The holidays are coming up quickly, and while many of us are looking forward to some downtime (the human kind, not the technical kind), some may be feeling the pressure and stress of making sure everything that needs to be done by the end of the year is in fact done by then, especially with the ongoing Log4j (aka Log4Shell) security fires. We checked in with some Information Security directors for advice on how tech managers can make sure security isn’t left out in the cold during the holidays.
Quick-fire questions and answers with Michelle Tolmay, Director of Information Security at Photobox:
Holidays are (as you know!) high time for e-commerce companies. How do your security routines look before and during the holidays?
Before the holidays a lot of work is done to baseline the outcomes of our various systems. Getting a good understanding of what is normal, means you can detect anything out of the ordinary quickly.
What are your top security tips for tech team leads entering the busy holiday season?
Malicious Actors don’t take time off for the holidays, so you can’t let your guard down.
Are there any common mistakes that one can easily make during the stress of the holidays?
It’s easy to bypass the processes when you’re tired and busy, but if your processes are cumbersome, spend the rest of the year refining your processes so they really are the easiest option.
As a team manager, is it noticeable in your team that the holidays are approaching? If so, how?
Definitely! A mix of happiness and exhaustion sets in this time of year. They’ve worked hard to deliver all their projects in readiness for Christmas. I see this time of year as time to reflect, and thank them for all their hard work.
If you’d like to hear more from Michelle Tolmay at Photobox, check out how they shifted the security culture at Photobox to become an enabler for faster business development.
Now let’s hear from Jonas Gille, Head of Information Security at Detectify, and his advice for stress-free holidays:
The holidays are a busy and maybe even distracting time of year. In your experience, how do security routines look before and during the holidays?
In the best of worlds, the routines around the holidays should look exactly like any other period of the year: make sure that regular hygiene factors such as patching are done in time (as it always should be), and you add some extra focus on the risks that your organization faces during holidays. If you have your hygiene factors in place, then addressing the unique risks is a good place to focus your energy.
If you know you will be short on staff that could manage an incident, then setting up an on-call schedule or alarm list is a good way to reduce the risk of not being able to respond in time. Bonus points for sending out a list of tips to all employees on how to protect themselves from phishing scams related to holiday shopping.
They say hackers (all hats) never take holidays. Do you usually see any unusual activity in the org network this time of year?
That’s what they say… the combination of unmonitored systems and unstaffed security programs sure sounds like a tasty cocktail for hackers.
For the sports fans, it’s a little bit like scoring a goal in a football match when the other team is on a timeout – it’s ugly, against the rules, but in the end, the ball hits the net. So yes, for many companies, holidays can be prime time for attacks and it’s not uncommon to see increased suspicious activity on the network. But before jumping on the panic train, one needs to understand whether this is a result of attacks, or that it becomes more distinguished due to the reduction of ordinary non-malicious traffic.
Let’s hope that the hackers can’t resist the Christmas spirit this year and take some time off to celebrate with their loved ones <3
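The two points above (Michelle's baselining of what is normal, and Jonas's caution that suspicious activity can look bigger simply because benign traffic drops over the holidays) can be checked mechanically. The following is an added example, not code from the post or from Photobox or Detectify: it assumes a constructed one-line-per-request log format (`<date> <ip> <status> <path>`) and treats 401 responses on `/login` as the suspicious event. It learns a per-day baseline from ordinary days, then classifies each holiday day by comparing both the absolute count of failed logins and their share of all traffic against that baseline.

```python
"""Baseline-vs-holiday check for failed-login volume (constructed example).

The classification distinguishes three cases:
  INVESTIGATE  - more failed logins than the baseline allows (real increase)
  VISIBILITY   - failed logins unchanged, but a larger share of total traffic
                 because benign traffic dropped (the holiday "looks worse" effect)
  BASELINE     - nothing out of the ordinary
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
import re

# Assumed log format for this example: "<YYYY-MM-DD> <client_ip> <status> <path>"
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<ip>\S+) (?P<status>\d{3}) (?P<path>\S+)$")


@dataclass
class DayStats:
    total: int = 0
    failed_logins: int = 0

    @property
    def share(self) -> float:
        """Fraction of the day's requests that were failed logins."""
        return self.failed_logins / self.total if self.total else 0.0


def parse_days(lines):
    """Aggregate raw log lines into per-day counters; malformed lines are skipped."""
    days = defaultdict(DayStats)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        stats = days[m["day"]]
        stats.total += 1
        if m["path"] == "/login" and m["status"] == "401":
            stats.failed_logins += 1
    return dict(days)


@dataclass
class Baseline:
    mean_failed: float
    sd_failed: float
    mean_share: float
    sd_share: float


def build_baseline(days) -> Baseline:
    """Mean and population std-dev of the daily count and daily share on ordinary days."""
    failed = [s.failed_logins for s in days.values()]
    shares = [s.share for s in days.values()]
    return Baseline(mean(failed), pstdev(failed), mean(shares), pstdev(shares))


def classify(day: DayStats, base: Baseline, k: float = 3.0) -> str:
    """k-sigma test on the absolute count first, then on the share of traffic.

    The std-devs are floored (1 event, 1 percentage point) so that a very
    quiet baseline cannot produce a zero-width tolerance band.
    """
    abs_high = day.failed_logins > base.mean_failed + k * max(base.sd_failed, 1.0)
    share_high = day.share > base.mean_share + k * max(base.sd_share, 0.01)
    if abs_high:
        return "INVESTIGATE"
    if share_high:
        return "VISIBILITY"
    return "BASELINE"


def make_day(day: str, benign: int, failed: int) -> list:
    """Constructed log lines for one day: `benign` catalog hits plus `failed` 401s on /login."""
    lines = [f"{day} 10.0.{i // 250}.{i % 250 + 1} 200 /catalog" for i in range(benign)]
    lines += [f"{day} 203.0.113.{i % 250 + 1} 401 /login" for i in range(failed)]
    return lines


def run_example() -> dict:
    """Five ordinary days of ~200 requests with ~10 failed logins, then three holiday days."""
    baseline_lines = []
    for date, failed in zip(
        ["2021-12-01", "2021-12-02", "2021-12-03", "2021-12-04", "2021-12-05"],
        [9, 10, 11, 10, 10],
    ):
        baseline_lines += make_day(date, benign=200, failed=failed)
    base = build_baseline(parse_days(baseline_lines))

    holiday_lines = (
        make_day("2021-12-24", benign=100, failed=10)   # same attacks, half the shoppers
        + make_day("2021-12-25", benign=100, failed=40)  # genuine spike in failed logins
        + make_day("2021-12-26", benign=100, failed=5)   # quiet day
    )
    return {day: classify(stats, base) for day, stats in parse_days(holiday_lines).items()}


if __name__ == "__main__":
    for day, verdict in sorted(run_example().items()):
        print(day, verdict)
```

Running it prints `VISIBILITY` for the 24th (10 failed logins, exactly the baseline, but now 9% of traffic instead of 5%), `INVESTIGATE` for the 25th and `BASELINE` for the 26th. The order of the two tests matters: checking the absolute count first means a real increase is never explained away as a traffic-mix effect.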
Do you do anything different in anticipation of the said change?
I strongly believe in consistency, therefore making drastic changes due to an upcoming holiday should be avoided unless explicitly needed to mitigate a risk. Instead, I try to focus on identifying weak spots in the daily security program to understand whether any systems or procedures face the risk of failing due to changes that come with the holidays, e.g. staff being on leave.
What are some common mistakes related to information security made by C-level or managers this time of year?
I think this varies a lot between companies, but I believe you can divide them into 2 groups:
- “The ones without a plan” – These are the ones who don’t take time to understand what their system environment looks like, what threats they are facing, and how their security capabilities will operate during holidays when staff is on leave. Often they don’t have a plan for how their security routines should look when running on limited resources and how to deal with potential incidents.
- “The ones with too many plans” – These are the ones who decide to do some late Christmas shopping and implement new systems and processes at the last minute, to reach a certain deadline or because they feel pressured to take advantage of a really nice discount. Implementations take time, and pushing them through under stress often leads to vulnerabilities opening up due to poor configurations. Such vulnerabilities may be prone to an attack, or an incident may become difficult to deal with during the time off.
As a team manager, is it noticeable in your team that the holidays are approaching? If so, how?
To some extent, yes. I’m not a psychologist, but one thing strikes me every time a holiday is closing in: the mind always reminds you of things that “would have been really nice to get done before the leave”, which brings us back to the common mistake earlier of having “too many plans”.
It’s also noticeable that cross-functional team resources get tied up in various projects, which increases the time to delivery for my projects.
What are your top security tips for tech team leads entering the busy holiday season?
- Invest the time to identify and document what your critical assets are
- Understand the risks and vulnerabilities associated with your critical assets
- Define who your threat actors are
- Review the incident response plan and keep the reduced resources in mind
- Patch everything you got
As mentioned earlier, holidays should not affect the security program to any larger extent.
As I see it, information security is not a sprint where you give everything you got for 100 meters, gasping for air, pat yourself on the back and say “well done Jonas”, and crawl back to the showers until it’s time for the next race. It’s an everlasting marathon where you need to keep on going at a steady pace, and sometimes give that extra push to climb a hill or stumble through some rocky terrain.
Automate attack surface monitoring for continuous coverage against web threats
Detectify is the only fully automated External Attack Surface Management solution powered by a world-leading ethical hacker community. By leveraging hacker insights, security teams using Detectify can map out their entire attack surface to find anomalies and detect the latest business critical vulnerabilities in time – especially in third-party software. The only way to secure your attack surface is to hack it but it doesn’t have to be complicated. With Detectify, continuous security starts with a few clicks. Start a free 2-week trial and go hack yourself.