such reports only cover credentials that have actually been stored in the manager).
- Build an incident response plan: Although a cyber-breach is most certainly not on your Christmas list, it is important to prepare for the worst-case scenario. How thoroughly you respond to a breach can often mean the difference between a minor disruption and completely going out of business. To minimise business downtime and critical data loss, you must have a tried and tested plan in place. This not only helps to keep your business operational, it also means that you waste no time in reporting a notifiable personal data breach to the ICO, which under UK GDPR must be done within 72 hours of becoming aware of it.
- Email security controls: As our email accounts are one of our most important digital assets, we cannot depend on the bare-minimum security controls to keep them protected. Unfortunately, many businesses are still depending on the default security features offered by email providers such as Office 365 to safeguard corporate accounts. However, as email continues to be the number one cyber-attack vector across the globe (especially during the festive period), businesses need to strengthen their email security measures to reduce the risk of being compromised. This should involve enforcing anti-spoofing controls (SPF, DKIM and a DMARC policy that actually rejects or quarantines, rather than merely monitors), being able to identify malicious emails, and preventing large or unusual transfers of data out of the organisation.
- Assemble a strong and reliable security team: In order to proactively mitigate cyber-threats, you must have the appropriate expertise to tackle the ever-changing threat landscape. Although some businesses may lack the financial means to fund a full-time Cyber Security professional, outsourcing to a specialist security company can be a more budget-friendly option. By having the support of Cyber Security experts, you can rest assured that you are doing all you can to protect the integrity of your business critical data.
- BYOD Policies: In the wake of the pandemic earlier this year, many companies were forced to allow the use of personal devices for business use. However, in order to reduce the risk of data loss, device compromise or a network breach, your company needs to establish an effective BYOD security policy. This should involve mandating that software is kept up to date, installing security controls, encrypting data and ensuring you can remotely wipe corporate data from the device if it is stolen or breached. It is important to promote a culture focused on cyber-security best practice, in order to ensure employees follow the necessary procedures.
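The email security tip above talks about enforcing anti-spoofing controls. The following is an added example, not code from the original article or from any vendor it mentions: a small Python checker that reads a domain's SPF and DMARC TXT records and reports the common misconfigurations that leave a domain spoofable (an SPF record ending in `?all` or `~all`, a DMARC record with `p=none`, or a policy applied to only a percentage of mail). The domain names and TXT records are constructed for illustration and are looked up from an in-memory table so the block runs offline; in practice you would replace `lookup_txt` with a real DNS TXT query.

```python
"""Assess SPF and DMARC records for anti-spoofing enforcement.

Added example. The domains and TXT records below are constructed
sample data, not real DNS lookups; swap lookup_txt() for a DNS query
(e.g. via dnspython) to run this against a real domain.
"""
import re

# Constructed sample TXT records keyed by the name that would be queried.
SAMPLE_TXT = {
    "example-weak.test": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
    "example-strong.test": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.example-strong.test": ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-strong.test"],
    "example-partial.test": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example-partial.test": ["v=DMARC1; p=quarantine; pct=25"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns [] for names with no record."""
    return SAMPLE_TXT.get(name, [])


def spf_all_qualifier(txt_records):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?'),
    or None if there is no single SPF record or no 'all' mechanism."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero or multiple SPF records: treated as permerror
        return None
    for term in spf[0].split()[1:]:
        m = re.fullmatch(r"([+\-~?])?all", term, re.I)
        if m:
            return m.group(1) or "+"  # qualifier defaults to '+'
    return None


def parse_dmarc(txt_records):
    """Return the DMARC tags as a dict, or {} if no single DMARC record."""
    dm = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dm) != 1:
        return {}
    tags = {}
    for part in dm[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(domain, lookup=lookup_txt):
    """Return a list of findings; an empty list means SPF and DMARC enforce."""
    findings = []

    qual = spf_all_qualifier(lookup(domain))
    if qual is None:
        findings.append("SPF: record missing, duplicated or without an 'all' mechanism")
    elif qual in ("+", "?"):
        findings.append(f"SPF: '{qual}all' does not restrict who may send as this domain")
    elif qual == "~":
        findings.append("SPF: '~all' is softfail only; receivers rarely reject on it")

    tags = parse_dmarc(lookup("_dmarc." + domain))
    policy = tags.get("p", "").lower()
    if not tags:
        findings.append("DMARC: no record published")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: unrecognised policy {policy!r}")
    elif tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")

    return findings


if __name__ == "__main__":
    for d in ("example-weak.test", "example-partial.test", "example-strong.test"):
        print(d, assess(d) or ["OK: SPF hard-fails and DMARC enforces"])
```

The checker only inspects what is published in DNS; it does not prove that outbound mail is actually DKIM-signed or that SPF `include:` targets resolve, both of which a full assessment would also verify.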