Holiday Security: Keeping Your Business Safe Over the Break


December and January are when Australian businesses are most vulnerable to cyber attack. Staff are on leave, response times are slow, and attackers know it.

Here’s how to secure your business over the holiday period.

Why Holidays Are Dangerous

Reduced monitoring. Whoever normally watches security alerts is probably on the beach. Attacks that would normally be caught quickly can go unnoticed for days or weeks.

Skeleton staffing. The few people working may not have the knowledge or authority to respond to incidents. Critical decisions wait until decision-makers return.

Extended dwell time. If an attacker gets in during the break, they have weeks to explore your network before anyone notices. More time means more damage.

Targeted timing. Attackers deliberately launch attacks during holidays, knowing response will be slower. Ransomware deployed on December 23rd catches businesses at their worst.

Holiday-themed phishing. Fake delivery notifications, charity scams, travel deals, and season-appropriate lures flood inboxes when people’s guards are down.

Before You Close

Update everything. Deploy patches now, while people are still around to handle any issues. You don’t want to discover a broken update when you return in January.

Verify backups. Confirm backups are running and test a restore. If ransomware hits over the holidays, backups are your recovery path.

Review access. Is anyone’s access expiring over the break? Are there temporary accounts that should be disabled? Are any contractors finishing up?

Set up monitoring alerts. Configure alerts to reach people who will actually be checking. A critical alert that goes to an inbox nobody reads for two weeks is useless.

Document who’s available. Create an on-call list with contact numbers for:

  • Someone who can make decisions about incident response
  • Someone with technical access to respond
  • Your IT provider’s emergency contact
  • Your cyber insurance’s incident line

Post this somewhere accessible, not just in email.

Brief whoever’s working. If you have staff covering the holidays, make sure they know:

  • What to watch for
  • Who to contact for what
  • What they can decide themselves vs. what needs escalation

Disable unnecessary access. If systems don’t need to be accessible remotely over the break, consider restricting that access temporarily.

Technical Controls to Verify

Check MFA is active. The holiday period is exactly when stolen credentials might be used. Verify MFA is working on all remote access points.

Review conditional access. Consider tightening policies temporarily - for example, requiring MFA on every login rather than skipping it on trusted devices, or blocking access from unusual countries.

Enable account lockout. Configure lockout policies for failed login attempts. Brute force attacks increase during holidays.

Check firewall rules. Any rules that need to be in place? Any that should be tightened temporarily?

Verify endpoint protection. Are all devices running current endpoint protection? Are they checking in with your management console?

Test backup restoration. Don’t just assume backups work. Actually restore something and verify.

Holiday-Specific Threats to Watch

Fake shipping notifications. “Your package couldn’t be delivered” emails spike during online shopping season. Train staff to go directly to courier websites rather than clicking links.

Gift card scams. “Hi, are you available? I need you to quickly buy some gift cards” texts or emails appearing to be from executives.

Charity phishing. Fake donation requests for appeals that look legitimate.

Out-of-office reply harvesting. Your automatic replies tell attackers who’s away and for how long. Consider not using them, or keeping them vague for external senders.

“Emergency” requests. Attackers impersonate executives with urgent requests, counting on skeleton staff being reluctant to verify or delay.

Over the Break

Check in periodically. Designate someone to briefly review security dashboards every few days. It doesn’t need to be deep - just a check for obvious problems.

Keep communication channels open. If something does happen, people need to be reachable. Have backup contact methods beyond just work email.

Be cautious with remote access. If you do work remotely over the holidays, follow normal security practices even if you’re at the beach house. Untrusted wifi, lost devices, and rushed decisions cause problems.

Returning to Work

Review what happened. When you return, check security logs for the period you were away. Any suspicious activity? Any failed attacks? Any alerts that weren’t actioned?
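One way to script that log review, as an added example that is not part of the original article: it filters sign-in events to the break window, then flags successful logins by staff who were on leave, bursts of failed logins from one source, and any success that follows such a burst. The log format, names, dates and thresholds are constructed assumptions; adapt the parser to whatever your identity provider exports.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "timestamp user source_ip result". Not real logs.
SAMPLE_LOG = """\
2024-12-19T08:55:02 alice 198.51.100.7 SUCCESS
2024-12-24T02:13:40 alice 203.0.113.50 SUCCESS
2024-12-27T03:00:01 svc-backup 198.51.100.20 SUCCESS
2024-12-28T23:10:00 carol 203.0.113.99 FAIL
2024-12-28T23:10:20 carol 203.0.113.99 FAIL
2024-12-28T23:10:41 carol 203.0.113.99 FAIL
2024-12-28T23:11:05 carol 203.0.113.99 FAIL
2024-12-28T23:11:30 carol 203.0.113.99 FAIL
2024-12-28T23:12:02 carol 203.0.113.99 SUCCESS
2025-01-02T10:00:00 dave 198.51.100.7 FAIL
2025-01-07T09:00:00 alice 198.51.100.7 SUCCESS
"""

# Assumed values: replace with your own closure dates and leave roster.
BREAK_START, BREAK_END = datetime(2024, 12, 21), datetime(2025, 1, 6)
ON_LEAVE = {"alice", "bob"}
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

def parse(log):
    """Yield (timestamp, user, ip, result) tuples; skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3])
        except ValueError:
            continue

def review(log):
    """Return findings for events that fall inside the break window."""
    findings, fails, flagged = [], defaultdict(list), set()
    for ts, user, ip, result in sorted(parse(log)):
        if not (BREAK_START <= ts < BREAK_END):
            continue
        if result == "FAIL":
            # Keep only this source's failures inside the sliding window.
            fails[ip] = [t for t in fails[ip] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[ip]) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                findings.append(("failed-login-burst", user, ip, ts))
        elif result == "SUCCESS":
            if user in ON_LEAVE:
                findings.append(("login-while-on-leave", user, ip, ts))
            if ip in flagged:  # a guess may have worked: treat as priority
                findings.append(("success-after-burst", user, ip, ts))
    return findings
```

A "success-after-burst" finding is the one to action first, since it separates a failed attack from a possible compromise.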

Catch up on patching. Security updates will have been released during the break. Get current quickly.

Reset temporary measures. If you tightened access controls or disabled systems for the holidays, restore normal operations deliberately.

Debrief on any incidents. If anything did happen over the break, conduct a proper review. What worked? What didn’t? What should change for next year?

A Holiday Security Checklist

Print this out and use it:

Before break:

  • Deploy outstanding patches
  • Verify backups and test restore
  • Review and clean up access
  • Configure monitoring alerts to reach available people
  • Document on-call contacts
  • Brief skeleton staff on incident response
  • Consider tightening conditional access temporarily
  • Communicate holiday security awareness to team

During break:

  • Check security dashboards periodically
  • Stay reachable for emergencies
  • Follow normal security practices if working remotely

Returning:

  • Review security logs for the holiday period
  • Deploy any missed patches
  • Restore normal access controls
  • Debrief on any incidents

The Worst-Case Scenario

If ransomware or another major incident does hit during the holidays:

  1. Don’t panic. Rushed decisions make things worse.
  2. Contact your on-call people. Use the list you prepared.
  3. Call your insurance. They have incident response resources.
  4. Isolate affected systems. Disconnect them from the network, but don’t turn them off.
  5. Document everything. Times, actions, observations.
  6. Don’t pay ransom quickly. Take time to assess options.

Having thought through this scenario beforehand makes it much easier to execute under pressure.

Enjoy Your Break

Security planning isn’t about creating anxiety. It’s about creating the conditions to relax without worry.

If you’ve done the preparation - verified controls, set up monitoring, documented contacts, briefed staff - you can enjoy your time off knowing that reasonable precautions are in place.

Threats don’t take holidays. But with proper planning, you can.

Happy holidays, and may your security dashboards stay green.