Are happy holidays ahead—for hackers?

Online shopping at work can put corporate networks at risk. Here is how to keep your clients and employees safe during peak gifting seasons.

Chris Crellin, senior director of product management, Barracuda MSP

The holiday shopping season is upon us, and it appears not only that consumers started shopping earlier this year but also that internet sales will continue to expand by as much as two-and-a-half percent between November 1 and December 31, according to Adobe.

With so much e-commerce happening between now and the start of the New Year, cybercriminals are wheeling out their annual bag of tricks, with visions of scamming shoppers out of their payment information and personal data dancing in their heads.

It’s no secret that employees tend to do some online shopping at work on Cyber Monday (and every other day). A 2019 report from advertising exchange OpenX and the Harris Poll found that 69 percent of consumers admitted to shopping at work. Among just millennials, that figure jumps to a whopping 81 percent. And that was before the pandemic and the increase in people working from home. Of course, e-commerce grew during the pandemic when people stopped going to stores in person. A recent Digital.com survey shows 62 percent of employees admit to shopping online during virtual work meetings. For millennials, that number is 71 percent. The survey also found that 30 percent of married employees with children shop online during virtual meetings.

Granted, those figures may say more about the value of virtual meetings than about employee performance, but they highlight the fact that staff are accessing e-commerce sites on corporate networks and hardware.

That not only leaves employees open to e-commerce scams but could also put company data and applications at risk. Those risks include several tried-and-true attacks – spoofed retail websites, credit card skimming, fake charities and gift exchanges, and data exposure when using public Wi-Fi networks. 

The risk is compounded during the holidays because IT and security staff may be on vacation – and cybercriminals know it.

What can companies do? Efforts to reduce this risk will vary based on the industry. For companies that require a high level of security (healthcare, government, etc.), the best response is to block e-commerce websites. For many companies, however, that type of policy may be seen as too punitive, and for some, allowing employees to take care of personal business at their desks is a common strategy for helping keep work-life balance in line.

For companies willing to accept that employees are going to shop at work, there are a few strategies that can help keep those activities secure and ensure everyone has a happy holiday.

Education is key. For MSPs and other providers, end-user training is always critical since employees are generally the weakest link when it comes to cybersecurity. Specific refresher training around the holidays can help tamp down poor cyber hygiene habits while enabling employees to spot common scams and use best practices. For example, employees should shop only from known websites, not click on ads, and take care when entering payment information.

Focus on holiday-specific cyber scams. This time of year, social media feeds are filled with ads boasting super low prices on hot consumer items – most of which are scams designed to steal credit card information. Ensure employees are trained to recognize phishing emails (with malicious attachments or claiming to be from a recognized retailer), spot the difference between a secure and an insecure website, and know how to best protect their passwords.

They should also be reminded to check their credit card transactions frequently – even if they are being careful, their data may have been stolen from an otherwise trustworthy retail or charity site that has been breached. Finally, encourage them to use third-party payment methods like PayPal or Google Wallet that can protect their information. (This does not necessarily affect corporate security, but companies will generally benefit if their employees practice good cyber hygiene 24/7, not just at work.)

Stagger IT and security staff vacations. One of the challenging things about working in IT is that you never really have time off – you are one notification away from being called back to work to handle an emergency. Everyone wants time to spend with families over the holidays. Try to find a way to distribute those days off fairly and equally, so you do not find yourself short-staffed during a peak cyber-attack period.

Encourage clients to leverage advanced security solutions that can automate and improve their defenses. For example, security tools that use artificial intelligence and machine learning can help scan for phishing emails that may otherwise go unnoticed by traditional software. As a result, they can help reduce the risk of employees clicking on a suspicious link or sharing personal information while on the company network. Automation can also help relieve the burden on IT and security staff (who often find themselves short-handed even outside the holidays) and allow them to focus on value-added end-of-year tasks.

The holidays can be risky when it comes to cybersecurity, but MSPs and their clients can take advantage of the season by reinforcing best practices. Additionally, both employers and employees benefit when everyone plays it safe while shopping – whether at work or home.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.