Tired of cybersecurity tips that don’t really make an impact? This post is for you.

The year is winding down. Everyone, security teams included, is busy and distracted. Threat actors know this and time their campaigns accordingly.

Over the holiday season, the global number of attempted ransomware attacks has increased by 30% year over year. Attempted ransomware attacks in November and December also run about 70% higher on average than in January and February.

One report from the retail and hospitality sector indicates that imposter websites, product-focused phishing attempts and phishing attempts impersonating executives all tick up during the holidays. The report also observed a greater prevalence of social engineering attacks, heavily targeted at credential harvesting or bypassing multifactor authentication (MFA).

With security teams already stretched thin, what happens when people head out for the holiday break? A skeleton crew leaves your data, systems and networks even more exposed. If an incident occurs, do you have a holiday response plan in place?

Let’s look at some truly useful tips on how to prepare for cyberattacks during the holidays.

Tip 1: Have a response team in place

Before you head out for the holidays, know who can be called in if a cyber incident happens. You should clearly establish, in writing, who’s on call and when.

On-call team members should be reachable 24/7, and their access should be tested before the break: VPN, privileged credentials, escalation paths to leadership and contact details for vendors and any retained incident response firm. Well-organized incident response teams should already understand their roles and responsibilities. Still, given how hectic the end of the year can be, it's worth confirming in writing who is responsible on each day of the holidays.

Tip 2: Consider managed detection and response

Some companies hand security operations to a managed detection and response (MDR) provider, making it the third party's responsibility to provide full coverage over holidays and weekends. MDR services can cover the whole threat management lifecycle on top of the organization's existing endpoint and network security tooling.

The reality is that with the increasing complexity of malicious and automated cyber threats, many organizations lack the security skills to handle sophisticated and advanced threats. Even organizations that do have the required expertise often struggle with managing too many security tools and alerts to adequately reduce mean time to resolution (MTTR).

Alert overload and time-consuming investigations lead to security analyst fatigue. Meanwhile, today's reality demands 24/7 coverage to investigate alerts, because threat actors tend to attack during non-business hours and holidays.

For this reason, managed detection and response is an attractive solution for security teams that lack the expertise — or team size — to maintain strong security during shoestring staffing periods. MDR can consist of services such as alert management, threat containment, incident response and proactive threat hunting.

Tip 3: Be extra careful with downloads, clicks, messages and emails

Since everyone is in a hurry to get work done, we may let our guard down when it comes to reading emails carefully. Most intrusions still begin with a person opening an attachment, following a link or handing over credentials, and even the most careful of us can slip when rushed.

Social engineering attacks continue to generate good results for cyber criminals. So be wary of any and all communication, even if it appears that it comes from a trusted source. All employees should treat any unsolicited messages with the highest level of suspicion.

If a request sounds fishy, stop and examine the entire context carefully. Who is the message really from? Check the actual sending address and domain, not just the display name, and look at the Reply-To address if there is one. Look again: slight misspellings, look-alike characters and typosquatted domains are easy to miss when you are in a hurry to get out the door.
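As an added example (not code from the original post), the following PowerShell script runs the check described above over a batch of From: headers: it folds common look-alike characters before measuring the edit distance to a short list of trusted domains, and it flags display names that borrow the brand while pointing at an unrelated domain. The trusted domains, the brand word and the sample headers are all constructed for illustration.

```powershell
# Added example (not from the original post): flag look-alike sender domains and
# display-name spoofing in a batch of From: headers. The trusted domains, brand
# word and sample headers are constructed for illustration.

$TrustedDomains = @('example.com', 'corp.example.com')
$TrustedBrand   = 'example'   # word a spoofer would put in the display name

function Get-LevenshteinDistance {
    param([string]$A, [string]$B)
    # Classic edit distance (insert, delete, substitute), case-insensitive.
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $prev = 0..$B.Length
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = @($i) + (@(0) * $B.Length)
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function ConvertTo-DomainSkeleton {
    param([string]$Domain)
    # Fold characters that look alike in common fonts, so "examp1e.com" and
    # "exarnple.com" both reduce to "example.com" before the distance check.
    $d = $Domain.ToLowerInvariant()
    foreach ($pair in @(@('rn', 'm'), @('vv', 'w'), @('0', 'o'), @('1', 'l'), @('3', 'e'), @('5', 's'))) {
        $d = $d.Replace($pair[0], $pair[1])
    }
    return $d
}

function Test-SenderHeader {
    param([string]$FromHeader)
    # Accepts 'From: "Name" <user@domain>' as well as a bare 'From: user@domain'.
    $pattern = '^From:\s*(?:"?(?<name>[^"<]*?)"?\s*)?<?(?<addr>[^\s<>"]+@[^\s<>"]+)>?\s*$'
    if ($FromHeader -notmatch $pattern) {
        return [pscustomobject]@{ Address = $FromHeader; DisplayName = ''; Verdict = 'unparseable'; Reason = 'no address found' }
    }
    $name   = ([string]$Matches['name']).Trim()
    $addr   = $Matches['addr'].ToLowerInvariant()
    $domain = $addr.Split('@')[-1]

    if ($TrustedDomains | Where-Object { $domain -eq $_ -or $domain.EndsWith(".$_") }) {
        $verdict = 'trusted'; $reason = 'exact or subdomain match to a trusted domain'
    } else {
        $skeleton = ConvertTo-DomainSkeleton $domain
        $closest  = $TrustedDomains |
            ForEach-Object { [pscustomobject]@{ Domain = $_; Distance = (Get-LevenshteinDistance $skeleton (ConvertTo-DomainSkeleton $_)) } } |
            Sort-Object Distance | Select-Object -First 1
        if ($closest.Distance -le 2) {
            $verdict = 'lookalike'; $reason = "'$domain' normalizes to within edit distance $($closest.Distance) of '$($closest.Domain)'"
        } elseif ($name -match $TrustedBrand) {
            $verdict = 'display-name spoof'; $reason = "display name '$name' uses the brand but '$domain' is not a trusted domain"
        } else {
            $verdict = 'external'; $reason = 'unknown domain; treat unsolicited requests with suspicion'
        }
    }
    [pscustomobject]@{ Address = $addr; DisplayName = $name; Verdict = $verdict; Reason = $reason }
}

# Constructed sample headers: one genuine, two typosquats, one brand-in-display-name, one plain external.
$SampleHeaders = @(
    'From: "Payroll Team" <payroll@example.com>',
    'From: "Payroll Team" <payroll@examp1e.com>',
    'From: "IT Helpdesk" <helpdesk@exarnple.com>',
    'From: "Example Support" <support@example-support.net>',
    'From: newsletter@vendor.example.org'
)
$SampleHeaders | ForEach-Object { Test-SenderHeader $_ } | Format-Table -AutoSize
```

The edit-distance threshold of 2 and the confusable table are starting points to tune against real mail flow. Note what a "trusted" verdict does and does not mean: the domain matches, nothing more. A message sent from a compromised mailbox on a trusted domain passes every look-alike test, which is why the request itself still has to be verified out of band.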

You can also do in-house phishing drills. This means sending out fake emails on purpose to test your teams and educate them. When they spot a suspicious email, praise them. If they take the bait, show them where they made a mistake.

Tip 4: Lock down privileged accounts

During the holidays and weekends, some security experts recommend locking down privileged accounts. Once inside a network, intruders commonly work their way up to administrator-level privileges, which is what lets them deploy malware across the estate. That level of access is rarely needed over a holiday break or weekend, so temporarily disabling the day-to-day admin accounts removes a step the attacker depends on.

As an option, security teams can create highly secured, emergency-only (break-glass) accounts in Active Directory. These accounts would only be used when the operational accounts are temporarily disabled, or when they are inaccessible during a ransomware attack. Because a break-glass account is a standing path to full control, its credentials should be stored offline, every logon with it should raise an alert, and it must be excluded from the lockdown itself so that there is always a way back in. Any service accounts that sit in privileged groups need the same exemption, or the freeze will take scheduled jobs down with it.
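As an added example (not code from the original post), the PowerShell below implements the freeze described in the two paragraphs above: it enumerates the members of the privileged groups, refuses to run unless a break-glass account is enabled, disables everything else, and writes a manifest so the freeze can be lifted exactly after the break. The group names, the break-glass and service account names and the manifest path are assumptions.

```powershell
# Added example (not from the original post): disable the day-to-day privileged
# accounts for a freeze window, keep the designated break-glass account enabled,
# and record what was changed so the freeze can be lifted exactly. Group names,
# the break-glass account, the service account and the manifest path are assumptions.
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$BreakGlass       = @('bg-admin-01')     # emergency-only; credentials sealed offline, logons alerted
$ServiceAccounts  = @('svc-backup')      # privileged but must keep running over the break
$Manifest         = "C:\IR\privileged-freeze-$(Get-Date -Format yyyyMMdd).csv"

function Get-PrivilegedUsers {
    # Direct and nested user members of the privileged groups, de-duplicated.
    $PrivilegedGroups |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property SamAccountName -Unique |
        ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties Enabled, LastLogonDate }
}

function Start-PrivilegedFreeze {
    param([switch]$WhatIf)
    # Refuse to proceed unless at least one break-glass account is usable.
    $usable = $BreakGlass | Where-Object { (Get-ADUser -Identity $_ -Properties Enabled).Enabled }
    if (-not $usable) { throw 'No enabled break-glass account; aborting before any change.' }

    $keep    = $BreakGlass + $ServiceAccounts
    $targets = @(Get-PrivilegedUsers | Where-Object { $_.Enabled -and ($keep -notcontains $_.SamAccountName) })

    # Write the manifest before touching anything so the undo is exact.
    if (-not $WhatIf) {
        $targets | Select-Object SamAccountName, DistinguishedName, Enabled, LastLogonDate |
            Export-Csv -Path $Manifest -NoTypeInformation
    }
    foreach ($u in $targets) {
        Disable-ADAccount -Identity $u.DistinguishedName -WhatIf:$WhatIf
    }
    Write-Output "Disabled $($targets.Count) privileged accounts; manifest: $Manifest"
}

function Stop-PrivilegedFreeze {
    # Re-enable only the accounts this script disabled, nothing else.
    Import-Csv -Path $Manifest |
        Where-Object { $_.Enabled -eq 'True' } |
        ForEach-Object { Enable-ADAccount -Identity $_.DistinguishedName }
}

Start-PrivilegedFreeze -WhatIf    # dry run; drop -WhatIf to apply before the break
```

Run the dry run a week before the break and read the list: every account on it is one that will be unable to log on until Stop-PrivilegedFreeze is run, and any scheduled task or service still bound to one of them will fail. The manifest is also the evidence that the freeze was applied, which matters if an intrusion is discovered later and the timeline has to be reconstructed.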

An even better strategy is to adopt privileged access management (PAM): a deliberate approach to deciding who holds privileged access to infrastructure and applications, and how. In practice, PAM vaults privileged credentials, grants elevated access just in time and for a limited period, and records the resulting sessions. Frequently this means a single point of sign-on for users and a single point of management and audit for admins.

Especially in hybrid cloud environments, a fully managed PAM program can provide guidance from strategy through steady-state management. PAM can also enable automation, analytics and optimization to secure your privileged users.

Tip 5: Establish clear isolation tactics

Isolation stops attackers from moving further into the network and from spreading malware to other systems or devices. Security teams should be ready to disconnect a host, lock down a compromised account and block malicious domains, and the on-call responder needs the authority and the access to do so without waiting for approvals that will not come at 3 a.m. on a holiday. Scheduled and unscheduled drills help make sure all personnel and procedures will perform adequately in the event of a breach.
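As an added example (not code from the original post), here are the three isolation actions from the paragraph above as PowerShell functions a responder can run from a management workstation: lock a compromised account, cut a host off the network with its own firewall, and refuse lookups for a malicious domain at the internal DNS server. The host, account, domain and DNS server names are assumptions; where an EDR product offers network isolation, that is the preferred way to cut off a host, and the firewall approach here is the fallback.

```powershell
# Added example (not from the original post): three containment actions an
# on-call responder can run from a management workstation. Host, account,
# domain and DNS server names are assumptions.
Import-Module ActiveDirectory
Import-Module DnsServer

function Lock-CompromisedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Disable the account and rotate its password so stolen credentials stop
    # working; disabling alone leaves the old password valid if re-enabled.
    Disable-ADAccount -Identity $SamAccountName
    $random = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    $secure = ConvertTo-SecureString -String $random -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Get-ADUser -Identity $SamAccountName -Properties Enabled, PasswordLastSet |
        Select-Object SamAccountName, Enabled, PasswordLastSet
}

function Invoke-HostIsolation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string[]]$ResponderAddresses   # hosts that may still reach it
    )
    # Allow the responders' addresses first, then flip every firewall profile to
    # block-by-default in both directions. Evidence collection over WinRM still
    # works from the allowed addresses; everything else, including lateral
    # movement and command-and-control traffic, is dropped.
    Invoke-Command -ComputerName $ComputerName -ArgumentList (, $ResponderAddresses) -ScriptBlock {
        param([string[]]$Allowed)
        New-NetFirewallRule -DisplayName 'IR-Allow-Responders-In'  -Direction Inbound  -Action Allow -RemoteAddress $Allowed | Out-Null
        New-NetFirewallRule -DisplayName 'IR-Allow-Responders-Out' -Direction Outbound -Action Allow -RemoteAddress $Allowed | Out-Null
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Block
        Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    }
}

function Block-MaliciousDomain {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$DnsServer = 'dns01.corp.example.com'   # assumed internal DNS server
    )
    # Query resolution policy on the internal DNS server: any lookup for the
    # domain or its subdomains is refused instead of answered. A predictable
    # policy name makes it easy to list and remove after the incident.
    Add-DnsServerQueryResolutionPolicy -ComputerName $DnsServer -Name "IR-Block-$Domain" `
        -Action DENY -Fqdn "EQ,$Domain,*.$Domain"
}

# Usage during an incident (hypothetical names):
# Lock-CompromisedAccount -SamAccountName 'jdoe'
# Invoke-HostIsolation -ComputerName 'ws-0421' -ResponderAddresses @('10.10.50.0/24')
# Block-MaliciousDomain -Domain 'bad.example.net'
```

Two caveats a drill will surface quickly. The firewall isolation only holds if the responders' addresses are correct, so keep that list in the runbook and test it against a lab host before the holidays. And a DNS policy only stops clients that use the internal resolver; a host that has been pointed at an external resolver by the attacker needs the firewall treatment as well.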

As networks grow more complex, isolation may be difficult to execute in a real-world cyber incident. For this reason, extended detection and response (XDR) has gained significant traction.

XDR essentially gathers the telemetry and controls required to detect and respond to threats in one place for easier analysis. This lets security teams act quickly without getting lost in multiple consoles, workflows and search languages, and without writing an endless set of playbooks to cover every possible scenario.

XDR unifies insights from endpoint detection and response (EDR), network data and security analytics logs and events, as well as other solutions, such as cloud workload and data protection solutions. This provides a complete picture of potential threats. Meanwhile, automation is implemented for root cause analysis and recommended response, which is critical in order to respond quickly across a complex IT and security infrastructure.

Keep your organization safe this holiday season

Many of these tips aren't something you can deploy overnight. Establishing strong security is an ongoing campaign, and it will continue beyond the new year. As your strategy and tactics improve, your IT assets and resources will be safer during the holidays and beyond.
