'Tis the Season to Be Cautious: Cyber-Safety Tips for the Holidays
With 20%-25% of annual retail sales taking place during the holiday season, one can only assume that retailers have spent the last few weeks busy beefing up their cyber security – and network capacity – in readiness for the huge influx of traffic, whether naughty or nice. But the truth is, businesses in all industries need to take extra precautions during this time of year. Employees will be employees and, in all the hustle and bustle of the holiday season, their internet behavior might expose enterprise data to exceptional risk.
A Litany of Attacks
Thieves of money and cyber data relish the holiday season. They save up some of their most aggressive tactics to trick employees into divulging valuable data, allowing the thieves to invade enterprise networks and make off with the goods. Below are just a few types of attacks that skyrocket around the holiday season.
Many enterprises witness a sudden rash of electronic greeting cards sent from one employee to another, or received by employees from external sources. The Department of Homeland Security’s Computer Emergency Readiness Team has issued a warning that e-greeting cards, even from seemingly reputable websites, may contain malicious links including false ads. Clicking on these links and ads can activate malware that quickly spreads throughout the enterprise network.
Phishing for Data
Widely used phishing scams involve sending seemingly innocent and helpful e-mails to employees, directing them to spoofed websites where data thieves lie in wait. Users are misled into providing personal or company data that allows hackers to attack additional users on the network – or the business itself.
Holiday-themed phishing scams are especially effective. Hackers know that during the gift-buying season people are particularly susceptible to emails containing awesome sales come-ons and discounts. Falsified FedEx, UPS, DHL and postal service emails trick users into clicking through to sham websites and unwittingly sharing information with cyber criminals.
Let’s be honest: Especially in the run-up to the holidays, a good deal of personal business is conducted from company endpoints. One wrong click and the hacker hits pay-dirt. He can now download malware onto the endpoint and, from there, get at the enterprise network, servers and customer data. After that, anything goes.
Enterprising hackers don’t only hack online ad systems to inject fake ads. They also buy ad space on legitimate web sites. Once again, a single click on a seemingly innocent ad – even on a reliable site – may inject malware onto an endpoint and lead to the next full-blown ransomware attack.
Cyber-Protect Your Enterprise During the Holiday Season
What can businesses do to protect their networks and data during this time of year? After all, nothing spoils seasonal festivity and joy quite like a badly timed cyber security incident.
There are many immediate steps that businesses can take to bolster enterprise security and mitigate the risk of cyberattacks. Do them now and start the New Year right!
Making Employees Aware
First and foremost, make sure that employees are aware of the threats. It is never too late to start or update an employee-training program to make people more alert to cyber dangers. 80% of data breaches are due to insider threats. While a small portion of these are intentional, the vast majority are simply the outcome of ignorance and negligence.
Many companies include cyber-security awareness training in their orientation of new hires. However, research shows that knowledge retention improves significantly when training sessions are held at regular intervals. The start of the holiday season is a great time to schedule the next session.
An effective password policy is essential. For some strange reason, many enterprises still use default passwords. That’s the first course of action by the hacker, so let’s stop that practice in its tracks.
New password guidelines were recently issued by the National Institute of Standards and Technology (NIST). Now is a good time to implement them.
Setup User Group Policies in Active Directory to enforce password policies based on NIST recommendations such as:
- Simpler – NIST no longer recommends enforcing specific combinations containing special characters or a mix of lower and upper-case characters, so you don’t need to require them
- Longer – at least 8 characters, but longer is better
- Memorable – something that users will remember; NIST recommends using passphrases containing typical English words
- Different passwords for different services – don’t re-use the same password across services
- Forget about expiration – NIST has determined that requiring frequent changes to passwords just confuses users, while contributing nothing to security
Freezing Production Systems
The lead-up to your business’s busiest season is not the right time to introduce new production systems or changes to existing ones:
- Don't implement any new software or technologies within your production systems until after the rush
- Ensure that essential systems are running smoothly and properly
- Make cautious exceptions to these rules for critical security patches, but test them carefully before rolling out the patches
Throughout the network, make sure you regularly update:
- Antivirus software on all endpoints and servers
- Operating systems and application software with the latest security patches
Have a careful look around your network:
- Remove unused, end-of-life (EOL), unsupported, or unapproved applications
Filtering Web Content
Web filters and secure web gateways screen incoming Web pages, allowing the enterprise to block pages that are likely to include objectionable advertising, spyware, viruses, and other risky or undesirable content. Some Web filter products also provide the ability to report on the kinds of traffic being filtered, and where it originated.
- Install a web-filter program to block access to malicious websites, restricting employees from viewing certain websites or categories of websites
- Implement secure browsing solutions to neutralize any threats that may be lurking in ‘uncategorized’ websites (or even within the browser itself)
Securing Wireless Access Points
Did you know that Wireless Access Points are easy to hack?
It’s surprising how many enterprises still don’t secure access points, even though doing so is easy and provides a significant layer of cyber security:
- Don’t broadcast the internal WiFi network
- Make sure that all routers use WPA2 802.11x security protocols, which are more difficult to crack than WPA or WEP
- Set up a separate, public WiFi network with a unique password for guests
Sharing and Following Threat Data
Many criminals share attack methods and use them to strike at multiple enterprises. Take pre-emptive action by learning what’s happening to other enterprises and share what’s happening at yours. By sharing threat data, such as malicious techniques and indicators of compromise (IOCs), enterprises can stack the odds in their favor by taking preemptive steps to curb cyber-attacks:
- Subscribe to multiple threat-intelligence feeds
- Notify open-source threat-intelligence communities whenever your enterprise suffers a cyber incident
Cyber-security is a never-ending battle. At this time of year, many enterprises are especially susceptible to attacks. An extra bit of attention now can go a long way to securing your network and data during the holiday season.
Implement our tips and finish 2017 as a security success!