While the holidays might look a bit different this year (thanks, global pandemic), some traditions never change. Giving gifts, playing with tech toys, awkward conversations with distant relatives, and a little too much eggnog are common no matter what health and safety measures are in place.
There’s another holiday tradition that is becoming increasingly common: cyberattacks.
The holidays are primetime for cyber-criminals for many reasons. Employees are busy and distracted. Email inboxes are flooded with messages from aggressive marketers and passive-aggressive family members. People are clicking around the internet trying to find the perfect gift, and spending hours on Zoom calls and online gaming sessions with family members and friends. It’s a busy time full of distractions.
Last year, a Scotiabank survey found that 60% of Canadians were concerned about falling victim to fraud during the 2019 holiday season. In the U.S., roughly 1-in-11,000 emails sent are phishing emails; however, once the calendar turns to November, this number jumps up to roughly 1-in-800 for the holiday season.
While 2020 stats aren’t out yet, we do know that COVID-19 has caused an increase in cyberattacks and phishing attempts across the board; for example, our annual cybersecurity survey found that a little over 1-in-4 Canadian organizations were targeted with a COVID-19 themed cybersecurity incident. When you consider that 48% of Canadians plan to buy mostly, if not exclusively, online this year, we can only assume that this holiday season scam and fraud numbers will be among the highest we’ve ever seen.
For IT and cybersecurity teams, this means that the months of November and December are a golden opportunity to run an awareness campaign within their organization, focusing on specific risks that are heightened during the holiday season such as travel, personal device use, and phishing scams that are specific to holiday shopping and deals.
In this post, we’ll cover several things you can do to engage your staff with a holiday-themed awareness campaign over the next few weeks to protect themselves and your organization.
Announce your campaign in a town hall or company-wide meeting
Every awareness campaign needs a launch or kick-off to generate awareness and buzz.
If you have a recurring company-wide meeting, such as an all-hands or a town hall, request 15 minutes to talk about cybersecurity going into the holidays.
If you don’t have access to a meeting like this, record a video of yourself and share it via email or in your internal messaging tool.
It’s important to add a face to your programs whenever possible. While it can be intimidating to start, having people see you talk about your awareness campaign will increase their engagement and make them feel like this campaign is designed specifically for them and your organization.
Your kick-off should talk about the specific problem you’re trying to solve in language that is easily understood and not intimidating to non-technical employees. For this campaign, you want to talk about a few major threats that are special to the holidays (like the ones mentioned above), what can happen if a criminal is successful in one of those attacks, and most importantly, how you’re going to train staff over the next few weeks. The goal is awareness, not punishment.
You don’t have to do this part alone. We highly recommend all cybersecurity awareness programs have marketing, communications, or HR teams involved since talking to people is literally their job. They can help you develop presentations, emails, and videos that catch the eyes of your staff, and can even help you have some fun with your campaign.
Assign a supplemental awareness training course
You don’t necessarily have to assign a dedicated “Cybersecurity for the Holidays” course—although if you do have access to one, it might be a great course to assign.
When picking a course to assign, you should be trying to promote training that covers the biggest threats you believe pose a risk to your organization. If you believe personal device use is the biggest risk to your organization, that should be the number one thing you try to address through your entire campaign, including the assignment of a dedicated course for that topic.
If there isn’t a specific threat you want to focus on, there are several great topics that are more important to focus on during the holidays:
When you assign your course, provide some extra information about why you’re assigning that specific course. For example, you might want to talk about how phishing scams increase during the holidays because criminals try to impersonate retailers and family members. That added context will make your training feel more relevant to your employees.
If you’re unable to assign a course before the holidays, don’t worry—the new year is a great time to send an annual cybersecurity refresher course to all your staff.
Send a shopping or holidays phishing test
Your courseware and communications don’t mean anything unless your employees get hands-on learning with a phishing email in their inbox.
If you’re already doing monthly or periodic phishing tests, this step is easy; simply swap out your generic phishing template with something that speaks to the holiday threats you’re talking about.
There are several templates that you can start with:
Marketing newsletters from a retailer
Charities requesting donations
Gift exchanges with coworkers or family members
If you’re using a sophisticated phishing testing tool, you can even tweak these templates to give them a holiday spin. Just don’t make your tests too hard or you’ll risk frustrating your staff instead of effectively training them.
For those who don’t do phishing tests, this is a golden opportunity to start. You can weave into your kick-off messages that phishing testing will be part of this campaign, making sure to spend some extra time to explain what a phishing test is and how your staff can report a suspicious email—real or simulated—to your team for review.