12 Cyber Security Threats of Christmas: Are you prepared?
Have you thought about the cyber threats your business could face this Christmas?
Christmas is fast approaching, and while you are gearing up to decorate the tree, purchasing presents and preparing the perfect Christmas dinner, hackers are looming on the sidelines planning their perfect time to strike. Our downtime is Christmas Day for hackers. Have you thought about the biggest cyber threats to your business during the most wonderful time of the year?
In this blog, we’re discussing the 12 major cyber threats you may face during this time so you can feel safe and enjoy time with your loved ones over the Christmas period, relaxing with confidence that your business is protected.
“Why should I be worried about Christmas in particular?”
We hear you. What is it about Christmas that should make you think more about cyber protection than other times of the year?
Well, the obvious answer is you should always be thinking about cyber security and safeguarding your business. However, Christmas is a time where people are more relaxed and staff are taking time away from work to spend with their friends and families. When you are not on constant watch, that’s when hackers strike.
They know when you are sleeping… and they know it could take days before you realise you’ve been hacked or attacked. It is the perfect time of year for them to strike without you knowing and being blissfully unaware until your customer data is in the wrong hands.
There is also remote working to consider, and the implications this has caused on businesses. Working from home increases your chances of being hacked if you are not suitably protected, and there is more chance of you being open to attacks. Combine this with Christmas and your business could potentially be a flashing neon sign for hackers looking for vulnerabilities.
Therefore, without further ado, we give to you… the 12 Cyber Security Threats of Christmas:
Phishing is one of the most common threats used by hackers. Why? Because it works. Those who are unaware can accidentally give away important personal details, business credentials, and information vital to the security of their business such as passwords and bank details.
There has been an increase in phishing attacks, as covered in DCMS’s latest Cyber Breaches Survey.
There are different types of phishing you need to be aware of:
- General Phishing – Usually easy to spot with grammatical and spelling errors, asking for details and/or money, and promising something in return – often a ‘lover’ or ‘lotto wins’
- Spear Phishing – These are harder to spot and use targeted personalised information to make them sound as though they’re from legitimate sources, such as suppliers or businesses you may know
- Whaling – This is CEO fraud and is highly targeted at senior executives. They usually use a sense of urgency to persuade the reader to act, often giving away sensitive information. It is sophisticated, digitally enabled fraud, executed through Social Engineering (more on this later)
What to do if you have fallen victim to a phishing scam?
Do not click on the email. Report to your IT management, and if you think you may have accidentally given away vital information, immediately report it to your system administrators and Action Fraud UK. The best offence against phishing attacks is defence; make sure your business is protected and your staff are well-trained to spot phishing emails.
Phishing emails can and often do lead to Ransomware attacks. Over the last year, ransomware attacks have been identified as the most significant cyber threat that the UK is facing. Healthcare organisations were the main target for ransomware attacks over the last year, with criminals constantly looking for the most sensitive data that they can acquire.
What is Ransomware?
Often following phishing campaigns, ransomware prevents you from accessing certain data on devices and the information stored there. Data is encrypted which criminals then demand payment in order for it to be released. This can severely impact a business or organisation’s services.
For both SME and larger businesses, ransomware is often the biggest threat, often causing more than 24 hours downtime. What would a 24 blackout mean for your business? In the last 12 months there have been a record number of attacks, and it is something to be aware of especially around Christmas time. Emails could be seasonally related, sharing tempting offers and citing parcels waiting for collection or missed deliveries. These can be easily missed amongst a higher volume of similar legitimate activity.
3. User/Human Error
User/human error is still one of the biggest vulnerabilities when it comes to cyber security threats. Are your staff trained properly? Is the code on your website up to date and regularly checked? Accidental mistakes can be a disaster when it comes to the security of your business.
Unfortunately, cyber criminals are aware of this, and will try to exploit it wherever possible. It’s easier than you think to protect against human and user errors. Around Christmas time, where attacks can be more prevalent, make sure your staff are up to date on their cyber security training, double check the code on your website, and make sure cyber policies are up to date.
By making sure your staff are updated and trained you are eliminating one of the weakest links when it comes to cyber security. Make sure you’re closing any potential gaps that hackers could exploit and use to breach your company.
4. Credentials Stolen
Are your business credentials for sale on the Dark Web? More than 15 billion business credentials are in circulation on the dark web, this is up more than 300% in just a few years. This information comes from over 100,000 business breaches and gaining this information through account takeovers has never been easier for cyber criminals.
Financial details, personal information, and sensitive documents are often stored in the cloud. While we may think it is safe, without the adequate protection your information is vulnerable to hackers who are looking for opportunities to steal and sell your data to the highest bidder.
You can check if your business credentials have been stolen or breached here. No information is stored on the database so your findings are safe and secure. The most prevalent breaches, where your credentials can be stolen and sold on the dark web, are through phishing and ransomware attacks. It is vital to make sure your information is protected this Christmas so you can relax and feel secure knowing your business is properly safeguarded.
5. Insider Threat
Are your employees happy? Are any of them disgruntled, holding grudges, perhaps you have some ex-employees who left on a sour note? Insider threat is a big problem when it comes to cyber security, and sensitive information can be leaked.
