
How To Reduce Risk This Holiday Season


The holiday season is traditionally a period of goodwill, gift giving, and time with loved ones, but if you are responsible for your enterprise’s cyber defenses, it’s also a time when you should have a heightened awareness of cyber risk.

Cybercriminals often treat this time of year as a prime opportunity to exploit the unprepared and unwary. They know your staff are winding down and might not be as cyber aware as usual, which gives them a great opportunity to plunder the corporate gifts from under the tree.

“There’s all the holiday-themed phishing and social engineering scams to be prepared for,” explains Adam Marrè, Chief Information Security Officer at Arctic Wolf. “During the festive season, scams take on a ‘holiday flavor:’ fake e-cards, shipping or delivery notifications, gift card offers, and bogus charity donation requests. These are often disguised as genuine messages from vendors, couriers, or charitable organizations, and aim to trick recipients into giving away login credentials or clicking malicious links.”  

Along with this, many companies are wrapping up end-of-year bills, handling holiday bonuses, or ordering supplies — often with staff under time pressure — and attackers exploit that chaos. They send fraudulent invoices, payment requests, or urgent “vendor detail changes,” sometimes impersonating senior executives or trusted vendors.  

When people are rushed or distracted, they may skip normal checks, making these payment-related scams especially dangerous at this time. 

Not only that, but because many employees travel, work remotely, or shop online over the holidays, mobile or home devices often mix personal and work activities. Use of public Wi-Fi (in airports, hotels, coffee shops) or unsecured networks can expose credentials or sensitive data, especially if staff access company resources outside standard office protections.  

Attackers may also exploit “BYOD” (bring your own device) habits, meaning a personal device compromised via a holiday-themed phishing email can become a gateway into corporate networks. 

“CISOs and their teams need to make sure they have their plans finalized before the big day,” says Marrè. “The earlier you prepare, the better you will enjoy the holidays, rather than having to head into the office to attempt to fix the problem.”

Steps to take before the holidays:  

Lock down access and harden authentication 

  • Use strong, unique passwords, ideally stored in a password manager rather than saved in the browser or kept by some other method.
  • Enforce multi-factor authentication (MFA) on all critical systems (email, VPN, admin consoles, etc.).  
  • Limit permissions by enforcing the principle of least privilege so that everyone, including seasonal/temporary staff or external vendors, only has access to what they absolutely need.

Keep systems patched, updated, and monitored

  • Maintain a centralized, automated patch-management system to ensure all systems (servers, endpoints, third-party software) are updated promptly.
  • Use advanced endpoint protection / antivirus / anti-malware solutions (ideally with behavioral detection, rollback / ransomware-undo features).  
  • Implement continuous network monitoring and logging (SIEM or equivalent) to spot suspicious activity early, including unusual login attempts, unknown external connections, spikes in file access, or encryption events.  
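
A sketch of the monitoring signals listed above (unusual logins, unknown external connections, file-access spikes), combined with the holiday on-call schedule recommended later in this post. This is an added example, not Arctic Wolf code; the event format, thresholds, account names, dates and addresses are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Every value below is a constructed assumption for illustration.
HOLIDAY_START, HOLIDAY_END = datetime(2025, 12, 24), datetime(2026, 1, 2)
ON_CALL = {"alice", "svc-backup"}                    # accounts scheduled to work over the break
KNOWN_DESTINATIONS = {"203.0.113.10", "203.0.113.25"}  # approved external endpoints
FAILED_LOGIN_LIMIT = 5                               # failures per user per hour
FILE_ACCESS_LIMIT = 100                              # file operations per user per hour

def sample_events():
    """Constructed events: (timestamp, user, event type, detail)."""
    ev = [("2025-12-25T03:00:%02d" % i, "bob", "login_fail", "198.51.100.7") for i in range(6)]
    ev.append(("2025-12-25T03:01:00", "bob", "login_ok", "198.51.100.7"))
    ev.append(("2025-12-25T03:05:00", "bob", "net_conn", "192.0.2.44"))
    ev += [("2025-12-25T03:%02d:%02d" % (10 + i // 60, i % 60), "bob", "file_access", "/finance/f%d" % i)
           for i in range(150)]
    ev.append(("2025-12-25T09:00:00", "alice", "login_ok", "10.0.4.12"))
    ev.append(("2025-12-25T09:02:00", "alice", "net_conn", "203.0.113.10"))
    return ev

def detect(events):
    """Return sorted (user, reason) alerts for the signals named in the checklist."""
    alerts = set()
    fails, files = Counter(), Counter()
    for ts, user, kind, detail in events:
        when = datetime.fromisoformat(ts)
        hour = when.replace(minute=0, second=0)      # hourly bucket for rate checks
        in_holiday = HOLIDAY_START <= when < HOLIDAY_END
        if kind == "login_fail":
            fails[(user, hour)] += 1
            if fails[(user, hour)] > FAILED_LOGIN_LIMIT:
                alerts.add((user, "failed-login burst"))
        elif kind == "login_ok" and in_holiday and user not in ON_CALL:
            alerts.add((user, "holiday login by account not on call"))
        elif kind == "net_conn" and detail not in KNOWN_DESTINATIONS:
            alerts.add((user, "connection to unknown destination " + detail))
        elif kind == "file_access":
            files[(user, hour)] += 1
            if files[(user, hour)] > FILE_ACCESS_LIMIT:
                alerts.add((user, "file-access spike"))
    return sorted(alerts)

if __name__ == "__main__":
    for user, reason in detect(sample_events()):
        print(user, "->", reason)
```

In a SIEM the same logic would be expressed as correlation rules, with the on-call roster loaded from the holiday schedule rather than hard-coded.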

Train employees and raise awareness 

  • Consider running specific training to raise awareness of holiday scams and cyber risks.
  • Run security awareness training and phishing simulations, especially before high-risk periods. This helps staff spot fake emails and social engineering attempts, even when busy or distracted.  
  • Embed a culture of “verify first, act later.” Teach staff to treat unexpected payment requests, password reset emails, or vendor-change messages with caution, and to always double-check via another channel (e.g. call the vendor directly, check with finance).

Harden supply chain and third-party vendor security 

  • Maintain an up-to-date inventory of all external suppliers, contractors, and SaaS vendors, and evaluate their cybersecurity posture (patching frequency, prior breaches, authentication practices, backup procedures).  
  • Build contractual and technical requirements for vendors, including MFA, regular security audits, minimal privileged access, and clear incident response plans.  
  • If possible, segment vendor access using network segmentation or zero trust principles so that a breach in a lower-security third party doesn’t give attackers full access to critical systems.  

Have a robust incident response and backup strategy 

  • Above all, make sure you have a robust incident response and backup strategy, just in case the worst does happen, and keep regular, tested backups of critical data and systems. If ransomware hits, clean backups and a working restore process are far better than paying a ransom.
  • Make sure you have a schedule of who is working, or at least on call, during the holidays.  
  • Consider doing a quick tabletop exercise in case there is an attack over the break, to ensure you know how to contact people and get the right folks on it. 