On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of November.
December is prime time for cyberattacks and data leaks, especially in the United States, where organizations and employees are in holiday-season mode between Thanksgiving and New Year’s. For some industries, this time period means an overload of internet traffic, and the focus is on keeping business operations running. For other industries, operations are heading into a shutdown or preparing for a minimum workforce available.
Threat actors know this and see this period as prime time to launch an attack, or, as CISA pointed out, the December holiday slowdown “provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.”
Keeping up with cyber threats is difficult enough in the best of times, but how do organizations keep their data and networks safe when employees are distracted (and not following best cybersecurity practices) or the security staff is an on-call skeleton crew? We talked to 18 cybersecurity professionals across a variety of industries to learn how their organizations approach security during the holiday season.
Reduced staff and time off
Of the 18 respondents, only two shut down operations completely. Most, however, say they reduce the number of staff working or are more flexible with providing time off. Keeping cybersecurity standards at normal levels is vital for all of the organizations.
“We do not reduce staff hours; however, during the holidays, many have to take PTO or lose their time,” says Christopher Callahan, CISO at Weichert Companies. During that time, Callahan adds, detection and response functions are outsourced to a third party to ensure continuous coverage.
“We do not reduce staffing levels during the holidays,” explains Sheshananda Reddy Kandula, Senior Security Engineer at Adobe. “However, we maintain contact information for the entire team to facilitate rapid outreach and team formation if needed. All team members are expected to respond promptly and diligently to any incidents that may arise.”
“During the holidays, we have reduced staff but enough coverage to keep up support. With security, it’s a bit different because we have to become very careful with who is out of office and who is on the clock. With security, you always have to cover your domains so that you aren’t drifting off protocols and leaving room for error,” says Bryon Singh, Director of Security Operations at RailWorks Corporation.
Several of the respondents stressed that, no matter how thin the staffing might be or how many days the office might be closed for the holidays, cybersecurity standards have to be kept at normal levels. Meeting those standards with fewer people usually means leaning more on automation in threat detection, enhanced monitoring and well-formed incident response plans.
Specific changes to security protocols
Because of the reduced workforce or partial closures, the organizations all make temporary changes to some of their basic cybersecurity practices. Half the organizations freeze updates and patches, six change their incident response plan and elevate their alert protocols, and four limit account access.
Kapinder Diwan, Director of Information Security at Tradeweb, freezes updates and patching to maintain operational stability while fewer people are available because of holidays and vacations. The exception is critical or emergency patches or updates. Diwan’s co-worker, Muthukumar Devadoss, adds that the security team has an alternate operations plan in place that mirrors disaster recovery procedures during the holiday period.
Stan Mierzwa, Director and Lecturer at the Center for Cybersecurity, Transformational Learning and External Affairs at Kean University, recommends investing in greater situational awareness specific to one’s own sector. “This requires focused open source intelligence gathering that the organization can really zero in on to provide a more focused strategy during the holidays.”
But some people use the holiday time to prepare for the future of their cybersecurity program. Geoffrey Adamson, Governance Risk and Compliance Manager at TD Bank, plans to use the holiday time to prepare for cybersecurity exams in 2025.
Lessons from the holiday incident
Unfortunately, sometimes the bad guys win over the holidays, no matter how good the preventative strategy is.
“In a previous job, I dealt with a product-related security incident during the holidays that led to data spillage,” explains Kayla Williams, CISO with Devo. “Most of the product team was unavailable, so the security team couldn’t fully remediate the issue. I implemented a policy that requires managers to ensure that no more than 20% of their team is out at any given time, not just during the holiday season. This is a best practice I’ve carried to all of my subsequent roles and encourage other CISOs to implement in their organizations.”
Holiday periods can be particularly vulnerable times for cyber incidents because of reduced staff and increased attack attempts. Security professional Umair Mazhar recalls a notable example: his company experienced a ransomware attack over the Christmas holiday.
“The attack occurred when systems were less closely monitored, exploiting an unpatched vulnerability,” says Mazhar. “The attacker was trying to encrypt critical data, which required immediate action from the response team. Due to proactive measures and rapid response from our offshore team, we managed to control the attack surface.”
Singh’s company also dealt with a holiday cyber incident. “We had an intrusion through a vulnerability in our firewall’s SSL VPN, but with the proper alerting and extension to our team with our SOC, we were able to respond and mitigate in a timely manner.”
The common thread with these stories is that each security professional had either a plan in place that resulted in minimal damage or was able to use the incident to prevent problems in the future.