Preventing and protecting against any insider threats is the best method to mitigate any potential cyber security risks. While insider threat is declining in comparison to phishing and ransomware attacks, it is still something to be aware of. Make sure your software is up to date and patched correctly, that your staff are trained on your security protocols, and your passwords and sensitive information are updated and changed regularly to keep data secure.
6. Weak Passwords
65% of people use the same passwords for multiple accounts, leaving businesses potentially open and vulnerable. Are your passwords secure? Are they complex enough to make it hard for cyber criminals to breach?
Long passwords with a mix of capital letters and non-capitals, including numbers and special characters are recommended. We know it can be frustrating to remember multiple passwords, but it prevents hackers from gaining access to your accounts and sensitive data.
Before you leave for Christmas double check that your passwords are up to date and comply with best practice recommendations. Make sure all of your staff are following the password security policies, and that there are no gaps where hackers could potentially gain access while your guards are down.
Consider a password management tool. They offer a more secure way of managing multiple accounts and multiple passwords. For further information on password managers, you can look no further than this NCSC article, which should help you find the best solution for your business.
7. Incorrect Use Of Admin Accounts
Similar to human/user error, admin errors and incorrect use of admin accounts can lead to cyber breaches and hackers gaining access to sensitive information. If passwords are weak, and administration is overlooking security protocol, it leaves your business open to cyber attacks. Admin accounts often hold and store sensitive information about finances, accounts, and customers, which if not secured efficiently could lead to disaster.
Before Christmas check your admin accounts are secure, that data is protected, and that there are no gaps cyber criminals could target while you are unprepared. This way you can relax over Christmas knowing your business is sufficiently protected.
8. Social Engineering
Mentioned briefly earlier, Social Engineering has a category of its own due to its sophisticated and differing methods to breach your business. With hackers finding new ways of fooling businesses into giving away private data, accidentally installing malware on devices, and giving access to their accounts, Social Engineering has never been more of a threat.
Social Engineering often involves psychological manipulation, at Christmas time this may be manipulating your goodwill. These clever attacks trick employees and businesses into giving away sensitive data to hackers. Social Engineering is clever because it involves a human element, praying on the need to help others, and can therefore be difficult to prevent.
Hybrid or remote working has also increased the risk of Social Engineering attacks, as more employees are working from home using cloud-based systems which are easier for hackers to breach if not secured effectively. To prevent this, we would suggest making sure all your staff are adequately trained, and that they are aware of the psychological methods Social Engineering methods may use to manipulate them.
9. Data Exfiltration
Does your business have systems in place for data loss prevention (DLP)? Data Exfiltration is a security breach which can be conducted manually with access to a computer, or virtually through malware and malicious programming on a network. These attacks are often targeted with a specific aim and intent to gain access to a network or to locate and copy specific data.
According to the DCMS Cyber Security Breaches Survey, 46% of businesses and 26% of charities reported cyber security breaches or attacks over a 12-month period, most of these experiencing these issues on a weekly basis. Phishing and ransomware are methods used to gain access to data. Make sure your business is protected before you leave for Christmas, that staff are trained, and your emails are as secure as possible.
10. Misconfiguration of Devices
Are your devices configured correctly? Is your firewall working and updated properly? When cyber security software is updated or changed, this is when misconfigurations are most prevalent, leaving your business open to attack.
With the shift to remote and hybrid working, businesses have never been more vulnerable. With more businesses using cloud storage software to facilitate employees working from home, the dangers are at an all-time high. Misconfigured storage services have contributed to more than 200 breaches over the past two years which have exposed more than 30 billion records. It’s vital your firewall is correctly configured and up to date to protect your organisation from hackers.
Fortunately, many potential breaches are preventable simply by checking for any cyber security misconfigurations which are usually due to human or user error. Double check everything is updated and configured correctly before leaving for Christmas, minimising any gaps in your cyber security that cyber criminals can use to breach your organisation’s systems.
11. Patched Devices
Updating the patching on your devices is crucial in defending against hackers and cyber criminals. Patches are important because they fix known flaws in products that hackers could potentially use to gain access to your business. Keep all software on mobiles, tablets, laptops and desktop PCs up to date to reduce any vulnerabilities being exploited.
12. IoT Based Attacks
The ‘Internet of Things’ has been both a wonder and a curse. Connecting multiple devices through cloud-based software so you can use them all from one place has made working and living easier. However, it has come at a cost. Unfortunately, the speed and quality of manufacturer responses to security issues in ‘Internet of Things’ products has been extremely varied and many still lack basic security features.
At Christmas, gifts and potential cloud based connected devices can potentially cause a risk to your business. Make sure devices are updated, passwords are secure and complex, and keep your employees updated with relevant changes. NCSC is working on solutions to provide better cyber security for IoT devices, but it is important that you as a business remain vigilant and aware of any potential issues.
Wrapping up on cyber security christmas
See what we did there…?
We hope you’re now thinking about taking some steps to prevent your business from hackers, and to keep your data secure, not just over the Christmas period, but further ahead too. Remember, it is not all bad news, the fact you are reading this means you are taking the next steps in ensuring your business is safe over Christmas and beyond.