13/12/2025
Holiday Season Cyber Security and How to Stay Safe This December,
The holiday season brings opportunity and risk for business. Whether you're a sole trader or a team of 300, December often means increased activity, customer engagement, and, unfortunately, cyber threats. Cyber criminals know that businesses are busy, staff may be distracted or on leave, and IT resources are stretched. This makes the holidays a prime time for attacks such as phishing, ransomware, and data breaches.
Why are small businesses vulnerable?
According to the ASD Cyber Threat Report 2024-25, the average cost of a cyber incident for a small business is $56,600, not to mention the reputational damage and loss of customer trust.
Limited resources: Smaller businesses may lack dedicated IT staff or robust security.
Valuable data: Customer data, financial information, and sensitive health records is attractive to attackers.
Sophisticated attackers: Modern cybercrime is run by organised, multinational syndicates targeting businesses of all sizes.
Holiday-Specific Risks
Staff working remotely or on flexible schedules
Increased use of cloud services and mobile devices
Temporary staff or contractors with varying security awareness
Delayed response times due to reduced staffing
Why December Is High-Risk
Seasonal surge in scams: Cybercriminals know businesses are busy and staff are distracted. Fake invoices, refund scams, and phishing emails disguised as shipping updates are common.
Year-end financial activity: Attackers exploit payment cycles and invoice processing to launch Business Email Compromise (BEC) scams.
Reduced staffing: Many businesses operate with skeleton crews or close entirely, leaving systems unmonitored.
Top Cyber Threats This Holiday Season
Understanding the most common cyber threats is the first step to protecting your business, your customers, and your staff. The latest ASD Cyber Threat Report highlights some of these risks.
1. Business Email Compromise (BEC)
BEC scams are Australia’s most expensive cybercrime. Attackers impersonate suppliers or staff to request urgent payments or purchase gift cards. Small to medium-sized businesses are particularly vulnerable due to limited verification processes.
2. Ransomware
The Australian Signals Directorate (ASD) Cyber Threat Report 2024-25 identifies ransomware as one of the most disruptive cyber threats for Australian businesses. Ransomware attacks and data breaches increased in frequency over the past year, with cybercriminals using stolen credentials and malware to compromise networks and extort victims. These attacks often result in significant financial loss, operational downtime, and reputational damage.
ASD notes that ransomware campaigns frequently exploit unpatched systems and weak security practices. Businesses of all sizes remain attractive targets due to the value of their data and the potential for payment under pressure.
3. Supply Chain Attacks
Supply chain attacks occur when cybercriminals exploit vulnerabilities in third-party vendors or service providers to gain access to your systems. These attacks can be difficult to detect because they often originate from trusted partners.
4. Phishing and Social Engineering
Phishing remains one of the most common entry points for cyber attacks. During peak periods such as holidays, attackers often send emails disguised as special offers, shipping notifications, or urgent requests. These messages are designed to trick recipients into revealing sensitive information or clicking on malicious links. The Australian Signals Directorate (ASD) notes that these attacks frequently bypass technical controls by exploiting human behaviour, which makes staff awareness and training an important factor in reducing risk.
Practical Steps to Secure Your Business
Review and Update Security Policies: Before the holiday rush, review your cyber security policies. Ensure all staff are aware of their responsibilities, especially regarding remote work, device usage, and reporting suspicious activity.
Patch and Update All Systems: Cyber criminals exploit outdated software. Schedule updates for operating systems, applications, and security tools before the holidays begin.
Strengthen Authentication: Implement strong password policies and enable multi-factor authentication (MFA) on all accounts, especially those with access to sensitive data.
Backup Critical Data: Follow the 3-2-1 backup rule: keep three copies of your data, on two different media, with one copy offsite. Test your backups to ensure they can be restored quickly in case of an incident.
Educate Your Team: Run a quick refresher on how to spot phishing emails, suspicious links, and social engineering tactics. Remind staff to be cautious with unfamiliar attachments or requests for sensitive information.
Limit Access: Review user permissions and restrict admin privileges to only those who need them. Remove access for temporary staff or contractors who no longer require it.
Prepare an Incident Response Plan: Ensure everyone knows what to do if a breach is suspected. Have clear steps for reporting, containing, and recovering from incidents.
Holiday Cyber Security Checklist
All devices and software are updated and patched.
Strong passphrases and MFA enabled.
Critical data backed up, recovery tested, and documented.
Staff briefed on cyber threats and reporting procedures.
Access rights reviewed and updated.
Incident response plan in place and communicated.
Final Tips for a Secure Holiday Season
Schedule a pre-holiday security review with your TSSP.
Set up alerts for unusual account activity or login attempts.
Ensure someone is available to respond to incidents, even during office closures.
Remind staff to be extra vigilant with emails and links, especially those related to holiday sales or urgent requests.
Review your suppliers’ security practices to reduce supply chain risk.
The holidays should be a time of celebration, not crisis. By taking proactive steps and partnering with a trusted Technology Services and Security Provider like Harvey Norman Technology for Business, SMEs and sole traders can enjoy peace of mind and keep their businesses safe from cyber threats.
