'Tis The Season To Evaluate Cyber Readiness And Resilience

The holiday season is a time of celebration,but it's also a prime opportunity for cyber threat actors. With many employees on leave and organizations operating with reduced staffing, malicious activity can go unnoticed. Threat actors can exploit moments when individuals are more helpful or less vigilant, making the holidays a particularly vulnerable time.

Now is an ideal moment to review your organization's cybersecurity policies, procedures, practices, personnel readiness, and training protocols.

Building Readiness and Resilience

Many organizations conduct tabletop exercises to test their incident response plans. Yet, many remain underprepared for disruptive cyber incidents that may take weeks – or even months – to resolve. Often, multiple plans exist across departments, but they may not be integrated or rationalized at the enterprise level. Preparation should address:

• Strategic Alignment: Policies should provide high-level strategic direction, while procedures offer detailed guidance tailored to incident response, business continuity, disaster recovery, communications, and other critical functions.
• Business Change Challenges: Organizations undergoing expansion, reduction, or M&A activity should consider how to update and harmonize cybersecurity policies and procedures as well as employ more rigorous security testing and monitoring. These transitions are high-risk periods, and outdated documentation can create confusion – and technical gaps may leave openings for threat actors.
• Operational Capacity: Ensure your organization has the communications posture and personnel resources to manage normal business operations, respond to incidents, and meet mandatory reporting obligations simultaneously.

Readiness

Cyber defense is increasingly complex. Security tools may address known vulnerabilities but leave unknown gaps. Budget constraints often force organizations to choose between deploying new tools or conducting assessments.

• Tips: Budget in advance as a way to continually verify your security posture. Use automated tools to continuously assess your environment and consider engaging third-party assessors for independent validation and review, under attorney client privilege where appropriate.

Resilience

• Leadership and Culture: True resilience requires more than technology; it demands a culture of preparedness. Regular exercises, ongoing testing, and a willingness to expose and address weaknesses are essential.

With respect to security culture, government entities investigating organizations may take note of it, too. Creating a strong security culture will help you demonstrate the organization's consistent and prioritized approach to security. In enforcement actions, the Federal Trade Commission (FTC) and other agencies have alleged failures of companies to implement reasonable data security measures, particularly in the wake of major data breaches. Likewise, the Cyber Safety Review Board (CSRB), established under Executive Order 14028, published a report that evaluated some corporate cybersecurity cultures and practices, mentioning positive security steps as well as alleging areas of deficiencies and recommended improvement. Although the CSRB is currently inactive (following the dismissal of all board members in January 2025), its work shows how many in government view cybersecurity practices and culture.

• Operational Readiness: Every employee has an essential role in cybersecurity and incident response. Threat actors often target help desk personnel to gain illegal access into networks and data and target finance staff to pressure them to transfer funds. Remind front-line personnel that taking time to perform verifications and following company protocols is appropriate and expected and reassure them that leaders will not pressure them to deviate from security protocols. Encourage personnel to report suspicious emails, links, or other communications. Inform your workforce of ways to alert security and get additional help if cyberattacks turn personal. Prepare emergency schedules and backup coverage for key personnel, ensure 24/7 decision-making authority, and plan for extended recovery periods. Major incidents often require coordination across legal, technical, insurance, communications, and law enforcement teams. Having a plan for coverage can provide for more reliable scheduling.

Testing Under Stress

Tabletop exercises are useful–but sometimes are too narrowly scoped. They may not reveal the cracks that emerge under the pressure of a real incident. Stress testing in anticipation of weeks or months of business disruption is essential. For holiday planning in particular, consider addressing challenges related to communications, personnel planning for availability, and access to all necessary resources. Unfortunately, cyber threat actors continue using and refining attack techniques that exert pressure and may threaten employees or their families. Preparing employees to withstand such pressure and seek assistance quickly will demonstrate care as well as preparedness.

Live Exercises: Think of fire drills. We don't just talk about evacuation; we practice it. Yet few organizations conduct live cyber incident simulations. To limit downtime, consider using virtual environments or digital twins to simulate high-impact scenarios.

Cyber resilience isn't built overnight. It's the result of deliberate planning, cross-functional coordination, and a culture that prioritizes security. As the holiday season approaches, take time to strengthen your defenses–before threat actors take advantage of the season's distractions.

* Erin Joe is not admitted to the District of Columbia Bar. Supervised by principals of the firm who are members of the District of Columbia Bar.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.