Every year, the pattern repeats: small businesses get hit with business email compromise or ransomware during the weeks between Thanksgiving and New Year's. The timing isn't a coincidence.
Attackers know that holiday weeks mean skeleton crews, distracted employees, and pressure to handle urgent requests quickly. That "urgent wire transfer" from the CEO seems more plausible when the CEO is actually on vacation and verification is difficult.
Here's what organizations should do before the holidays.
Why Holiday Attacks Work
The psychology is simple:
Reduced verification. The person who would normally approve this request is traveling. The backup is hard to reach. The pressure to handle it quickly wins.
Increased urgency. Year-end deadlines, holiday orders, gift purchases—everything feels urgent. Attackers exploit this by adding urgency to their requests.
Changed patterns. People are working from unfamiliar locations, using unfamiliar networks, accessing systems at odd hours. Anomaly detection becomes harder when everything is anomalous.
Reduced monitoring. Who's watching the alerts? If something triggers at 11 PM on Thanksgiving, who responds?
Before the Break: The Checklist
Review Access
Spend 30 minutes reviewing who has access to your critical systems:
- Are there any accounts for former employees still active?
- Does everyone with admin access still need it?
- Are there any shared accounts that should be eliminated?
- Is MFA enabled everywhere it can be?
This is basic hygiene that should happen regularly, but the holidays are a good forcing function.
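The four questions above can be run as a quick script against an account export. This is an added example, not part of the original article: the CSV columns, the sample rows, the staff roster and the 90-day idle threshold for admin accounts are all assumptions, and "idle admin" is only a proxy for "still needs it."

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real product's schema.
ACCOUNTS_CSV = """username,owner,is_admin,mfa_enabled,last_login,shared
jsmith,Jane Smith,yes,yes,2024-11-18,no
bdoe,Bob Doe,no,yes,2024-11-20,no
mlee,Maria Lee,no,no,2024-11-19,no
tchan,Tom Chan,yes,no,2024-06-02,no
frontdesk,,no,no,2024-11-21,yes
"""
# Constructed HR roster of current employees.
CURRENT_STAFF = {"Jane Smith", "Bob Doe", "Maria Lee"}


def audit_accounts(csv_text, current_staff, today, stale_admin_days=90):
    """Return {username: [findings]} for accounts that fail a checklist item."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if row["shared"] == "yes":
            # Shared logins have no single owner to check against the roster.
            issues.append("shared account")
        elif row["owner"] not in current_staff:
            issues.append("owner not on current roster")
        if row["mfa_enabled"] != "yes":
            issues.append("MFA not enabled")
        if row["is_admin"] == "yes":
            # Assumption: an admin account unused for a long time is a
            # candidate for having its privileges removed.
            idle = (today - date.fromisoformat(row["last_login"])).days
            if idle > stale_admin_days:
                issues.append(f"admin idle {idle} days")
        if issues:
            findings[row["username"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_accounts(ACCOUNTS_CSV, CURRENT_STAFF, date(2024, 11, 22))
    for user, issues in sorted(report.items()):
        print(f"{user}: {'; '.join(issues)}")
```

Replace the constructed CSV and roster with exports from your own identity provider and HR system, mapping their column names to the ones assumed here.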
Verify Contact Information
If something happens during the holiday, can you reach the people who need to respond?
- Personal phone numbers for key staff
- After-hours contact for your IT provider/MSP
- Cyber insurance carrier's incident hotline
- Law enforcement contacts if needed
Don't assume you'll be able to find this information quickly during an incident.
Check Your Backups
Are backups actually running? When was the last successful backup? Has anyone tested restoring from backup recently?
A ransomware attack over the holidays is especially painful if your last good backup was three weeks ago.
Brief Your Team
Send a short reminder before people leave:
- Watch for urgent requests that bypass normal approval processes
- Verify any unusual payment or transfer requests through a known phone number
- Report anything suspicious immediately—don't wait until Monday
- Here's who to contact if something seems wrong
Keep it short. People are busy.
During the Holiday: What to Watch
Business Email Compromise
The classic holiday attack: an email that appears to come from the CEO asking someone in finance to wire money for an "urgent acquisition" or "vendor payment." The CEO is unreachable because they're on vacation. The pressure to act quickly is intense.
Defense: Establish that urgent payment requests require verification through a known phone number, not the number provided in the email. No exceptions.
Fake Shipping Notifications
"Your package couldn't be delivered—click here to reschedule." These spike during the holidays when everyone is expecting packages.
Defense: Remind employees to track packages through the carrier's official website, not links in emails.
Gift Card Scams
"I need you to buy some gift cards for a client holiday gift—I'll reimburse you." These target employees who might want to help the boss with a simple request.
Defense: Make it clear that leadership will never ask for gift card purchases via email.
Charitable Donation Fraud
Fake charities spike during the holidays. Some are crude; others are sophisticated impersonations of real organizations.
Defense: Donate directly through official charity websites, not through links in emails or social media.
For Remote Work and Travel
People working from hotels, airports, and family homes face additional risks:
- Use a VPN when accessing company resources from unfamiliar networks
- Don't leave devices unattended in cars or public places
- Update devices before traveling—patches often address actively exploited vulnerabilities
- Be cautious with public WiFi—assume it's monitored
The Coverage Question
Who's covering while key people are out? Is there someone who can:
- Respond to security alerts?
- Make decisions about shutting down systems if needed?
- Contact your IT provider or incident response team?
- Communicate with customers if there's an outage?
Even informal coverage is better than assuming problems will wait until Monday.
The Year-Round Lesson
The security practices that protect you during the holidays should be year-round habits:
- Verify unusual requests through known channels
- Don't let urgency override verification
- Keep access rights current
- Test backups regularly
- Have contact information for emergencies
The holidays just expose the gaps that exist all year.
