Nightmare Before Christmas: Why Cyber Leaders Should Safeguard for the Holiday Season
September 28, 2022

Jeff Martin
Mend

Cybersecurity attacks increase each year over the holidays, and considering the spike in supply chain-based and zero-day attacks as of late, the 2022 holiday season is bound to be more extreme.

Some reports cite a 30% increase in ransomware attacks during that time year-over-year, and cybersecurity experts and officials alike warn of cybercriminals taking advantage of companies that let their guards down — especially during the holiday shopping season.

The holidays are right around the corner, so now is the time for developers to run stress tests and assess their code for vulnerabilities to mitigate a last-minute scramble.

Why? What worked last year might not work this year. Hackers and cyber attackers often move faster than companies — and they can target not only your organization, but also vendors whose code is embedded in your product.

Here are three steps business and security leaders can take now to bolster security for the holiday season:

1. Remediate your way out of being an easy target

Some organizations view security as an "I'll fix it later" problem, versus prioritizing mitigation of the issue in the first place. That's a risky, expensive mentality — ransomware payment amounts are up 12.7% from just two years ago, with an all-time high average cost of a data breach estimated at $4.35M. Further, putting security on the backburner inevitably creates a backlog of issues that will need resolving eventually, leaving engineers in an endless cycle of fixing.

This problem occurs year-round, but these backlogs get especially overwhelming during the holiday season, causing organizations to be a much easier target for hackers. One survey of cybersecurity professionals whose companies experienced a holiday or weekend ransomware attack found that despite 89% of respondents expressing concern about a repeat event, 36% of respondents reported having no contingency plans.

But most businesses can't afford to ignore security until a multi-million dollar cybercriminal attack.

Simply put, there is too much emphasis on detecting (acting reactively) and not enough time spent remediating (acting proactively). Remediation, particularly in a prioritized way, can transform your business from an easy target to a well-oiled machine, ready to thwart any potential threat.

2. Fortify manual efforts with automation

Automation excels in areas where you want to alleviate developer hours spent, such as tedious tasks like detecting where sensitive data is stored or creating pull requests that are ready to merge. Developers who have automation tools at their disposal can spend more time focusing on the hard-to-remediate issues that require human judgment.

Automation can also reduce human error, which spares the entire team time, energy, and headaches. For example, there are tools that can help ensure issues or vulnerabilities get addressed correctly and efficiently, eliminating the impact of an incorrectly patched vulnerability or overlooked detail down the line.

Granted, good automated security practices require a sufficient amount of automated quality testing. You must ensure that fixing a security issue doesn't create an operational or functional problem. An updated and functional regression suite is a must.

Companies that don't fully leverage automation can risk leaving themselves severely exposed and tend to be inadequately equipped to navigate threats that continue to crop up, especially during the holiday season.

3. Cover your bases outside of the security team

Many cyber leaders are focused on security and developer teams to secure their businesses against holiday season cyberattacks. But efforts to secure important data and information should go beyond these teams, in the form of both company-wide education and safety guardrails related to sensitive information or data.

Important steps to take to close any gaps or potential entryways for attacks include:

1. Improving and enforcing cyber awareness training for staff, including non-technical teams. Refreshers on phishing scams, or correspondence sourcing sensitive information or soliciting links and downloads, can be helpful for employees at all levels and departments.

2. Mandating multi-factor authentication for important accounts. Making this extra layer of security a requirement for certain accounts, like employee email, moves the needle in making it harder for hackers to take advantage of known, weak or reused passwords to steal data.

3. Keep software updated and back up all important data. Employees across teams should be encouraged to keep their personal and company technology updated and consistently checked for viruses or malware. Even so, it's worthwhile to operate in the cloud (with the above guidance in place) or on-prem in a fashion that ensures the preservation of all important data.

Cybercriminals are banking on lax oversight during the holiday season, but by taking a vigilant, proactive, and remediation-first approach early on, they will be met with a more difficult challenge. Cyber leaders should consider the holiday season already underway, and act now to set their team up for success.

Jeff Martin is VP of Outbound Product at Mend
Share this

Industry News

March 21, 2023

OpenText launched the latest version of ValueEdge -- an innovative modular, cloud-based DevOps and value stream management (VSM) platform.

March 21, 2023

Oracle announced the availability of Java 20, the latest version of the programming language and development platform.

March 21, 2023

Rafay Systems introduced Environment Manager, a solution that empowers enterprise platform teams to improve the developer experience by delivering self-service capabilities for provisioning full-stack environments.

March 20, 2023

To meet the growing demand for Oracle Container Engine for Kubernetes (OKE) with global organizations, Oracle Cloud Infrastructure (OCI) is introducing new capabilities that can boost the reliability and efficiency of large-scale Kubernetes environments while simplifying operations and reducing costs.

March 20, 2023

Perforce Software joined the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program and listed its free Enhanced Studio Pack (ESP) in AWS Marketplace.

March 20, 2023

Aembit, an identity platform that lets DevOps and Security teams discover, manage, enforce, and audit access between federated workloads, announced its official launch alongside $16.6M in seed financing from cybersecurity specialist investors Ballistic Ventures and Ten Eleven Ventures.

March 16, 2023

Hyland released Alfresco Content Services 7.0 – a cloud-native content services platform, optimized for content model flexibility and performance at scale.

March 16, 2023

CAST AI has announced the closing of a $20M investment round.

March 15, 2023

Check Point® Software Technologies introduced Infinity Global Services, an all-encompassing security solution that will empower organizations of all sizes to fortify their systems, from cloud to network to endpoint.

March 15, 2023

OpsCruise's Kubernetes and Cloud Service observability platform is certified to run on the Red Hat OpenShift Kubernetes platform.

March 14, 2023

DataOps.live released an update to the DataOps.live platform, delivering productivity for data teams.

March 14, 2023

CoreStack and Zensar announced a strategic global partnership. CoreStack will provide its AI-powered NextGen cloud governance and FinOps capabilities, complementing Zensar’s composable cloud operations offering.

March 14, 2023

Delinea introduced the Delinea Platform, a cloud-native foundation for Delinea's PAM solutions that empowers end-to-end visibility, dynamic privilege controls, and adaptive security.

March 13, 2023

Sysdig announced a new foundation that will serve as the long-term custodian of the Wireshark open source project.

March 13, 2023

Talend announced the latest update to Talend Data Fabric, its end-to-end platform for data discovery, transformation, governance, and sharing.