While it is essential for SaaS apps to undergo security checks year-round, the fourth quarter (Q4) is a good time for a more robust checkup that prepares a company for the new year and for holiday-related risks.
Recommended SaaS security checkup activities for Q4
1. Schedule annual security awareness training
The second half of the year is a great time to schedule your annual security awareness training for employees. This annual training should remind employees to:
- make strong passwords and manage passwords securely,
- avoid phishing and social engineering attacks,
- secure their hardware, and
- back up data.
Cybercriminals don’t take holidays; in fact, they bank on employees being distracted when they attempt phishing or social engineering attacks.
- Phishing attacks are emails or messages containing links that, when clicked, install and spread malware. Did you know that phishing attacks are more successful in December than in any other month of the year?
- Social engineering describes techniques in which an attacker tries to gain unauthorized access by impersonating someone who has access, or by tricking someone into revealing information that can be used for malicious purposes.
A Third-party Vendor Impersonation That Stole Millions
A hacker named Evaldas once managed to pilfer millions of dollars from Facebook and Google. He started at Facebook, where, after a meticulous process of social engineering, he gathered information on how the company processed payments for invoices and who the contacts involved in those transactions were. Eventually, masquerading as Facebook’s third-party vendor Quanta Computer, he tricked the accounts payable team into sending payments to his bank account instead of the intended recipient.
Security teams should also let their employees know where to report phishing attempts. Reporting phishing and scam attempts to your IT or security officers helps everyone stay aware of current threats.
2. Review your incident response policy internally and externally
Because incidents are more likely during the holidays, it is important to review your incident response policies both within your company and with any third-party vendors. Your policies should clearly document the security process, the responsible parties, and any contingencies for employees out of office.
3. Spread awareness of holiday-specific security risks
In addition to spreading general security awareness, make sure your team knows about these common holiday scams where criminals will pose as senior executives and vendors:
- Vendor Impersonation: Cybercriminals may impersonate trusted vendors or suppliers that a company regularly works with. They might send convincing emails or messages claiming there are last-minute changes to invoices or payment details due to holiday-related issues.
- Gift Card Scams: Attackers may send seemingly genuine emails to employees, posing as senior executives or supervisors, requesting gift cards as holiday gifts for clients or team members.
- Emergency Scenarios: Attackers might craft emails or messages that simulate an emergency, such as a critical holiday IT issue or a security breach, and request immediate access to sensitive systems or information.
It’s critical to be suspicious of any business messages that try to pressure you into a sense of urgency, even during the holiday season.
4. Spread awareness of risks while traveling
It’s best not to travel with your devices, but sometimes it may be necessary. Make sure such employees are aware of the following risks:
- Theft or loss: Taking company hardware on vacation increases the chance it can be lost or stolen. Always make sure company hardware is in a secure location.
- Public or open Wi-Fi: Employees should avoid connecting to public or open Wi-Fi access points. If it can’t be avoided, make sure employees know the importance of using a VPN when connecting to any Wi-Fi network the company does not own.
- Charging ports: Unknown USB charging points or even chargers can host malware threats. Employees should always use a known-safe charger and AC power ports.
The Holiday Heist Against Bangladesh Bank
The Bangladesh Bank Heist is one of the most audacious cybercrimes in recent history. In February 2016, cybercriminals managed to siphon off an astounding $81 million from the Bangladesh Bank’s account with the Federal Reserve Bank of New York. What makes this theft particularly intriguing is how the criminals strategically exploited the holiday season to maximize their gains.
During this cyber heist, the criminals infiltrated the bank’s systems and sent a series of fraudulent transfer requests to the Federal Reserve Bank. These requests appeared legitimate, mimicking the formatting and language typically used by the bank. They also used the SWIFT network, which is widely trusted for international financial transactions, adding a veneer of authenticity.
The heist unfolded during the Lunar New Year in Bangladesh, which coincided with Presidents’ Day in the United States, where the Federal Reserve Bank of New York was located. As key personnel in both Bangladesh and the United States were away from their offices, response times were significantly delayed.
Get ready for your Q4 SaaS security checkup
I hope this article helped you understand how a Q4 SaaS security checkup can help your company prepare to stay secure during the holiday season and all year-round. Learn more about Movius security, or schedule a demo and request our SOC 3 Report.
- Ransomware Awareness for Holidays and Weekends – CISA
- Cybercrime Doesn’t Take a Vacation – Dark Reading
- Bangladesh Bank Heist – Darknet Diaries
- Synthetic Remittance – Darknet Diaries