The Chertoff Group

Tis the Season for Cybercrime: Six Ways to Make Your Organization Safer This Holiday

As advisors to some of the world’s largest organizations, we know firsthand how critical the implementation of a company-wide cybersecurity strategy is to defending against today’s rapidly evolving threats. The continuous strengthening of security posture – from prevention measures to plans for detection, response, and recovery – serves to prepare organizations for the inevitable, with effective damage controls in place.

It’s important to remember, though, that cybersecurity is not just about tools and technology. There is a human element, too, that companies can leverage in their favor in their cyber defense strategies year-round – and particularly during the busy holiday season.

It’s common to see a spike in cybercrime as we near the holidays. IT and security resources are stretched as they juggle holiday schedules with the mountain of regular tasks and responsibilities. Employees are less focused in their rush to wrap up their to-dos and finish the last of their work before the much-anticipated end-of-year break.

For cybercriminals who constantly look for weaknesses and gaps to exploit, it’s like, well, Christmas.

People, it turns out, are the biggest gap. According to the Verizon 2021 DBIR, 85% of breaches involved a human element. Not surprisingly, given its popularity among hackers and apparent effectiveness, phishing remains a top tactic.

  1. Don’t click on that link!

The frequency of phishing attempts spikes just before the holidays, and while email remains a common attack vector, text messages (smishing) are becoming more frequent. These socially engineered tactics trick recipients into opening an attachment to release malware, or clicking on a link that leads to a fake website. Their goal is to steal personal credentials or payment information.

How to stay safe: Remind employees to exercise caution when clicking on links and downloading files from unknown or unexpected email or text sources. Build their awareness of common phishing characteristics – such as typos and grammatical mistakes, and unusual urgency, especially around a financial transaction such as an invoice, even if the message appears to come from a legitimate person. The more your employees know to look for, the more effective they will be at avoiding phishing traps.

  2. Stick with names you trust.

Speaking of an email appearing to come from a colleague or other legitimate person, the sender’s email address and sometimes a link’s URL can offer big clues as to whether an email is real or fake.

How to stay safe: If an email looks suspicious, employees should check the email address of the sender, carefully looking for misspellings in the person’s name, company name, or address format. For instance, if your company email address format is james.smith@abc.com, a hacker might use a subtle change to appear legitimate, such as j.smith@abc.com, or use a slight misspelling such as jim.smith@abc.com. Similarly, employees can check a link’s URL without clicking it by hovering over it with the mouse to see where the link is directed and whether it’s to a valid company (e.g., www.verizon.com) or one that’s questionable (e.g., www.amiescompany.com).
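The two checks above (does the sender’s address match the person it claims to be, and does a link’s visible text match where it really points) are simple enough to automate as a first-pass triage script for a security team or mail gateway. The script below is an added example, not code from the Chertoff Group post; the trusted-domain list, the directory entry for “James Smith”, and the sample email are constructed for illustration, and the domain reduction is deliberately simplified (a real deployment would use the public suffix list).

```python
"""Added example: flag lookalike sender addresses and mismatched links in an email."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed configuration: domains your organization treats as legitimate for senders and links
TRUSTED_DOMAINS = {"abc.com", "verizon.com"}

# Constructed directory of known colleagues: display name -> the address they really use
DIRECTORY = {"James Smith": "james.smith@abc.com"}


def registrable_domain(host):
    """Reduce a hostname to its last two labels (www.abc.com -> abc.com).
    Simplified on purpose; production code should consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def sender_findings(from_header):
    """Flag a From: header whose domain is untrusted, or whose address differs from the
    directory entry for the displayed name (jim.smith vs. james.smith, j.smith, ...)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    findings = []
    if registrable_domain(addr.rpartition("@")[2]) not in TRUSTED_DOMAINS:
        findings.append(f"sender domain not trusted: {addr}")
    expected = DIRECTORY.get(name)
    if expected and expected != addr:
        similarity = SequenceMatcher(None, expected, addr).ratio()
        findings.append(f"display name '{name}' normally uses {expected}, "
                        f"but this mail came from {addr} (similarity {similarity:.2f})")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Matches something that looks like a domain name inside the visible link text
DOMAIN_IN_TEXT = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def link_findings(html_body):
    """Flag links to untrusted hosts, and links whose visible text names a different
    domain than the href actually points to (the automated form of the 'hover' check)."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        if target not in TRUSTED_DOMAINS:
            findings.append(f"link points to untrusted host: {host}")
        shown = DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


def analyze_message(raw_message):
    """Run both checks over a raw RFC 822 message whose body is HTML."""
    msg = message_from_string(raw_message)
    return sender_findings(msg["From"]) + link_findings(msg.get_payload())


# Constructed sample: a lookalike sender plus a link whose text hides its real destination
SAMPLE_EMAIL = """\
From: James Smith <jim.smith@abc.com>
To: staff@abc.com
Subject: Invoice due before the holiday break
Content-Type: text/html

<html><body>
<p>Please settle the attached invoice today.</p>
<p><a href="http://www.amiescompany.com/pay">www.verizon.com</a></p>
<p><a href="https://www.verizon.com/billing">Billing portal</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the sample, the script reports three findings: the sender address does not match the directory entry for the displayed name, the first link points to a host outside the trusted list, and that link’s visible text names verizon.com while its href goes elsewhere. The second link, to the real billing portal, produces nothing. Findings like these are a signal for a human to look closer, not an automatic verdict; legitimate mail from partners on new domains will trip the first check until the list is updated.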

  3. It looks

With the remote office now commonplace, mobile devices such as laptops and phones are being used more frequently for both work and personal use. But this practice can impact your business if malicious software is downloaded inadvertently. For instance, hundreds of apps in the Apple App Store and Google Play can mimic a popular brand by using a familiar logo or color scheme – but in fact are purpose-built to steal credit card information.

How to stay safe: Direct employees (and even customers or vendors) to download your organization-specific apps directly from your company’s website to ensure that they are legitimate (not fakes). If they do download an app from an app store, have them thoroughly check the user reviews to help verify its validity.

  4. Careful going out in public.

Public Wi-Fi uses public airwaves, making it a potential avenue for bad actors to access your information. Still, you don’t want to impact employee productivity by limiting their ability to connect to email and other key systems they need to get their job done.

How to stay safe: As employees work remotely or travel this holiday season, remind them to avoid exposing sensitive information – their own and your corporate systems and data – on unsecured Wi-Fi networks, for instance, in coffee shops, airports, and hotels. Better yet, supply employees with a virtual private network (VPN), which creates an encrypted connection between devices and the VPN server to protect connections – and your information – from nearby hackers.

  5. There’s strength in numbers.

We’ve all heard the advice: use a strong password. But password protected doesn’t necessarily mean it’s safe. Stolen credentials were used in 25% of breaches last year, according to the Verizon 2021 DBIR.

How to stay safe: Encourage your employees to follow good password hygiene: longer is stronger, though the maximum length depends on what the app or system supports. A password that mixes letters, numbers, and symbols is stronger still. Don’t reuse usernames and passwords across different accounts – if those credentials are stolen, criminals will have easy access to multiple accounts, not just one.

And even safer: Many companies and websites now offer multi-factor authentication (MFA), which uses a combination of something the user knows (username and password), something the user has (a token or PIN), and something the user is (a fingerprint or face ID) to confirm their identity. Employees should use MFA wherever it’s available – to access vendor systems, bank accounts, etc. – to verify their identity and greatly increase their (and your) security.

And here’s a final tip for your organization’s IT or security team:

  6. “Update Available”

Apps require basic maintenance. Updates from technology vendors not only contain enhanced or new capabilities, they often contain code to “fix” identified security vulnerabilities and close gaps that potentially can be exploited by malware. These are important and should not be ignored or delayed.

How to stay safe: Be sure your team has policies in place that ensure regular maintenance across your IT environment, such as upgrading employee devices to the latest versions of frequently used tools like web browsers (e.g., Edge, Chrome, Safari) and Zoom.

Deploying your “human element” against threats is a cybersecurity force-multiplier that can keep your organization safer this holiday season – and year-round. Pass along these tips to your employees, use regular training to build good cyber habits and awareness, and say “bah humbug” to the cyber criminals who are out to ruin your holidays.
