Summer Cybersecurity Checklist for Regional Businesses


Christmas breaks create cybersecurity risks. Reduced staffing, delayed response times, and distracted operators create opportunities criminals exploit.

Before you close for the break, complete this checklist.

Immediate Actions

Password Audit

Change critical passwords: Admin accounts, banking, key business systems. If you haven’t changed them in 6+ months, do it now.

Enable two-factor authentication: On every system that offers it. Email accounts are the priority, because a compromised email account enables most other attacks.

Disable unused accounts: Former employees, old vendor access, trial accounts you forgot about. Delete or disable them.

Check password manager: If you use one, ensure it’s backed up. If you don’t, the break is a good time to set one up.

Email Security

Review email forwarding rules: Criminals sometimes add rules that forward copies of your email to them. Check for any you didn’t create.

Check connected applications: Review what third-party apps have access to your email. Remove anything you don’t recognise or use.

Test recovery options: Verify you can recover your email account if needed. Test backup email addresses and phone numbers.
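
The forwarding-rule review above can be scripted once the rules are exported from your mail system. The following is an added example, not part of the original checklist: the JSON layout, field names and addresses are constructed for illustration, so adapt them to whatever your mail provider's export actually contains.

```python
import json

# Constructed sample export. Field names ("mailbox", "rule", "forward_to")
# are hypothetical and do not match any specific mail provider.
SAMPLE_EXPORT = """
[
  {"mailbox": "accounts@example.com.au", "rule": "Supplier invoices",
   "forward_to": ["bookkeeper@example.com.au"]},
  {"mailbox": "owner@example.com.au", "rule": ".",
   "forward_to": ["inbox.copy@mail-archive.example.net"]},
  {"mailbox": "sales@example.com.au", "rule": "Leads to CRM",
   "forward_to": ["intake@crm.example.org"]},
  {"mailbox": "admin@example.com.au", "rule": "Newsletters", "forward_to": []}
]
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_forwarding(rules, own_domains, approved_external=frozenset()):
    """List (mailbox, rule, target) for every forward that leaves the business.

    Domains are matched exactly, never by suffix, so a lookalike such as
    'evil-example.com.au' is not mistaken for 'example.com.au'.
    """
    own = {d.lower() for d in own_domains}
    approved = {a.lower() for a in approved_external}
    findings = []
    for rule in rules:
        for target in rule.get("forward_to", []):
            target = target.strip().lower()
            if domain_of(target) in own or target in approved:
                continue  # internal, or an external address you set up yourself
            findings.append((rule["mailbox"], rule["rule"], target))
    return findings


if __name__ == "__main__":
    rules = json.loads(SAMPLE_EXPORT)
    for mailbox, name, target in audit_forwarding(
            rules, {"example.com.au"}, {"intake@crm.example.org"}):
        print(f"REVIEW: {mailbox} rule {name!r} forwards to {target}")
```

Anything the script reports is a rule to confirm with the mailbox owner and remove if nobody created it.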

Backup Verification

Run backups: Ensure you have a current backup of all critical data.

Test restoration: Actually restore something from backup. Backups you can’t restore are worthless.

Offline copy: Create an offline copy of critical data. USB drive or disconnected external drive. Ransomware can’t encrypt what’s not connected.

Cloud backup check: If using cloud backup, verify it’s current and accessible.

System Updates

Update all devices: Computers, phones, tablets, network equipment. Install available updates before the break.

Update business software: Accounting, CRM, other critical applications.

Update website: WordPress plugins, themes, and core. Outdated websites are common attack vectors.

Check antivirus: Ensure protection is current and active on all devices.

Staff Communication

Security Reminders

Phishing awareness: Remind staff that Christmas-themed scams are common. Gift card requests, shipping notifications, fake invoices.

Verification procedures: Reinforce that any requests to change payment details or transfer money must be verified by phone.

Reporting procedures: Ensure staff know how to report suspicious emails or activity, even during the break.

Access Management

Who has access while you’re away? Limit to those who need it.

Can you remotely revoke access if needed? Know how, and have contact details on hand.

Emergency contacts: Staff should know who to contact for security emergencies.

Physical Security

Devices

Secure unattended devices: Laptops and tablets should be locked away, not visible through windows.

Log out of everything: Don’t leave devices logged into sensitive systems.

Remove sensitive data: USB drives, printouts, written passwords—secure or destroy.

Office Security

Alarm systems: Verify they are working and monitored.

Access records: Know who has physical access to your premises.

Mail collection: Arrange collection or holding. Accumulated mail signals empty premises.

During the Break

Monitoring

Set up alerts: Have critical system alerts sent to whoever is monitoring.

Financial monitoring: Enable transaction alerts on business accounts.

Website monitoring: Free services can alert you if your website goes down.

Response Plan

Emergency contacts: Who handles what if something happens?

Incident response: What steps to take if a security incident is suspected?

IT support access: Can you reach help if needed?

Common Christmas Attacks

Invoice Fraud

Criminals send fake invoices mimicking your regular suppliers, hoping holiday distraction reduces scrutiny.

Defence: Verify any unusual invoices or changed bank details by phone before paying.

Gift Card Scams

Fake requests from “the boss” asking someone to buy gift cards urgently.

Defence: Always verify such requests directly with the person, using known contact methods.

Shipping Notifications

Fake delivery notifications leading to malicious websites or attachments.

Defence: Don’t click links in unexpected shipping emails. Go directly to carrier websites.

Charity Scams

Fake charitable appeals exploiting holiday generosity.

Defence: Donate directly to charities you know, not through links in emails.

Quick Wins

If time is limited, prioritise:

  1. Enable two-factor authentication on email accounts
  2. Run and verify backups
  3. Install pending updates
  4. Remind staff about verification procedures
  5. Set up basic account alerts

These five actions prevent most common attacks.

After the Break

First Day Back

  • Check for unusual account activity
  • Review any security alerts
  • Verify backup systems are still working
  • Check website and online services

Ongoing

  • Maintain the good habits you’ve established
  • Schedule regular security reviews
  • Stay current on emerging threats

Cybersecurity isn’t a once-a-year consideration, but the Christmas break is a high-risk period that warrants extra attention.

Complete this checklist before you leave, and you’ll significantly reduce your risk of starting the new year with a security incident.

For regional businesses wanting expert guidance on cybersecurity, the Team400 team can help assess your security posture and implement appropriate protections.