Turning Cyber Risk Into An Easy Boardroom Conversation Using NCSC’s CAF 4.0 and Hexiosec ASM
Rob Wright
24 November 2025
The holiday season is upon us; for many, it is a time for celebration and relaxation after a busy year. Unfortunately, it’s also prime time for cybercriminals.
In December 2023, there was a surge in cyber-attacks, with an increase of 187% for security-related incidents, and a staggering 332% increase in breached records. Cybercriminals are looking to take advantage as businesses wind down for the festive break.
We’ve compiled our top tips to help businesses stay cyber-safe over the Christmas break with actionable advice you can implement to avoid falling victim to these festive grinches!
After a busy 2024 for many businesses, they quite rightly shut down for an extended period or give their employees additional time off with friends and family. This leaves many organisations with skeleton crews or, sometimes, no staff over the festive break. This reduction in staff makes it harder to monitor systems and respond to threats promptly. Attackers could exploit this lull to deploy malware or launch targeted campaigns against vulnerable assets or devices.
With fewer staff available to respond manually to incidents, some businesses will need to set up automated solutions to help them detect these threats. Alongside this, a well-thought-out escalation process should be implemented before staff take their breaks, so that in the event of a cyber incident there is a clearly defined plan in place to handle any issues.
By starting to prepare now, you can ensure that should the worst happen, you are in a position to respond in a timely and effective manner.
During the festive period, scammers utilise various techniques to exploit employees and businesses. From festive-themed emails promoting fake websites to bogus delivery emails and even the age-old gift card scams from the CEO, there are many ways to be caught out.
Whilst many organisations still default to phishing training, people are always going to fall for well crafted phishing. As ever, the focus for defence should be on the protections around them: measures such as MFA and detection and response of unusual sign-ins.
However, reminding staff of the threats and the way to respond is always useful, especially during busier times. You should also encourage them to verify unexpected emails, especially during the holidays, as spoofed email addresses can obfuscate the genuine sender (our “How to Safely Check Suspicious Emails” blog has lots of helpful tips you can use).
Organisationally, configure protections to block suspicious communications and ensure you have the correct SPF, DKIM, and DMARC settings. Below are some useful tools to help your employees stay safe during the holidays:
Businesses often postpone system updates before or during busy holiday periods, as priorities are usually focused on completing other tasks before the end of the year. Plus, no-one wants to break something just before a holiday.
This potentially leaves systems and software with unpatched vulnerabilities over the festive break. Attackers routinely use automated systems to identify vulnerabilities in organisations and target known weaknesses that are easy for them to take advantage of.
Organisations need to understand where they are exposed to vulnerabilities, and schedule critical updates before the holiday season to secure their cyber defences – as ever, the key is planning ahead.
Today’s connected digital ecosystems mean businesses often work with additional vendors for logistics, marketing, or seasonal sales, and such suppliers often have direct connections to their customers’ applications and networks. Compromised third-party systems can provide attackers with a backdoor into your network, even if your systems are otherwise secure.
It’s critical to assess vendor cyber security practices before collaboration. Even if you are already working with third parties without having completed due diligence on their systems, you can use passive scanning tools like Hexiosec ASM to assess their cyber security and understand their risks to your systems. Alongside this, using secure file transfer systems like Hexiosec Transfer and enforcing access controls can help you minimise your risk exposure during the festive period.
The festive period doesn’t have to be a season of cyber security stress! By planning ahead, staying vigilant, automating your defences, and educating employees, your business can enjoy the holidays securely. The right tools and proper preparation are the best gifts you can give your organisation this festive season.
Discover how Hexiosec ASM can help you stay ahead of most of the cyber security challenges you will face over the festive period:
Book a demo of Hexiosec ASM today