The end of the year is marked by long holidays, a season of joy, and optimism for the coming year. Businesses also have a lot to cheer about as the holiday season is usually accompanied by an increase in consumer spending as people are in a celebratory mood and inclined to treat themselves and others to a few luxuries. The US alone expects ~$850 billion in sales during the November-December period. But there is a fly in this seasonal ointment: festive cheer brings more opportunities for cyberattacks against businesses.
A quick glance at cyberattacks that made headlines reveals that threat actors love holidays for all the wrong reasons:
- Lunar New Year – Bangladesh Bank, the central bank of Bangladesh, was the victim of a cyberattack that attempted to transfer $951 million to the Philippines ahead of the Lunar New Year weekend
- Mother’s Day – America’s largest fuel pipeline operator Colonial Pipeline was hit by ransomware during the Mother’s Day weekend, resulting in fuel shortages and consumer panic
- Memorial Day – The world’s largest meat processor JBS suffered a ransomware attack over the American Memorial Day weekend that affected servers supporting North American and Australian operations, threatening shortages throughout the world
- US Independence Day – Remote management software vendor Kaseya was hit by an attack over the 4th of July weekend that distributed ransomware via an auto update to its customers and customers’ customers, affecting thousands of victims in at least 17 countries
- Halloween – One of America’s largest candy manufacturers, Ferrara, was the target of a ransomware attack right before the critical Halloween sales period
These news snippets show that businesses operating across a wide variety of industries have been targeted during various holidays. These events may feature attacks against large organisations, but that is because prominent organisations are headline worthy. All organisations, large or small, experience an increase in cyber risk ahead of and during holidays.
Why Threat Actors Love The Holidays
Threat actors love to launch attacks against businesses during the holidays because holidays, or festivals, make cyberattacks easier for several reasons:
- Alertness is Reduced – Everyone is in a good mood and employees are not as alert for social engineering attacks like phishing. They are more likely to open an attachment without suspecting malware, or enter their credentials in a website without checking if the website is genuine
- Staff Strength is Reduced – Many employees, including members of the IT team, will take time off ahead of or after the holidays to enjoy long vacations. Fewer IT staff at work implies reduced monitoring and slower response time to alerts, allowing attackers to compromise devices and networks. Staff on vacation also take longer to report to work if they are asked to return when an attack is detected, which delays an all-hands-on-deck response to a fast-spreading cyberattack
- Attacks Have Time to Spread – Attacks take time to spread through an organisation’s network and infect many devices. Attackers also like to take their time to identify which parts of the IT ecosystem are critical to the organisation’s functioning. A long holiday with no or minimal activity in the victim’s facilities allows the attack to spread through the organisation and increases the impact of the attack
- Maximum Impact on Profits – Many organisations experience a surge in sales during the holidays and are therefore more likely to pay an attacker quickly to resume operations as the cost of the ransom may be less than the loss in revenue and reputation
Businesses That Are Affected The Most By Holiday Cyberattacks
While any business can be attacked during the holidays due to the first 3 reasons mentioned above, businesses that are impacted by the 4th reason (impact on profits) can be considered to be at higher risk as they have more to lose from an attack timed to coincide with their peak sales season. These primarily comprise
- Travel & Hospitality
- Sweets & Giftables
Online shopping booms during holidays/festivals due to convenience, deep discounts, and employees receiving bonuses. A ransomware attack that takes down web servers, order processing data, or warehousing systems; a Denial-of-Service (DoS) attack that makes websites inaccessible to shoppers; or a data breach that leaks customers’ Personally Identifiable Information (PII), could all ruin a business.
Brick & Mortar
Offline shopping may not receive as much attention as online shopping because it doesn’t attract high profile VC funding, but that doesn’t make it less vulnerable. A cyberattack on Point of Sale (POS) systems or on inventory tracking applications could bring operations to a complete standstill. The cyberattack on Kaseya (mentioned above) resulted in one of Sweden’s largest supermarket chains shutting all 800 stores in the country because cash registers were paralysed by the attack.
