Security Strategy

When holiday hacks hit understaffed IT teams

Cybercriminals often encrypt when everybody’s out of office.

Dianna “Mick” McDougall


Like most people, IT pros need time off during the holidays to go shopping, scour the neighborhood for missing packages, and string up a few Christmas lights. But the end of the year is an especially tough time for the security department. Cyber scams are often executed during periods like the holidays, when IT teams might be understaffed.

Most phishing attacks occur between Black Friday and the end of the year, according to a 2022 analysis from the threat-intel company Cybersixgill, citing both an increase in toolkit purchasing and phishy discourse in underground forums leading up to the big shopping day. Phishing-related products offered for sale on underground markets were highest in the third quarter of 2022, according to the researchers.

When December arrives, an eight-person prime shift may be reduced to two, said Doug Saylors, partner and cybersecurity unit leader at the consultancy ISG. “You have reduced shifts, [but] you have the same, if not higher, number of alerts,” Saylors said.

As IT shops with employees out of office are hit with holiday-themed delivery notifications laced with malware, businesses increasingly need contingency plans that include automation, rehearsals, and basics like multi-factor authentication.

The season of giving…malware. A December report from security services provider Trustwave found a number of order scams and courier notifications containing malware. In one example, a phisher pretending to be DHL crafted a “delivery failed” email that contained a credential-stealing Trojan.

Holiday seasons are opportune times for cybercriminals, according to Oz Alashe, CEO of the data-analytics provider CybSafe. “Black Friday, people are expecting to get offers and deals with things that are too good to be true,” said Alashe. “Likewise, if you are trying to attack an organization and get access to an organization, you know [that] on a Friday, quite often people have started to think about the weekend.”

Ransomware, too. The holidays are a prime opportunity for bad actors to trick unsuspecting shoppers with fake charities and malicious links, CISA warned in November, but even a long weekend allows ransomware threat actors to start encrypting.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

“This tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time,” the agency announced in 2021, citing ransomware attacks on Mother’s Day, Memorial Day, and Fourth of July weekend.

Ransomware actors may be in a system for weeks before they begin encryption—a process that’s easier with fewer IT folks around.

Back up the truck. Automated tooling like SIEM and SOAR, and managed services like MDR, sort through logs and flag troubling events, such as suspicious logins or port scanning.

“A lot of the automation really is just about taking data from a whole bunch of different sources, correlating, aggregating, normalizing, and then sending out alerts and escalations based on either response or lack thereof,” said Jeffrey Wheatman, SVP at the security provider Black Kite.

Controls like multi-factor authentication and network segmentation—both recommended by CISA—also protect against ransomware, no matter who on the IT team is around.

Backup plans must be announced and practiced annually, said Saylors, and include everyone from HR to the CFO.

Give IT a rest. A 2022 study found that 59% of surveyed CISOs reported high rates of stress, with roughly a third reporting staff turnover concerns.

Employers must find resilient employees who can handle the off-hours work, said Alashe, but such strength takes many forms. “‘Resilient’ is also sticking your hand up and saying, ‘Okay, I'm struggling here…I need to either be reinforced or replaced for a period of time,’” said Alashe.

In other words: Take a vacation.—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
