


Insider Risk Insights - DTEX Blog

The Grinch of the Enterprise: Attackers That Take Advantage of Risky Employee Behaviors


With the holiday season upon us, it’s truly an incredible time of year. Folks are planning holiday get-togethers, searching for the perfect gifts for their loved ones, and radio stations are already playing (arguably too many) holiday tunes.

While everyone should embrace the holiday spirit and look forward to their extended breaks, it is more important than ever to understand that cyber criminals don’t observe the holidays. They work around the clock, 24×7, looking for any leverage they can use to catch organizations and their employees failing to follow proper cyber hygiene. And one of the primary ways they do this is by taking advantage of the holiday spirit.

Because of this, organizations need insight into the behaviors that employees typically exhibit around the holidays (and year-round as well) so that attackers playing The Grinch don’t get their hands on enterprise valuables. To help businesses protect their presents this year, I chatted with the rest of the I3 research team here at DTEX to pinpoint the employee behaviors that can introduce risk. Following are the things they shared that businesses should have a heightened awareness of this holiday season:

Non-traditional Shopping Sites
After reviewing our customer data, we found that during the year users typically only shop on the usual top five sites using their work computers, with Amazon taking the #1 spot. However, during the holiday season, they are much more inclined to make purchases from far more random sites, where especially flashy deals are thrown at them from Google, email, and social media ads. On average, users are going to 10-20 different sites for their holiday shopping needs, meaning that they can be more susceptible to scams and targeted phishing attacks this time of year.

For this reason, it’s important that organizations educate employees and understand how the actions taken by folks on their work devices can impact the business from a security perspective. This is true throughout the entire year, but is especially relevant during the holidays.

Personal Travel Booking
In addition to holiday shopping, there is a drastic 30% increase in employees planning personal travel on their personal devices throughout the holidays. Attackers are not ignorant of this and are likely to leverage this inclination to target individuals with once-in-a-lifetime deals on flights, hotels, rental cars, and more.

Again, this is another case where organizations should educate employees to look out for these types of scams. When in doubt, it’s never a good idea to click on a link from an ad or email. Do your own research on reputable sites to find travel deals.

Corporate Devices for Personal Use: Beware
At this time of year, it’s expected that employees are going to do some light holiday shopping or travel research/planning in between work tasks. From a security perspective, this is clearly less than ideal as folks are more susceptible to scams, email attacks, and other avenues where organizations can be compromised.

A key to combating this increased risk is gaining visibility into human behavior as employees interact with each other and use their corporate devices for more than just sending emails and completing their work. Additionally, internal security training on how to spot scams and phishing attempts can go a long way in protecting not just employees, but the business at large. These recommendations may seem simple to security-minded organizations, but the little steps go further than you would think for holistic enterprise protection.

The bottom line? Don’t use your corporate device for personal use and encourage your team members to steer clear of this behavior as well, as it could be introducing risk to your organization. Nobody likes a Grinch, so do your part to protect your company secrets!

Check out our resources page for more tips and tricks to keep your organization protected this holiday season and far into the new year.