The holidays can be a magical time. From Thanksgiving through December each year, there are more reasons to meet friends and family for cocktails or cozy nights in, share time-tested recipes, or tune into any great number of holiday flicks (Love, Actually, Die Hard, The Ref – choose your adventure). And whether you do it online or in-person, there’s shopping, shopping, and more shopping.

Unfortunately, though, the holidays can be magical for threat actors, too.

With so many of us stepping away from our day-to-day responsibilities, CIOs and CISOs must ask themselves, “Who's minding the store?” And if it’s not immediately obvious, ‘the store’ in this metaphor is your IT environment.

The most wonderful time of the year… for cyber attackers

Generally, the holidays mean many desks are empty. Computer systems are often unattended and security operations centers are short-staffed with fewer eyes on the storefront. The result? Businesses and organizations are more vulnerable to cyberattacks.

Additionally, 2022 witnessed mass layoffs, leaving companies short-staffed. Compound that with an infosec talent shortage and the usual stress and burnout, and you’ve got a recipe for oversight and human error.

In a study conducted by Cybereason, a whopping 70% of respondents actually admitted to having been intoxicated when responding to a ransomware incident over the holidays. But a cyberattack probably isn’t the best time to test your Ballmer peak.

Of course, malware attacks are rampant year-round, but they increase significantly over the holiday season. In fact, according to Cisco’s 2021 Cybersecurity Threat Trends report, phishing attacks historically spike around holiday times, reporting a peak of 52% in December. Additionally, lucrative malware campaigns like ransomware show no signs of slowing down.

Also in 2021, Darktrace reported a 30% increase globally in the average number of attempted ransomware attacks over the holiday season from 2018 to 2020 compared to the monthly average, and a 70% increase in attempted ransomware attacks in November and December compared to January and February.

Companies suffering from a ransomware outbreak could suffer extreme losses in revenue from downtime, crippled operations, and possibly even fatal consequences in the healthcare vertical.

Clearly, the holidays have a very different meaning if you’re a cybercriminal or hacking group – mainly, this time of year equals opportunity.

Common cybersecurity threats during the holidays

A common approach cyber criminals use to discover who to attack is through "out-of-office" automatic email responses. They may start with a "spray and pray approach," sending out thousands of emails en masse and then parsing the rich information of the out-of-office message. These messages may indicate the following data points:

• Who is on PTO

• When staff will return

• Staff phone numbers

• Emergency contacts

That's a treasure trove of information for hackers.

Plus, there are additional cybersecurity and safety issues to keep in mind having to do with – you guessed it – human behavior.

With the onset of the holiday season, many of us have increased our online activities: booking flights, shopping for gifts, etc. Though these activities are not innately malicious, they give additional fodder to cybercriminals looking to social engineer end users to click and download their malicious payloads.

A prime example? You’re likely expecting packages or messages from relatives. So an attacker could easily create spear-phishing emails to emulate a FedEx or UPS package tracking number or mass-sent holiday "greeting cards."

During such a busy shopping season, it’s likely more people click on email links or promotional discount ads. As a result, there’s usually a large spike in email phishing over the holidays.

A look at recent holiday cyberattacks - 2022

Here are just a few recent examples of major attacks that occurred during or close to a holiday:

• Over the New Year, Bernalillo County, Albuquerque, New Mexico closed down government buildings following a ransomware attack. The attack actually left a jail blind to its camera feeds and rendered its automatic door mechanisms fail close, leaving inmates in lockdown.

• From December 2021 to January 2022, the Maryland Department of Health was hit with a crippling ransomware attack, leaving its hospitals in chaos amid a surge of COVID-19 cases. MDoH confirmed that health officials had to calculate the COVID-19 statistics by hand and could not release death certificates for weeks.

• The San Francisco 49ers’ made headlines for the wrong reasons during Super Bowl weekend when they were hit by ransomware. The BlackByte ransomware-as-a-service (RaaS) group claimed to have exfiltrated data with an estimated value of $4.175 billion.

• Lapsus$ topped headlines multiple times this year, compromising Claro on Christmas Eve of 2021 and Impresa on New Year’s Day, 2022, and rounding out the year with tech giant Microsoft and SSO provider Okta.

• Around Thanksgiving, Swedish retail giant Ikea confirmed an attack at the hands of the Vice Society hacking group.

Cybersecurity best practices for holidays and weekends

Last year, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint ransomware awareness advisory specific to looming holiday threats.

While CISA and the FBI don’t currently have specific threat reporting indicating a cyberattack will occur over the upcoming holidays, they did prepare a list of best practices for orgs to help address the risk posed by all cyber threats, including ransomware.

The list is extensive, so we reviewed it and pulled out highlights to prioritize as you prep for the holidays:

• Schedule security employees to be "on call" during holidays

• Educate end users throughout the year, but especially during the holidays, to not click on suspicious links or fall to social engineering tactics via spear phishing attempts

• Provide generic out-of-office messages for external recipients, or restrict automatic responses to internal contacts, if possible

• Make and maintain offline, encrypted backups of data and regularly test backups

• Raise awareness among users about the risks involved in visiting malicious websites or opening malicious attachments

• Limit access to resources over internal networks, especially by restricting remote desktop protocols (RDP) and using virtual desktop infrastructure

• Review the security posture of third-party vendors and those interconnected with your organization

• Replace software and operating systems that are EOL/EOS to currently supported versions

• Regularly patch and update software to the latest available versions

• Use a centralized and automated patch management system

• Conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices

• Ensure strong passwords that are not reused across multiple accounts or stored on a system where an adversary may have access

• Implement multi-factor authentication (MFA) for all services, particularly for remote access, VPNs, and accounts that access critical systems

• Regularly audit administrative user accounts and configure access controls under the principles of least privilege and separation of duties

• Continuously and actively monitor for ransomware threats over holidays and weekends.

For more intel, review these resources to prepare for a safer holiday season:

• Microsoft – Protect yourself from Phishing

• 2022 Patching & Endpoint Management Checklist - Top 8

• Supply Chain Ransomware Attacks on the Rise: How to Prepare Now

• The Anatomy of a Ransomware Attack

• 27 IT and Cybersecurity Stats to Put on Your Radar

By following the cybersecurity best practices from the FBI and CISA and digging into the additional resources provided here, you can reduce your risk of exposure and feel just a little bit better about taking that well-deserved time off.