How to prepare your employees for holiday cyber risks

While the holidays might look a bit different this year (thanks, global pandemic), some traditions never change. Giving gifts, playing with tech toys, awkward conversions with distant relatives, and a little too much eggnog are common no matter what health and safety measures are in place. 

There’s another holiday tradition that is becoming increasingly common: cyberattacks.  

The holidays are primetime for cyber-criminals for many reasons. Employees are busy and distracted. Email inboxes are flooded with messages from aggressive marketers and passive-aggressive family members. People are clicking around the internet trying to find the perfect gift. Zoom calls and online gaming sessions with family members and friends. It’s a busy time full of distractions. 

Last year, a Scotiabank survey found that 60% of Canadians were concerned about falling victim to fraud during the 2019 holiday season. In the U.S., roughly 1-in-11,000 emails sent are phishing emails; however, once the calendar turns to November, this number jumps up to roughly 1-in-800 for the holiday season. 

While 2020 stats aren’t out yet, we do know that COVID-19 has caused an increase in cyberattacks and phishing attempts across the board; for example, our annual cybersecurity survey found that a little over 1-in-4 Canadian organizations were targeted with a COVID-19 themed cybersecurity incident. When you consider that 48% of Canadians plan to buy mostly, if not exclusively, online this year, we can only assume that this holiday season scam and fraud numbers will be among the highest we’ve ever seen. 

For IT and cybersecurity teams, this means that the months of November and December are a golden opportunity to run an awareness campaign within their organization, focusing on specific risks that are heightened during the holiday season such as travel, personal device use, and phishing scams that are specific to holiday shopping and deals. 

In this post, we’ll cover several things you can do to engage your staff with a holiday-themed awareness campaign over the next few weeks to protect themselves and your organization. 

Announce your campaign in a town hall or company-wide meeting 

Every awareness campaign needs a launch or kick-off to generate awareness and buzz. 

If you have a recurring company-wide meeting, such as an all-hands or a town hall, request 15 minutes to talk about cybersecurity going into the holidays.  

If you don’t have access to a meeting like this, record a video of yourself and share it via email or in your internal messaging tool. 

It’s important to add a face to your programs whenever possible. While it can be intimidating to start, having people see you talk about your awareness campaign will increase their engagement and make them feel like this campaign is designed specifically for them and your organization. 

Your kick-off should talk about the specific problem you’re trying to solve in language that is easily understood and not intimidating to non-technical employees. For this campaign, you want to talk about a few major threats that are special to the holidays (like the ones mentioned above), what can happen if a criminal is successful in one of those attacks, and most importantly, how you’re going to train staff over the next few weeks. The goal is awareness, not punishment. 

You don’t have to do this part alone. We highly recommend all cybersecurity awareness programs have marketing, communications, or HR teams involved since talking to people is literally their job. They can help you develop presentations, emails, and videos that catch the eyes of your staff, and can even help you have some fun with your campaign. 

Assign a supplemental awareness training course 

You don’t necessarily have to assign a dedicated “Cybersecurity for the Holidays” course—although if you do have access to one, it might be a great course to assign. 

When picking a course to assign, you should be trying to promote training that covers the biggest threats you believe pose a risk to your organization. If you believe personal device use is the biggest risk to your organization, that should be the number one thing you try to address through your entire campaign, including the assignment of a dedicated course for that topic. 

If there isn’t a specific threat you want to focus on, there are several great topics that are more important to focus on during the holidays: 

• Home network security 

• Internet-of-Things (IoT) devices 

• Social engineering and phishing scams 

• Remote work 

When you assign your course, provide some extra information about why you’re assigning that specific course. For example, you might want to talk about how phishing scams increase during the holidays because criminals try to impersonate retailers and family members. That added context will make your training feel more relevant to your employees. 

If you’re unable to assign a course before the holidays, don’t worry—the new year is a great time to send an annual cybersecurity refresher course to all your staff. 

Send a shopping or holidays phishing test 

Your courseware and communications don’t mean anything unless your employees get hands-on learning with a phishing email in their inbox.  

If you’re already doing monthly or periodic phishing tests, this step is easy; simply swap out your generic phishing template with something that speaks to the holiday threats you’re talking about. 

There are several templates that you can start with: 

• Delivery notifications 

• Marketing newsletters from a retailer 

• Charities requesting donations 

• Gift cards 

• Gift exchanges with coworkers or family members 

If you’re using a sophisticated phishing testing tool, you can even tweak these templates to give them a holiday spin. Just don’t make your tests too hard or you’ll risk frustrating your staff instead of effectively training them. 

For those who don’t do phishing tests, this is a golden opportunity to start. You can weave into your kick-off messages that phishing testing will be part of this campaign, making sure to spend some extra time to explain what a phishing test is and how your staff can report a suspicious email—real or simulated—to your team for review. 

Easily roll out automated, monthly phishing tests to all of your employees.

Learn more about CIRA Cybersecurity Awareness Training

Send a weekly newsletter 

For the duration of your campaign, you should send a weekly newsletter with tips, best practices, news articles, resources and blog posts that cover various holiday threats. 

When possible, try to link back the emails you write to your organization’s policies. For example, if you share a blog post about how to safely use personal devices when working remotely, provide an additional link to your organization’s device policy. 

You can also use this newsletter to explain the next steps or metrics around your awareness campaign. For example, if you run a holiday-themed phishing test, share those results in your newsletter so people know how the organization collectively did. 

There are many free tools that will let you easily create beautiful emails. This is a key area where a marketing or communications colleague can help you out. If you don’t have the ability to make something fancy, a regular email with some photos will do the trick. 

Talk about how to protect your families during the holidays 

Sometimes getting your people to care about cybersecurity in the workplace can be a difficult task. One way to get people to pay attention is to talk about how the education you’re providing can help protect themselves and their families outside of work.  

This is even more important as everyone winds down for the holidays and spends time visiting family and adding new toys and devices to their home networks. 

The general goal of cybersecurity awareness training is to get your staff to think a bit more about cybersecurity in general. Even if they ignore everything about how to protect themselves at work, but take positive steps to protect themselves at home, that’s should still be seen as a win in your books. Many of those behaviours will trickle back into your organization eventually! 

Have some fun and provide incentives 

Most importantly: it’s the holidays, so have some fun with your awareness campaign! 

Cybersecurity awareness training doesn’t have to be boring, and again this is really where a communications team can help you create an entertaining campaign that engages staff and makes your training stick. 

For example: if you’re recording a kick-off video for your campaign, throw on a costume. Use holiday stock photos in your email newsletters or courses. Send cards to all of your staff from the IT department with a poem in it about cybersecurity. These may seem silly but can an effective way to cut through the noise of work and make your training messages stick. 

As always, keep in mind what is appropriate for your organization. Keep things professional, use appropriate language, and keep holiday references neutral when possible.  

Finally, you can use incentives as positive reinforcement for staff members who participate in your awareness training campaign. For example, you can enter staff who complete your assigned cybersecurity courses into a raffle for a holiday gift basket filled with treats from local businesses.  

Regardless of what activities you plan, keep your campaign positive and celebrate wins. The holidays can be ripe for cybersecurity incidents and scams, and you shouldn’t be trying to add an extra layer of fear and compliance to an already stressful time. Keep it fun, reward positive behaviour and treat everything as a learning moment. If you do those things, you’ll close out your year with a successful and engaging holiday-themed awareness campaign that will make staff smile and teach them a thing or two about protecting themselves.

Go beyond the holidays and educate your staff on cybersecurity risks year-round with a simple, web-based training platform.

Book a demo of CIRA Cybersecurity Awareness Training today.