The holiday season brings joy, celebration, and time off, but it also signals an increase in targeted and opportunistic cyber threats and risks.
Cyber-attacks increase by 40% during holiday periods.
The festive season is not just a precarious time for individuals and employees but also organisations. Today, we will dive into the reasons behind surges in cyber-attacks during the festive season and outline the specific threats organisations should be vigilant against, whilst also touching on some recent examples of festive/holiday cyber-attacks.
The holiday season is synonymous with relaxation and a break from routine and work. Unfortunately, this break often extends to cyber security practices as well. Employees become more complacent, overlooking security protocols, and exposing vulnerabilities that attackers can exploit. 1Password reveals that 45% of employees who get distracted at work fail to comply with security rules at their organisation. The atmosphere of relaxation, of winding down for the year, can inadvertently create an environment where vigilance takes a back seat, making it easier for cybercriminals to infiltrate systems. All of the strong and safe security behaviours you have been building need to be refocused and fortified during the festive season, not bypassed.
The prevalence of out-of-office messages and reduced staffing levels during the holidays gives cyber attackers a prime opportunity. Knowing that response times may be delayed, threat actors strategically time their attacks to coincide with these periods. Attackers can also use out-of-office messages to pull valuable information such as shift times and contact numbers.
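One way to review auto-replies before the break is to scan their text for the details mentioned above. The sketch below is an added example, not TSC tooling; the patterns, function name and sample messages are assumptions constructed for illustration.

```python
import re

# Illustrative patterns (assumptions, not an exhaustive policy) for details
# that an out-of-office reply can leak to an external sender.
CHECKS = {
    "phone_number": re.compile(r"\+?\d[\d ()-]{8,}\d"),
    "clock_times": re.compile(r"\b\d{1,2}:\d{2}\b|\b\d{1,2} ?(?:am|pm)\b", re.I),
    "return_date": re.compile(
        r"\b(?:back|return\w*|until)\b[^.\n]{0,40}?\b\d{1,2}(?:st|nd|rd|th)? "
        r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\w*", re.I),
    "named_delegate": re.compile(r"\b(?:contact|call|email) [A-Z][a-z]+ [A-Z][a-z]+"),
}


def audit_auto_reply(text):
    """Return {check_name: [matched snippets]} for each detail the reply leaks."""
    findings = {}
    for name, pattern in CHECKS.items():
        hits = [m.group(0).strip() for m in pattern.finditer(text)]
        if hits:
            findings[name] = hits
    return findings


# Constructed sample messages; the name and number are fictional.
OVERSHARING = (
    "I am on leave and back on 3rd January. The service desk is staffed "
    "09:00 to 13:00 over the break. For urgent payments contact Jane Doe "
    "on +44 20 7946 0000."
)
MINIMAL = "Thank you for your email. I am currently unavailable and will reply when I can."

if __name__ == "__main__":
    for label, message in (("oversharing", OVERSHARING), ("minimal", MINIMAL)):
        print(label, audit_auto_reply(message))
```

A reply that produces findings is a candidate for a shorter external version that gives no dates, names or numbers.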
The festive season sees a considerable uptick in online shopping, with individuals eagerly hunting for the perfect gifts. This surge in online transactions becomes a breeding ground for cyber threat actors. They deploy tactics such as phishing emails and fraudulent websites to capitalise on the increased traffic, hoping to compromise sensitive information, financial details, or infiltrate organisational networks through unsuspecting shoppers. In fact, in 2022, shipping company DHL clocked in as the third-most impersonated brand in phishing emails (Check Point).
Holiday periods often coincide with staff vacations and company-wide annual leaves, leaving cyber security teams understaffed. This workforce shortage puts additional strain on security operations, making it more challenging for organisations to promptly detect and respond to potential threats. Cyber security defences may be stretched thin, providing attackers with a window of opportunity to exploit vulnerabilities that might otherwise be swiftly addressed. In their 2021 report, Cybereason noted that major ransomware attacks “tend to occur on weekends and holidays when fewer staff are around to detect and respond to them.”
The festive spirit can lead to employees being more easily distracted or, in some cases, inebriated during work hours. It is hard to believe, but a Cybereason survey reveals that a staggering 70% of respondents admitted to having been intoxicated when responding to a ransomware incident over the holidays. This altered state of focus can make them more susceptible to falling victim to social engineering attacks, phishing attempts, or engaging in risky online behaviour. Cybercriminals leverage this distraction to increase the success rate of their malicious activities.
The holiday season places an additional burden on organisational networks. Increased online activities, both professional and personal, can strain infrastructure, making it an opportune time for cyber attackers to exploit potential weaknesses. This strain may manifest in various forms, including slower response times, increased latency, and a higher risk of successful attacks such as Distributed Denial of Service (DDoS) attacks.
91% of all cyber-attacks start with a phishing email sent to an unsuspecting victim. Phishing remains a prevalent threat during the holidays, with cybercriminals leveraging festive themes to craft deceptive emails. Cisco’s Cybersecurity Threat Trends report reveals that phishing attacks historically spike during the holiday period, with a peak increase of 50% in December. The most worrying period of phishing emails is recorded as being between December 6th and 9th. These emails often mimic legitimate communications, enticing individuals to click on malicious links or provide sensitive information, posing a significant risk to organisational security.
Cyber attackers create fraudulent websites mimicking popular e-commerce platforms or charity organisations. Unsuspecting users may be lured into making transactions or providing personal information, leading to financial losses, and compromising sensitive data.
Multi-Factor Authentication (MFA) fatigue sets in during the holiday rush. With various accounts requiring additional verification steps, users may become less vigilant, creating opportunities for attackers to exploit weakened authentication processes.
The holiday season is not exempt from ransomware attacks. Darktrace data reveals a 70% increase globally in the average number of attempted ransomware attacks in November and December compared to the monthly average. Cybercriminals take advantage of potential vulnerabilities to encrypt critical data, demanding ransoms for its release. The impact of such attacks can be catastrophic for organisations, leading to financial losses and reputational damage.
Distributed Denial of Service (DDoS) attacks intensify during the festive period, disrupting online operations. Cybercriminals overload networks or services, causing downtime, impacting customer experience, and potentially resulting in financial losses for businesses. According to a Ponemon Institute study, the average downtime caused by a DDoS attack sits at 54 minutes, and the average cost of a DDoS attack sits at $22,000 for every minute of downtime. This is a very costly attack to fall for!
Attackers may attempt SQL injections to manipulate databases and gain unauthorised access to sensitive information. Organisations must fortify their systems to prevent these types of attacks, especially when faced with increased online activity.
Compromised login credentials from previous breaches are often recycled during the holidays. In 2021, it was estimated that eight million credential stuffing attacks were run against consumers every single day during the holiday season. Cybercriminals use stolen usernames and passwords to gain unauthorised access to accounts, potentially leading to data breaches and unauthorised activities.
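With fewer analysts watching over the break, a simple automated check can surface the pattern described above: one source failing logins for many different accounts, then succeeding on one. This is an added detection sketch, not part of the original article; the event format, thresholds and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: (ISO timestamp, source IP, username, outcome).
# The IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("2023-12-24T02:00:01", "203.0.113.7", "alice", "fail"),
    ("2023-12-24T02:00:03", "203.0.113.7", "bob", "fail"),
    ("2023-12-24T02:00:05", "203.0.113.7", "carol", "fail"),
    ("2023-12-24T02:00:08", "203.0.113.7", "dave", "fail"),
    ("2023-12-24T02:00:11", "203.0.113.7", "erin", "success"),
    # One user mistyping a password: should not be flagged.
    ("2023-12-24T09:15:00", "198.51.100.20", "frank", "fail"),
    ("2023-12-24T09:15:20", "198.51.100.20", "frank", "fail"),
    ("2023-12-24T09:15:40", "198.51.100.20", "frank", "success"),
]


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=4):
    """Flag IPs whose failed logins span many distinct accounts within a window.

    Returns {ip: {"failed_accounts": [...], "compromised": [...]}}, where
    "compromised" lists accounts that logged in successfully from that IP
    while the threshold was still exceeded.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        recent_fails = []  # (time, user) failures inside the sliding window
        for when, user, outcome in rows:
            recent_fails = [(t, u) for t, u in recent_fails if when - t <= window]
            if outcome == "fail":
                recent_fails.append((when, user))
            distinct = {u for _, u in recent_fails}
            if len(distinct) >= min_accounts:
                hit = findings.setdefault(ip, {"failed_accounts": [], "compromised": []})
                hit["failed_accounts"] = sorted(set(hit["failed_accounts"]) | distinct)
                if outcome == "success" and user not in hit["compromised"]:
                    hit["compromised"].append(user)
    return findings


if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_EVENTS))
```

Accounts listed under "compromised" are the ones to prioritise for a forced password reset and session revocation.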
As the use of Internet of Things (IoT) devices rises, attackers exploit vulnerabilities in these devices. Holiday-themed gadgets may become targets, posing risks to both personal and organisational security.
The holiday season witnesses a surge in identity theft attempts. Cybercriminals aim to steal personal information for financial gain or to facilitate other malicious activities, emphasising the need for robust identity protection measures.
Fraudulent transactions and unauthorised access to customer accounts peak during the festive shopping spree. In fact, The Cyber Express reports that by the end of 2023, e-commerce fraud in the retail sector will hit a staggering US$48 billion worldwide. Organisations must implement stringent security measures to safeguard customer data and maintain trust.
According to Verizon, 60% of breaches in the EMEA (Europe, Middle East, Africa) region include a social engineering component. Social engineering tactics intensify, with cybercriminals manipulating human psychology to trick individuals into divulging sensitive information. Awareness training becomes crucial in combating these sophisticated attacks.
Internal threats escalate during the holiday season, as disgruntled employees or those seeking financial gain may exploit their access to compromise organisational security.
Automated bots flood e-commerce sites during the holidays, artificially inflating shopping carts and causing inventory and sales disruptions. This deceptive tactic impacts both the customer experience and the financial health of businesses.
Public charging stations pose a threat through juice jacking, where attackers compromise devices connected to these stations. This tactic can lead to data theft and unauthorised access to sensitive information.
The use of public Wi-Fi during holiday travels exposes individuals and organisations to security risks. Cybercriminals may exploit unsecured connections, highlighting the importance of using Virtual Private Networks (VPNs) and other security measures.
Text message scams increase, with attackers attempting to deceive individuals into clicking on malicious links or divulging sensitive information. Users must exercise caution and verify the legitimacy of incoming messages.
The interconnected nature of supply chains becomes a target for cyber attackers. Organisations must assess and fortify their supply chain cyber security to prevent disruptions and unauthorised access to sensitive information.
In the midst of the heightened cyber threats during the festive season, TSC can be the cyber security training and awareness partner you need. Committed to equipping organisations and employees with the knowledge to combat both common and emerging cyber threats, we have meticulously crafted a comprehensive library of ready-to-go resources tailored to fortify your defences.
We can fortify your festive cyber security defences and awareness with:
To ensure your organisation is well-prepared for the cyber security challenges that accompany the festive season, we invite you to explore TSC's Festive Products Leaflet. This comprehensive guide details our array of resources and solutions, providing a roadmap to fortify your defences against cyber threats.
At The Security Company, we specialise in boosting cyber awareness, targeted training, customised projects and role-based solutions. Through our tailored subscription services, targeted and customised eLearning and awareness materials and our behavioural assessments, we're committed to helping organisations like yours instil long-term, security-conscious behaviours.
Our method is distinct. We begin by diving deep into your team's current mindset, pinpointing lax behaviours, security gaps and departments in need of focus and attention. From there, we craft tailored solutions that encourage better cyber practices from your employees. With comprehensive training and seamless integration into your current systems, we're here to fortify your team against modern cyber threats and be your trusted cyber security and awareness partner.
Ready to take the next step?
We can help you to formulate an effective and comprehensive festive cyber security training and awareness program for your organisation.
Do not hesitate to contact us for further information.
© The Security Company (International) Limited 2023