Nightmare Before Christmas: Why Cyber Leaders Should Safeguard for the Holiday Season
September 28, 2022

Jeff Martin
Mend

Cybersecurity attacks increase each year over the holidays, and considering the spike in supply chain-based and zero-day attacks as of late, the 2022 holiday season is bound to be more extreme.

Some reports cite a 30% increase in ransomware attacks during that time year-over-year, and cybersecurity experts and officials alike warn of cybercriminals taking advantage of companies that let their guards down — especially during the holiday shopping season.

The holidays are right around the corner, so now is the time for developers to run stress tests and assess their code for vulnerabilities to mitigate a last-minute scramble.

Why? What worked last year might not work this year. Hackers and cyber attackers often move faster than companies — and they can target not only your organization, but also vendors whose code is embedded in your product.

Here are three steps business and security leaders can take now to bolster security for the holiday season:

1. Remediate your way out of being an easy target

Some organizations view security as an "I'll fix it later" problem, versus prioritizing mitigation of the issue in the first place. That's a risky, expensive mentality — ransomware payment amounts are up 12.7%(link is external) from just two years ago, with an all-time high average cost of a data breach estimated at $4.35M. Further, putting security on the backburner inevitably creates a backlog of issues that will need resolving eventually, leaving engineers in an endless cycle of fixing.

This problem occurs year-round, but these backlogs get especially overwhelming during the holiday season, causing organizations to be a much easier target for hackers. One survey of cybersecurity professionals whose companies experienced a holiday or weekend ransomware attack found that(link is external) despite 89% of respondents expressing concern about a repeat event, 36% of respondents reported having no contingency plans.

But most businesses can't afford to ignore security until a multi-million dollar cybercriminal attack.

Simply put, there is too much emphasis on detecting (acting reactively) and not enough time spent remediating (acting proactively). Remediation, particularly in a prioritized way, can transform your business from an easy target to a well-oiled machine, ready to thwart any potential threat.

2. Fortify manual efforts with automation

Automation excels in areas where you want to alleviate developer hours spent, such as tedious tasks like detecting where sensitive data is stored or creating pull requests that are ready to merge. Developers who have automation tools at their disposal can spend more time focusing on the hard-to-remediate issues that require human judgment.

Automation can also reduce human error, which spares the entire team time, energy, and headaches. For example, there are tools that can help ensure issues or vulnerabilities get addressed correctly and efficiently, eliminating the impact of an incorrectly patched vulnerability or overlooked detail down the line.

Granted, good automated security practices require a sufficient amount of automated quality testing. You must ensure that fixing a security issue doesn't create an operational or functional problem. An updated and functional regression suite is a must.

Companies that don't fully leverage automation can risk leaving themselves severely exposed and tend to be inadequately equipped to navigate threats that continue to crop up, especially during the holiday season.

3. Cover your bases outside of the security team

Many cyber leaders are focused on security and developer teams to secure their businesses against holiday season cyberattacks. But efforts to secure important data and information should go beyond these teams, in the form of both company-wide education and safety guardrails related to sensitive information or data.

Important steps to take to close any gaps or potential entryways for attacks include:

1. Improving and enforcing cyber awareness training for staff, including non-technical teams. Refreshers on phishing scams, or correspondence sourcing sensitive information or soliciting links and downloads, can be helpful for employees at all levels and departments.

2. Mandating multi-factor authentication for important accounts. Making this extra layer of security a requirement for certain accounts, like employee email, moves the needle in making it harder for hackers to take advantage of known, weak or reused passwords to steal data.

3. Keep software updated and back up all important data. Employees across teams should be encouraged to keep their personal and company technology updated and consistently checked for viruses or malware. Even so, it's worthwhile to operate in the cloud (with the above guidance in place) or on-prem in a fashion that ensures the preservation of all important data.

Cybercriminals are banking on lax oversight during the holiday season, but by taking a vigilant, proactive, and remediation-first approach early on, they will be met with a more difficult challenge. Cyber leaders should consider the holiday season already underway, and act now to set their team up for success.

Jeff Martin is VP of Outbound Product at Mend
Share this

Industry News

April 03, 2025

StackGen has partnered with Google Cloud Platform (GCP) to bring its platform to the Google Cloud Marketplace.

April 03, 2025

Tricentis announced its spring release of new cloud capabilities for the company’s AI-powered, model-based test automation solution, Tricentis Tosca.

April 03, 2025

Lucid Software has acquired airfocus, an AI-powered product management and roadmapping platform designed to help teams prioritize and build the right products faster.

April 03, 2025

AutonomyAI announced its launch from stealth with $4 million in pre-seed funding.

April 02, 2025

Kong announced the launch of the latest version of Kong AI Gateway, which introduces new features to provide the AI security and governance guardrails needed to make GenAI and Agentic AI production-ready.

April 02, 2025

Traefik Labs announced significant enhancements to its AI Gateway platform along with new developer tools designed to streamline enterprise AI adoption and API development.

April 02, 2025

Zencoder released its next-generation AI coding and unit testing agents, designed to accelerate software development for professional engineers.

April 02, 2025

Windsurf (formerly Codeium) and Netlify announced a new technology partnership that brings seamless, one-click deployment directly into the developer's integrated development environment (IDE.)

April 02, 2025

Opsera raised $20M in Series B funding.

April 02, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, is making significant updates to its certification offerings.

April 01, 2025

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, announced the Golden Kubestronaut program, a distinguished recognition for professionals who have demonstrated the highest level of expertise in Kubernetes, cloud native technologies, and Linux administration.

April 01, 2025

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade internal developer portal based on the Backstage project.

April 01, 2025

Platform9 announced that Private Cloud Director Community Edition is generally available.

March 31, 2025

Sonatype expanded support for software development in Rust via the Cargo registry to the entire Sonatype product suite.

March 31, 2025

CloudBolt Software announced its acquisition of StormForge, a provider of machine learning-powered Kubernetes resource optimization.