5 tips for secure IT during the Christmas holidays

So the company is protected, even when you are on vacation.

How to secure your company's IT during the Christmas holidays

Christmas is approaching, the calendar is full, and soon the office will be half empty with auto-replies and turned off screens.
But when employees go on vacation, IT threats don't.

If you want to go on Christmas vacation with peace of mind, also in terms of IT, it requires a little more than antivirus and a firewall “that usually works fine.” Here you will find a simple and practical guide on how to secure your company's IT during the holidays.

Get help with IT security

Why holidays are extra vulnerable

During holiday periods there are typically:

  • Fewer people keeping an eye on the systems

  • Longer reaction time if something looks wrong

  • More people working from home or from insecure networks

  • Human errors can quickly occur when everyday life is replaced by Christmas presents, appointments and family time.

This makes holidays an ideal time for attacks, errors, and crashes.
“It’s okay” is not a strategy.

1. Monitoring and alarms - who is watching?

Before you close down for the Christmas holidays, you should make sure that:

Monitoring is running actively

  • Logging from servers, networks and critical systems

  •  Alarms for unusual activity (login attempts, traffic, CPU load, etc.)

Alarms go to the right place

  • Who gets notified by email, SMS or app if something looks wrong?
  • Are there holiday guards on duty, or do the alarms end up in a shared inbox that no one checks?

You have tested that it works.

  •  Make a test alarm before the holidays: Will it go off? And will it be responded to?

Ask yourself: “If something goes wrong on Christmas Day at 1:03.12 AM, will we even notice?”

2. Access control: Who can enter and how?

When many people work from home leading up to the holidays – and few are on duty during the holidays – it is extra important to have control over access.

At a minimum, review:

VPN and remote access
– Does everyone who has access have need for den?
– Are there accounts that should be temporarily closed during the holidays?

MFA (two-factor login)
– Is it enabled on all critical systems (mail, ERP, CRM, remote desktop, etc.)?
– If not, it is one of the most important measures you can take to get it in place.

Old and temporary users
– Do former employees still have active logins?
– Are temporary consultant accounts disabled?

Systems that should not be accessible from the outside
– Are there servers or systems that should only be accessible internally during the period?
– Consider temporarily closing unnecessary access and services.

3. Backup and recovery: Can you recover quickly?

Backup is good.
Backups that are tested and can be restored quickly are better.

Before the Christmas holidays you should:

  • Check that backup actually running (no errors in logs)

  • Ensure that backups are separated from the environment they protect (so they don't get caught in an attack)

  • Make one test-recreation of at least one critical system or database

  • Know the answer to:
    – How much data can we tolerate losing (hours/days)?
    – How long does it realistically take to recreate a system?

The goal is not perfection, but that you can explain to management:
“If something goes wrong, we can recreate X in about Y time.”

4. Emergency plan: Who does what - and when?

A small, concrete emergency plan makes a huge difference if something goes wrong.

It does not have to be a 40-page document, but should at least contain:

  • Contact list
    – Who is contacted first (IT manager, external partner, management)?
    – Telephone number and email – also privately, if agreed.

  • Priority on systems
    – Which systems should always be up first (e.g. email, ERP, production systems)?
    – What can wait until after the holidays, if necessary?

  • First steps in case of an incident
    – When do you turn off access to a system?
    – When will you inform management and possibly customers?

Keep the plan where people can actually find it, not just in an intranet that might be down when you need it.

5. During the holidays: Minimal staffing – maximum effect

You don't need to have full IT preparedness throughout Christmas, but you should have:

  • A clear watch arrangement
    – Who is on duty on which days?
    – What is expected of that person (active monitoring or “on call”)?

  • Agreement on external help if things get serious
    – Do you have a partner who can help if an attack or breakdown exceeds your own resources?
    – Do they know your environment, or do they first need to get to know it in the middle of a crisis?

Short checklist: Are you ready for the Christmas holidays?

You may want to use this list at your next meeting:

  • Monitoring and alarms have been reviewed and tested
  • Clear duty schedule and responsibilities during the holidays
  • Access rights and VPN have been cleaned up and tightened
  • MFA is enabled on all critical systems
  • Backup is tested including restoration
  • A brief emergency plan has been updated and shared
  • Any external partner is informed and ready to help if needed

If you can tick most of the above, you are better off than many other companies.

Do you want peace of mind – even after Christmas?

IT security during the holidays is not about painting the devil on the wall, but about taking the most obvious risks seriously, in a practical and manageable way.

At RAW IT, our IT consultants work daily to:

  • Monitor and secure customers' IT environments

  • Advise on specific measures before holiday periods

  • Assist when incidents occur that require a quick and qualified response

If you are unsure how well your business is secured for the Christmas holidays, the next step is simple:

Have a non-binding dialogue with us about your current setup and risks - and we will help you get a concrete plan that gives you peace of mind.

Book a review of your IT security