
12 steps to protect your business from cybercrime this Christmas

Out of office doesn't mean out of mind - remember to keep your business secure over the Christmas holidays otherwise you'll be as grumpy as the Grinch! But don't forget we're here, along with all the other regional Cyber Resilience Centres in the UK, in a Yuletide emergency, to put a great big smile on somebody's face.

Picture this: the clock is close to striking five on Friday, December 24; keys in hand you’re ready to lock the office doors and send your staff home for the festive season. You’re already daydreaming of relaxing by the fire with a glass of mulled wine. But this all gets rudely interrupted at 4.55pm when all your systems go down.

Would you know who to call if you found yourself in this situation? What actions would you take if this happened on Christmas Day, or the days in-between Christmas and New Year’s Day? Would you know how to reach your key contacts if there was a total system lockout?

Christmas, when your business defences are down and the majority of the workforce is out of the office for an extended period, presents a prime opportunity for a cybercriminal to buy more time and poke around in your systems undetected.

In the days leading up to July 4, a cybercrime gang infiltrated US IT firm Kaseya and posted a $70m ransom demand on the business’s blog on Independence Day. It had global repercussions affecting more than 1,000 companies in their supply chain.

But you don’t need to be turning over millions to attract the bad guys. In fact, it’s the micro and smaller-sized enterprises that are uniquely at risk. Your business’s digital door may be shut, but are you confident that it’s locked securely? It doesn’t take much for hackers to barge their way in and gain access to sensitive data, and if vulnerabilities aren’t appropriately identified and fixed, you could end up being repeat business for online criminals.

A report by telecoms giant Vodafone found that more than 1.3 million small and medium-sized businesses across the UK could fold given the cost of an average cyberattack, which government data states is nearly £8,500 - a sobering thought indeed. We hope this never happens to you.

Ways to protect your business this Christmas

Organisations and business owners are now gearing up for the Christmas period, which means radars should be on a higher alert due to increased risk exposure and more of your staff heading off for annual leave.

We can’t stress enough how important having a security plan is for SMEs. The National Cyber Security Centre has provided preparatory guidelines in five simple steps - think of this invaluable resource as your response and recovery bible - to lessen the impact should an attack occur.

12 Tips to stay secure this Christmas

  1. Use a Password Manager to keep track of your passwords - don't write them down on post-it notes!

  2. If you receive an email or text message and you’re unsure that it is genuine, don't click any links or open any attachments. Clicking a link in a phishing email could download viruses onto your computer, or steal personal information. Send suspicious emails to the Suspicious Email Reporting Service and forward any suspicious text messages to 7726.

  3. If you purchase any new devices this month, don't forget to install the latest updates and patches. Installing the latest updates can stop criminals from exploiting faults in old systems or software.

  4. When you use different passwords for your important accounts, it can be hard to remember them all. A good way to create strong, memorable passwords is by using 3 random words (for example, teakettlebarbecue) and adding numbers and/or special characters after them (teakettlebarbecue87!).

  5. Avoid giving hackers the toolkit to attack your website: make sure you have a website firewall installed, keep your CMS updated and control who has access.

  6. When creating backups, keep them separate, in a different location from your network and systems, or in the cloud.

  7. When you're out shopping use mobile data or hotspot devices instead of public Wi-Fi where possible.

  8. Don’t advertise when you’re out of the office for your Christmas party. Post the office Christmas party photos (those that are publishable!) after the event. Cybercriminals might try to hack your systems if they know staff are away.

  9. Keep your social media accounts secure by making sure you know which staff members have access and which devices are signed into each account.

  10. Two-factor authentication (2FA) ensures that any new device trying to log in or make account changes needs a second layer of security before access is given. 2FA includes single-use codes being sent via SMS, email, phone, or smartphone application.

  11. Download the NCSC's Cyber Security Guide for Small Businesses for an overview of the basics.

  12. Stay secure when you’re working from home with guidance from the NCSC.

Got a security plan in place but want further support? The Cyber Resilience Centre for the East Midlands can assist you with additional options:

  • Security Awareness Training - the key to security awareness training is to equip all your employees with a level of awareness to combat online threats. Employees need to be taught what clues to look for that indicate threats, and how to respond when they see them.

  • Cyber Essentials - this is a government scheme that helps you make your business more resilient against cyber-attacks. Cyber Essentials includes £25k insurance for SMEs and also immediate access to a helpline to support you in the early stages of a cyber-attack. So there’s someone there for you 24/7/365. To find out more about that process, we have a number of trusted partners who can work with you to achieve the qualification.

Our aim is to lend a hand to SMEs in the East Midlands, so please do get in touch if you want to know more about this or anything cyber-related. Here’s to a peaceful and problem-free Christmas and a Happy New Year!



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to the Suspicious Email Reporting Service. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
