This holiday season brings plenty of stress for businesses, battling a slew of cyber risks. From holiday phishing scams to Wi-Fi attacks and insider threats, this year is set to bring in fresh cybersecurity challenges. Check out the five most common risks enterprises face in the holiday season and how to address them.
With homebound workforces across multiple locations, multi-perimeter defense is no doubt important in the age of COVID, businesses need to shore up internal defenses to stave off insider threats from temporary workers.
This includes restricting remote access that isn’t needed for specific users and isolating sensitive data from users/accounts that don’t need it. Plus, it is a must to factor in endpoint security and BYOD activity for compliance and security during the holiday season.
Here, we outline the five most common cybersecurity threats businesses should watch out for over the next few weeks and address them.
1. Unsafe E-commerce Sites Accessed During Work
There’s always some risk involved in e-commerce, as there are thousands of fake shopping sites out there and online payments are a popular target among hackers.
This risk multiplies during the holiday season, as a few employees will inevitably do their last-minute shopping while at work from company-issued devices. In a WFH world, this is an even bigger problem, as the lines between work and personal activity are increasingly blurred. An employee might use a work device to quickly place an order in the weeks leading up to Christmas, late one night while getting a head start on the post-holiday workload.
Action point: Secure your enterprise network perimeter so that suspicious e-commerce websites are blocked. Configure business email so that hyperlinks from promos and marketing emails don’t open automatically. You should also monitor employees’ online activity to preempt any red flags.
2. Phishing Emails and Holiday-related Fraud
This is probably the most common threat you will encounter during the holiday season. Hackers tend to get more creative at this time, luring unsuspecting employees with lucrative discounts, exclusive products, and rewards. As a large portion of your workforce is in the mood to spend, the chances are higher of someone clicking on the bait and opening your enterprise network to attacks.
For non-retail companies, there’s a risk that a phishing email will install malicious software on a company device or extract login credentials for your enterprise network. Retail companies are battling a much larger challenge, as hackers typically target their customer data repositories.
This risk is exacerbated by human error.
Action point: Don’t be frugal about cyber awareness during the holiday season. Overworked employees can make errors or overlook vulnerabilities that could cost you down the line. Hold refresher training sessions to train employees about phishing risk and secure email protocol, fighting against social engineering attacks as much as possible.
3. Vulnerabilities in New Devices and BYOD
This an emerging risk, with less of a probability than the other holiday-related attacks we are discussing, but it deserves attention nonetheless.
The holidays are a time when a lot of us buy new gadgets or receive them as gifts, and most employees will inevitably plug these devices into the enterprise network. For example, a smartwatch connects to an employee’s mobile device, which, in turn, connects with the company’s private network. Confidential data like emails are relayed to the device if an employee uses it for notifications, etc.
Potentially, a cybercriminal could use the device as a backdoor to hack the network, as confirmed by academic research. At the very least, employees’ personal data is at risk if these new devices are incorrectly configured.
Remember, wearables are among Deloitte’s predictions for the top ten most desired gifts in 2020, making this a bigger problem than you might imagine.
Action point: Define a clear set of protocols for onboarding new employee devices, whether personal or for work. This type of “BYOD clause” would ensure that every device inside or within the radius of your enterprise network is protected.
4. Insider Threats From Seasonal Workers
Seasonal employees can be a high-risk security vector for the enterprise during the holiday season.
The average company will onboard a mid-sized-to-large seasonal workforce from various third-party providers, all of whom may not be properly vetted/verified.
There are two types of risks here. First, an employee could join your company in a temporary role with explicit malicious intent — i.e., they are aware of valuable confidential assets and need insider access to reach them. Second, hackers could target a seasonal employee with the lure of financial gains. These employees are:
- Less entrenched in your company’s culture and therefore less invested in its wellbeing
- Not provided with cybersecurity training at the same intensity as permanent employees
- Governed by a different set of contractual terms which may not cover data obligations
These three factors make seasonal employees candidates for insider threat, yet you cannot do without them during the holiday season.
Action point: Adopt least privilege access across the enterprise, regardless of permanent or temporary employees. Don’t discriminate against seasonal staff by labeling them as “risks” as Google did. Instead, develop deeper engagement, invest in their cybersecurity training, and treat them as full-time employees with time-bound contracts, holding them accountable for their enterprise network usage.
5. Employees Using Public Wi-Fi When Vacationing
Employees can choose to take time off during the holidays to take a short trip, travel, and spend time with friends and family. However, in an increasingly connected world, it is likely that they never entirely switch off. An employee could open their work email or access enterprise storage on the cloud when traveling, by connecting to a public Wi-Fi network.
However, public Wi-Fi networks may not use the same encryption protocol as an enterprise. There’s also a possibility that employees could unwittingly join in a rogue Wi-Fi hotspot and handover control to an attacker.
Action point: Educate your employees about the risks of using public Wi-Fi. Drive home the point that its cons far outweigh any convenience or cost advantage. You can also configure the corporate email to require authentication whenever the user switches to an unfamiliar network.