Happy Holidays? Why the Holiday Season is Prime Time for Cyber Criminals

Robert D. Stewart, Founder & CEO, White Tuque

Over the last decade, I have never been able to fully relax over the holidays.

In technology, why do things always seem to fail when people have time off? In my years as an Incident and Crisis Manager, some of the most impactful events I ever experienced always seemed to occur between December 20th and January 4th. An abnormally high portion of those incidents were critical and had an unusually extended timeline to restore.

Why?

I used to pass it off as bad luck, because outside of engagement time for support due to holidays, nothing else stood out in my post-mortems to speak to what the contributing factors could be. That all changed when I moved into Cyber Threat Intelligence. I was able to observe and research attack behaviour on organizations and combine that with my previous knowledge and experience resolving technology crises in late December and early January, and it terrified me.

What kept me on edge during the holiday season?

Let’s put our bad guy hat on for a moment and think like a Threat Actor. What opportunities are there to exploit in late December that are not there in any other period in the year? What factors are at play for business leaders that create a hospitable environment for the bad guys?

No One is Looking

Is there another 36-hour period in which so many western nations shut down and advertise the shutdown? Even critical services and those organizations that have 24/7 coverage tend to run at a minimal capacity. It is not hard to categorize employee or stakeholder behaviour between December 24th and January 2nd. “Try to avoid work, email, your phone, and meetings if you can” is a pretty typical directive for many employees.

How much could someone learn about holiday plans from your company’s social media? About your employees? Your suppliers and stakeholders? It does not take long for a Threat Actor to build a profile and understand who – and how – to attack.

If your employees know it’s downtime, if your customers know you and your partners are operating at limited capacity – so do the bad guys.

Guards Are Down

People are busy during the holiday season. Even if you have staff on call 24/7, are people checking email as often? Is that work phone as close by as it normally is? People naturally aren’t as diligent when they are busy, focused on other things, and involved in holiday chaos. Some requests (for additional spending or gift cards, for example) are not as abnormal this time of year.

Let’s consider the mentality of someone who receives an urgent request over the holiday. “Would my boss email me if it wasn’t urgent? If I don’t do this, then others will get bothered during the holidays.” Employees and Stakeholders are more likely to take action independently over the holidays compared to a normal working day.

A Call No One Wants to Make

It’s December 25th and you receive an alert about an issue. Many of us might think, “Do I need to bother people on the morning of the 25th, or can it wait until we’re back at work in a few days?” A lot can happen in a few days. Delays in acting can result in the threat escalating in various and unpredictable ways, not to mention this simply allows more time for the cybercriminal to execute and expand the attack.

There is no better time of year for cyber criminals to take advantage of an employer providing work-life balance to its employees.

Lack of Processes and Playbooks

Remaining efficient during an attack may sound like an unattainable ideal, but ensuring your organization has logical and actionable Processes and Playbooks in place before an attack occurs is essential to remaining resilient. If you don’t have a plan to handle a cyberattack at the best of times, chances of successfully defending your business in the face of a cyberattack during the holidays are low.

Refining your Processes and having a Playbook that outlines roles and responsibilities for team members during the attack is a preventative measure that keeps bad days from becoming bad weeks or months. If you are delayed in gathering approvals and engaging the right resources and partners, you’re giving cyber criminals a free advantage.

Availability of Resources

Organizations should also consider both the internal and external resources available during this time of year. If you have on-call coverage, do you know what the response time is? What if you don’t have coverage? Do you know how to engage the decision makers and vendor partners during the holidays? What supports will your on-call people need to respond and be empowered to react as needed?

What about your partners and vendors? If an event happened on a statutory holiday, do you know how to get your legal team? Will you be able to reach your web developer and host? Can they get the people you need? Coordinating the required resources during a cyber event can be difficult when you don’t have all the resources around you.

If your organization has no plan to engage stakeholders over the holidays, you have no plan to defend against fraudsters and threat actors.

Would Anyone Even Notice?

Let’s think of an art gallery that sells works by local artists and decides to shut down for a week over the holidays. It doesn’t have the same security systems that a museum or high-end art gallery would. Someone breaks in quietly on December 25th, yet it isn’t noticed until the gallery re-opens on January 2nd, when regular business functions return. Does your business have critical technology that is only actively used when servicing customers?

Bad guys know that they have a potentially large window of time in which to operate and perform a successful and sophisticated attack, exfiltrate data, and take further control of downstream systems. These types of systems or business processes are the ones most likely to be attacked.

If a Threat Actor knows they have a window of opportunity, they will use it.

The Wrap-Up

When you think of all those factors that come into play during a cyber incident, you can most certainly see why firms across the globe should be concerned about the conditions created by much of the world taking some time off. The good news? To help remediate those potential conditions, the fix is simple and available: you just need to make preparing for a cyberattack a priority in your organization.

Organizations do not always have to install a ‘magic box’ to attempt to mitigate their risk to technology outages or cyberattacks. What they do need to do is ensure they are prepared through proper use of Processes, developing Playbooks, and improving upon those through tabletop exercises which act as ‘fire drills’ for your team to prepare for a cohesive response.

Always remember, bad guys and fraudsters hope to use your technology to easily attack and insert themselves among your people and critical processes. They will exploit your vulnerabilities to make their job faster, easier, and more fruitful. Preparing for what would happen during a cyberattack in different scenarios can give organizations a significant advantage in defending their technology, their data and, most importantly, the critical processes that make their business a business.