Christmas should be a period of relaxation, celebration and festive fun, even in business. The holiday season coincides with the end of the year and is therefore a great time to reflect on the successes of the past year. However, businesses should be wary of the Christmas holidays as well. Data breaches, both for consumers and businesses, typically increase around this period, as hackers and fraudsters understand that people are at their most vulnerable when their guard is down.
The business wind-down before the holidays can be extremely dangerous for companies of all shapes and sizes. Only having skeleton staff present, while other employees either work remotely on insecure devices or are on annual leave, increases the potential for a data breach. Given that the average cost of data breaches has increased this year, businesses should be extremely wary of how their data is stored and handled - particularly during the Christmas holidays.
Here are some practical steps businesses can take to protect their confidential data during the festive season.
1. Deliver training
A business's chances of being the victim of cybercrime increase exponentially in the run-up to Christmas. With staff members primarily working from home, if not on annual leave, companies often become complacent about their security policies and make mistakes that they would not otherwise make.
Hackers take advantage of this false sense of security through phishing scams by disguising themselves as a member of the company or a trusted third party. These scams are typically carried out via email spoofing, in the hope that an employee opens the email and clicks on a link that gives the hacker access to their systems.
Another deceptive approach taken by holiday hackers is to carry out man-in-the-middle (MitM) attacks. With flexible working becoming an increasingly popular working arrangement, employees are likely to work remotely during the holidays to spend more time with their family, often using public Wi-Fi networks in coffee shops, trains and hotels. However, public Wi-Fi networks can be insecure, and competent hackers can compromise the private communications made from the employee's device, injecting new messages and impersonating the other party to make them reveal sensitive information.
Hackers will already be preparing for the holiday season, meaning those in leadership positions should do the same. Managers should deliver comprehensive training on how to avoid damaging data breaches and how to react should one occur. For example, employees should be taught how to create secure passwords that are unique and changed regularly, and the importance of not sharing them should be highlighted.
Training sessions should be delivered on spotting a potential phishing scam and how to alert the appropriate members of staff. Finally, companies can specify that only company-owned devices should be used for work-related activities, and that these devices should have strong passwords and only be used in locations with secure Wi-Fi networks.
2. Establish a clean desk policy
Cybersecurity is quite rightly a priority for many organizations. A recent report published by Beaming found that UK businesses are attacked online every 2.5 minutes. However, upper management often forgets the importance of securely storing and destroying sensitive paper documents. A report published by the ICO in 2016 showed that 40% of data security incidents were related to paperwork, indicating the risk of leaving private information like credit card details and payroll documents accessible to external parties.
Implementing a clean desk policy (CDP), whereby employees are asked to leave their workspaces clutter-free at the end of each day, offers a potential solution. Criminals can copy or steal hard copies of documents to commit fraud or blackmail employees, yet organizations can reduce this risk by regularly decluttering their workspaces and leaving no sensitive information on display.
Putting a clean desk policy into action is undoubtedly difficult, yet it remains achievable if the correct steps are taken from the outset. For example, the entire senior management team need to agree to commit to the policy; without pressure from the top, the average employee is unlikely to change their habits.
The policy should also be communicated across the company, perhaps through an email with the document attached. Explaining the reasoning behind the policy will help to get everyone on board and create a cohesive approach.
Finally, companies should make it easy for employees to store or dispose of their paper documents. A dedicated storage space for documents should be created, with strong security protocols in place to protect its contents. Waste paper should also be properly destroyed rather than thrown in bins or put through a standard office shredder. A simple solution could be to outsource the work to a specialist information management company in your area, saving your company time and money.
3. Increase physical security measures
In their efforts to implement cybersecurity measures, businesses should not neglect effective physical security - security measures that are designed to prevent theft or vandalism. Having staff physically present in the office is often the best deterrent against theft, yet having fewer members of staff present is unavoidable for most offices during the holidays. With fewer employees at their desks, external parties are more likely to breach the premises and take confidential information.
Steps should be taken to ensure access to the site is only granted to employees and their invitees, such as by introducing key cards and passcodes to enter the building. Likewise, the office space should be monitored regularly, both by security personnel and CCTV. Investing in high-quality alarms is always a good business decision.
The Christmas holidays should be a well-deserved break for your business, a time to relax and regroup before business continues in the New Year. However, with fewer employees working and more external parties wanting to do harm to your business, confidential data is at greater risk of being compromised. Nevertheless, if the appropriate steps are taken to protect your data, both through cyber and physical security measures, businesses can enjoy the holidays in peace.