Travel & Hospitality
Holidays provide time for people to travel, either to explore new destinations or for a trip to their hometowns. The hospitality industry provides attractive offers for travellers, and seasonal revenue is a significant contributor to the annual revenue of both the hospitality and travel sectors. Cyberattacks that affect website availability, booking information, and payment systems, and data breaches that leak PII can have a severe impact on profitability.
Cyberattacks on this industry can be quite unconventional as well as an Austrian hotel discovered when the smart locks on its guest rooms were hit by ransomware attacks 4 times in December and January.
Sweets & Giftables
Holidays and festivals are also a time for distribution of sweets, confectionaries, and gifts; providers can expect a spike in sales both from retail demand and corporate bulk orders. Threat actors know that fulfilling these orders takes time and orders are placed and fulfilled in advance of celebratory events. Therefore, these sectors can expect cyberattacks before the festivities begin, as evidenced by the earlier discussion of an attack on a candy manufacturer ahead of Halloween.
How Businesses Can Protect Themselves and Avoid Reputation and Revenue Loss
Businesses can mitigate cyber risk all through the year, and especially during the holidays, by following these measures:
- Block Unnecessary Device Access – Every device that connects to the business network is a potential point of entry for a cyberattacker, and businesses should block all devices that do not, or no longer need, access to the business network. This includes any device that has been sent to a vendor for repair and upgrade, personal devices of employees, and backup devices that are in storage. Access should be provided only as and when required and on a case-to-case basis after assessing the business need for such access. Devices, in this context, extend beyond PCs to include networking and networked devices such as routers, printers, and IoT products
- Revoke Unnecessary User Access – Employees leaving the organisation should have their access revoked immediately after their exit to prevent attackers exploiting unused employee accounts to launch attacks. Current employees should be granted access based on the principle of least privilege i.e., a user has the minimum access privileges required to carry out their responsibilities, irrespective of their position in the organisation’s hierarchy. Additional privileges that are required for ad hoc tasks should be granted on a temporary basis and revoked as soon as the task is completed
- Install All Patches – Ensure that the latest patches for both software and hardware are installed as soon as they are released by the vendors. An unpatched operating system, application, or device allows threat actors to attack businesses through known vulnerabilities
- Deploy Endpoint Security – Install endpoint security, like K7 Endpoint Security, on all endpoints including POS and warehouse devices to detect and block ransomware, phishing, and other cyberattacks. All endpoints should be secured as even a single unprotected device can be used to launch an attack. It is critical to ensure that all endpoints are allowed to receive the malware definition updates released by the vendor as over 450,000 new cyberthreats are registered every day and the latest malware definitions are required for protection against the latest cyberthreats
- Deploy Network Security – Gateway security devices, like K7 Unified Threat Management, should be deployed in all stores, offices, and warehouses to protect business networks from hacker intrusions and Denial-of-Service attacks
- Provide Training – Train employees on the fundamentals of cyber hygiene, such as the importance of creating strong passwords and not sharing them, the tactics used by threat actors, and spotting social engineering attempts which could target them on their personal devices and in their use of social media. Human fallibility often forms the weakest link in the cybersecurity chain and cybersecurity training avoids users inadvertently opening the doors to a cyberattack
- Have IT Staff on Call – IT staff deserve vacations as much as other employees, but a diminished IT team makes containing an attack difficult. Ensure that critical team members who may be on leave can return quickly to work in the event of a threat emergency
- Secure the Supply Chain – Businesses that maintain cybersecurity in their facilities can still be compromised if their suppliers do not follow cybersecurity best practices. Target Corporation’s massive 2013 holiday shopping season data breach was initiated through a refrigeration contractor. Encourage your vendors to follow cyber hygiene and work with them to secure your organisation’s supply chain
K7 Security provides international award winning enterprise cybersecurity solutions to protect organisations operating across a wide variety of industries. Contact us to learn more about our 24/7/365 cybersecurity that secures IT infrastructure during all holidays, festivals, and seasons.