Nightmare Before Christmas: Why Cyber Leaders Should Safeguard for the Holiday Season
September 28, 2022

Jeff Martin

Cybersecurity attacks increase each year over the holidays, and considering the spike in supply chain-based and zero-day attacks as of late, the 2022 holiday season is bound to be more extreme.

Some reports cite a 30% increase in ransomware attacks during that time year-over-year, and cybersecurity experts and officials alike warn of cybercriminals taking advantage of companies that let their guards down — especially during the holiday shopping season.

The holidays are right around the corner, so now is the time for developers to run stress tests and assess their code for vulnerabilities to mitigate a last-minute scramble.

Why? What worked last year might not work this year. Hackers and cyber attackers often move faster than companies — and they can target not only your organization, but also vendors whose code is embedded in your product.

Here are three steps business and security leaders can take now to bolster security for the holiday season:

1. Remediate your way out of being an easy target

Some organizations view security as an "I'll fix it later" problem, versus prioritizing mitigation of the issue in the first place. That's a risky, expensive mentality — ransomware payment amounts are up 12.7% from just two years ago, with an all-time high average cost of a data breach estimated at $4.35M. Further, putting security on the backburner inevitably creates a backlog of issues that will need resolving eventually, leaving engineers in an endless cycle of fixing.

This problem occurs year-round, but these backlogs get especially overwhelming during the holiday season, causing organizations to be a much easier target for hackers. One survey of cybersecurity professionals whose companies experienced a holiday or weekend ransomware attack found that despite 89% of respondents expressing concern about a repeat event, 36% of respondents reported having no contingency plans.

But most businesses can't afford to ignore security until a multi-million dollar cybercriminal attack.

Simply put, there is too much emphasis on detecting (acting reactively) and not enough time spent remediating (acting proactively). Remediation, particularly in a prioritized way, can transform your business from an easy target to a well-oiled machine, ready to thwart any potential threat.

2. Fortify manual efforts with automation

Automation excels where you want to reduce the developer hours spent on tedious tasks, such as detecting where sensitive data is stored or creating pull requests that are ready to merge. Developers who have automation tools at their disposal can spend more time focusing on the hard-to-remediate issues that require human judgment.

Automation can also reduce human error, which spares the entire team time, energy, and headaches. For example, there are tools that can help ensure issues or vulnerabilities get addressed correctly and efficiently, eliminating the impact of an incorrectly patched vulnerability or overlooked detail down the line.

Granted, good automated security practices require a sufficient amount of automated quality testing. You must ensure that fixing a security issue doesn't create an operational or functional problem. An updated and functional regression suite is a must.

Companies that don't fully leverage automation risk leaving themselves severely exposed and tend to be inadequately equipped to navigate the threats that continue to crop up, especially during the holiday season.

3. Cover your bases outside of the security team

Many cyber leaders are focused on security and developer teams to secure their businesses against holiday season cyberattacks. But efforts to secure important data and information should go beyond these teams, in the form of both company-wide education and safety guardrails related to sensitive information or data.

Important steps to take to close any gaps or potential entryways for attacks include:

1. Improving and enforcing cyber awareness training for staff, including non-technical teams. Refreshers on phishing scams, or on correspondence that asks for sensitive information or pushes links and downloads, can be helpful for employees at all levels and departments.

2. Mandating multi-factor authentication for important accounts. Making this extra layer of security a requirement for certain accounts, like employee email, moves the needle in making it harder for hackers to take advantage of known, weak or reused passwords to steal data.

3. Keeping software updated and backing up all important data. Employees across teams should be encouraged to keep their personal and company technology updated and consistently checked for viruses or malware. Even so, it's worthwhile to operate in the cloud (with the above guidance in place) or on-prem in a fashion that ensures the preservation of all important data.

Cybercriminals are banking on lax oversight during the holiday season, but organizations that take a vigilant, proactive, and remediation-first approach early on will present them with a more difficult challenge. Cyber leaders should consider the holiday season already underway, and act now to set their team up for success.

Jeff Martin is VP of Outbound Product at Mend