Cyber Sunday: Beware holiday cybercriminals
They’re up to no good while we’re celebrating
By Brandon Blankenship, Cyber Sunday columnist
Dec. 15, 2024 5:00 am
It doesn’t take a stretch of the imagination to understand why criminals prefer to attack when your IT/Security staff and leadership are on vacation.
There is an uptick in cybersecurity attacks around Memorial Day, the Fourth of July, Thanksgiving, and, of course, the Christmas season.
After enjoying time with family and friends, and enjoying a couple of eggnogs, directors and other leadership might not be as responsive to those alerts via email or text. If you run a small business, it’s entirely possible that you don’t have 24/7 alerting and monitoring because of staffing or tooling constraints.
It’s not really anyone’s “fault,” but that doesn’t change the responsibility and reality of the situation. With kindness and frankness, the bad guys really don’t care about your budgetary constraints, and they don’t care that it’s Christmas.
Hacks don’t just happen to big companies
A common refrain from organizations that have not experienced a crippling cyber incident is “we’re too small, why would they target us?”
That’s a pleasant fiction, and the reality is that many of the tools that hackers use are automated and opportunistic. When the bad day comes, it may feel extremely personal, but it’s not for the attackers. They’re scanning, sending mass phishing emails and seeing what they can grab onto.
The fundamental concept is that being a small- or medium-sized business won’t protect you from an attack.
In many cases, it’s exactly the opposite because many of the larger businesses have devoted time, energy and resources into maturing their security posture.
The small- and medium-sized businesses, often in unregulated industries, historically have anemic security budgets, which make them easier targets for bad guys. It’s just less effort, from an attacker’s point of view.
Detection and response matter
Although we should put effort into asset inventory and prevention measures, a big part of cybersecurity is about what you do AFTER the indicators of compromise are detected.
In the NIST Cybersecurity Framework (CSF 2.0), half of the families of controls deal with detection, response and recovery.
Yes, we should try to prevent the incident, but we should plan on it happening, too. It’s not a matter of “if.” It’s a matter of “when.”
A good analogy is that we use our turn signals and drive the speed limit, but we also wear our seat belts. Those aren't mutually exclusive things. Do I wear my seat belt because I expect to get in a crash? Well, yes. Yes, I do. I’m proud to implement easy measures to limit the impact of adverse events.
Incident response retainer
Of course, we should enjoy our holidays, but now might be a good time to dust off that incident response plan and make sure that our escalation procedures work. A fast and appropriate response greatly limits the blast radius of an incident.
Reviewing your cyber insurance might be a good idea, as is ensuring you know who you will work with for technical investigation and triage. It’s best practice to have someone on a retainer so you don’t have to bother with putting together a Statement of Work (SOW) at 3 a.m.
If nothing else, be sure you have all the contacts programmed into your phone so if you have to respond to events, you’ll have one less thing to worry about.
Brandon Blankenship is the chief information security officer at ProCircular, a cybersecurity evangelist, and obsessively curious about how things work. Comments: bblankenship@procircular.com