Whenever a small business owner takes a long break from work, threat actors do not. Long holiday weekends, spring break, summer vacation and the winter holiday season traditionally are golden opportunities for bad actors to take advantage of vulnerabilities that arise when owners and employees leave the office. In fact, according to a recent survey conducted by Cybereason, more than one-third of respondents said it took their organization longer to assess the scope of, stop and recover from holiday or weekend cyberattacks compared to a regular workday.
Security pitfalls abound even during normal operations, so even a constant cadence of attacks finds more opportunities during times when defenders are less prepared. Typically, companies operate with fewer cybersecurity resources during breaks and off-peak times, significantly increasing the risk of lengthier or more severe incidents caused by delays in detecting and resolving a problem.
Not only are cybersecurity professionals challenged to deal with an increase in cyberattacks during off-business hours, but they’re also navigating additional risks as hybrid work remains commonplace for even small businesses. The shift to remote work drove a 238% increase in cyberattacks during the pandemic. This problem is almost certain to grow, as more than 36 million Americans are expected to work remotely by 2025, according to one report.
Because of the hybrid work trend, many individuals also are choosing to become digital nomads, packing their laptops and traveling to work hundreds or even thousands of miles from the physical business. Employees are spreading across the globe. According to several media reports, some U.S. workers are moving overseas without telling their employers.
Whether it’s authorized or not, working remotely can greatly increase an organization’s exposure to bad actors. Employees might be tempted to use unsecured public Wi-Fi networks (or have no other choice) or “borrow” access to a friend’s or neighbor’s network. When an organization does not make use of secure remote access technologies, such as multifactor authentication, or implement zero-trust principles for its employees’ endpoint devices, it increases its risk of attacks like ransomware or data loss.
Best Practices for Holidays and Weekends
For employees and organizations alike to enjoy their long weekends and holiday breaks – and work remotely as they please – there are several best practices to help address the risks posed by cyberthreats.
Implement multi-factor authentication (MFA) for all user logins
More than 80 percent of hacking-related breaches are caused by stolen or weak passwords, which is why many organizations have adopted multi-factor authentication (MFA). For laggard companies, now is the time to lean into MFA, as it enables stronger authentication by adding another layer of protection beyond a password. But not all MFA is created equal: authentication using one-time passwords (OTPs) over SMS messaging is easily suborned or misdirected and is largely considered insecure. In fact, the best practice is to avoid OTPs altogether, since they can still be subject to phishing attacks, and to use device proximity techniques, such as Bluetooth connections from the computer to the user’s mobile device, per the Fast Identity Online (FIDO) Alliance recommendations.
Regularly patch and update software to the latest available versions
It’s important to ensure that all software across the organization is regularly updated, as most attacks make use of vulnerable, unpatched software. Part of this is tactical: organizations need to patch not just operating systems, but also user applications like office document software and browsers, as well as other components such as servers, application software and networking devices. Part is strategic: if the business still runs on outdated software, making that change can be time-consuming and difficult, so it’s important to plan and budget for system and software end of life before those systems no longer receive security fixes.
Have an incident response plan
Sometimes cyberattacks are simply unavoidable, regardless of the security measures in place. To best prepare for any surprises, organizations should have an incident response plan in place to minimize the potential damage from an attack. Every company’s plan will look a bit different, but they all need clear definitions of responsibility, detailed plans to contain and minimize the attack’s impact, communications planning, and recovery. And they all need to be tested regularly to make sure everyone knows their part, the plan works as expected, and it adapts to new threats and changes to the environment.
Provide security awareness training to employees
Truisms abound that employees are the weakest link in security. This is probably false; employees with the training to perform their tasks securely and respond appropriately to suspected attacks are possibly one of the organization’s greatest assets. Providing cybersecurity training for employees at all levels can help improve the overall security posture of the organization. But don’t regard training as a once-a-year checkbox effort. Consider small doses of security awareness training, particularly ahead of a long break, to instruct employees about the dangers of phishing emails, online shopping scams or attempts to impersonate company leadership. Hosting these training sessions for every new employee and providing refreshers frequently, as opposed to just once a year, can also help to safeguard an organization and should be regarded as the minimum necessary.
Partner with or hire an outside team to be on call during the holidays
Small businesses are increasingly vulnerable to cyberattacks in large part because some do not have security staffing coverage to quickly detect and respond to suspicious activity. Partnering with a managed services provider (MSP) enables small businesses to gain 24/7 assurance through advanced tools that detect, diagnose and fix unexpected security problems. Often, partnering with an MSP also is more financially favorable than attempting to hire, train, and retain security specialists to support cybersecurity needs. This is especially relevant at a time when there are some 700,000 unfilled cybersecurity job openings in the U.S.
As we get closer to spring break, summer vacations and long holiday weekends, it’s important to strengthen cybersecurity measures now before getting caught off-guard outside of working hours. By leaning into the tips above, organizations can best position themselves to strengthen their cybersecurity posture and take on any unexpected attacks.
Jacob Ansari is the PCI Practice Leader at Mazars in the United States.