IT’s the Season for Cyber Hygiene: Secure Your Business Over Summer

The holiday season (especially in Australia when the Ashes are on!) is a natural time for businesses to pause, but cyber risks and threat actors don’t take time off (perhaps they don't follow cricket?).

Being proactive and deliberate with your preparation for the slowdown period will minimise the opportunity for exploiting of vulnerabilities during this period when staffing is limited and operations slow down.

Holiday downtime changes how you face risk. 

Doors and windows matter. So do passwords, firewalls and wifi!

To stay secure over summer, you need both physical and cyber hygiene working together.

Physical v's online risk at holiday time

When people leave the office, physical risks increase. Empty buildings attract break-ins, theft of devices, and tampering with networking gear or cabinets. At the same time, online threats spike, with more phishing, remote access attacks and account takeovers while IT teams run on skeleton staff.​

Think of it this way:

• Physical risk focuses on who can reach your premises, hardware and printed information.​
• Cyber risk focuses on who can reach your systems, data and accounts from anywhere in the world.​

Your holiday cyber hygiene plan should explicitly address both sides and how they interact.

Physical gaps increase cyber exposure

Physical and online worlds meet at your devices, network equipment and shared spaces.  If someone can walk into your site or access an unattended laptop, they may not need to “hack” your systems at all.​

Key physical weaknesses that quickly turn into cyber incidents include:

• Unlocked offices and comms rooms where attackers can plug into the network or steal equipment holding sensitive data.​
• Laptops, tablets or phones left on desks, in cars or hotel rooms without full-disk encryption and strong login protection.​
• Passwords on sticky notes, printed reports and whiteboards visible through windows or to cleaners, visitors and contractors.​
• Network gear and Wi‑Fi access points accessible from public areas, allowing reset, tampering or rogue device connection.​

We recommend starting your pre-holiday time with a full security audit, for both cyber and physical risks.

Cyber Risks

• Focus on system updates and patch management to close known vulnerabilities.
• Confirm that antivirus and endpoint security software is current and functioning across all devices and servers.
• Limit exposure by disabling or tightening remote access where possible.
• Remove temporary or inactive user accounts and ensure privileged access is restricted to essential personnel only.
• Schedule automatic offsite backups before shutting down operations, and verify their integrity to ensure data can be quickly recovered if a breach or failure occurs.

Physical Risks

• Lock down the building before you leave for the season. Check doors, windows, alarms, cameras and lighting before the break. Confirm security patrols or checks with landlords or property managers.
• Secure IT spaces by locking comms rooms and cabinets. Restrict keys and access cards to a short list of authorised staff over the break.​
• Enforce device controls by turning on full‑disk encryption, requiring strong logins and time‑outs, and mandating that unattended devices are locked away, not left visible.​
• Clear the open space of any printed reports, notebooks and visible passwords from desks and meeting rooms before staff go on leave.​

Microsolve’s existing cyber hygiene guidance on patching, backups, account clean‑up and remote access control becomes even stronger when paired with these physical basics.

We've made an easy Cyber Security Holiday Checklist that you can download and use when preparing your systems.

  ​

Reducing Risk During Staff Absences

With staff taking leave, and peoples minds pre-occupied with more festive thoughts, the risk of overlooked alerts or unreported incidents increases. It's crucial to establish clear out-of-office communication plans, including updated contact lists for IT response teams who remain on duty. Share incident response protocols widely so employees know exactly how to report suspicious activity or emergencies during this time.

Implement multi-factor authentication to protect critical systems from unauthorised access. During this time, it's also highly recommended you restrict administrative privileges to a minimal number of trusted users to reduce insider risk. Consider deploying network monitoring tools that alert security teams to unusual activity automatically.

Regularly educate staff on holiday-specific cyber threats, such as phishing campaigns leveraging seasonal greetings, charity requests or fake delivery notifications. Reinforce the importance of vigilance, even when workload is light, so employees act as a strong line of defence against cyber threats.

Social media, presence and privacy

Holiday posts can create physical and cyber openings at the same time. Publicly sharing that offices are closed or staff are overseas can signal opportunity to both thieves and cyber attackers.

Whilst it may be fun to post about your holiday plans, staff should be reminded to be weary of over-sharing online about office closures, travel plans or posting photos that reveal access badges, building layouts or any whiteboard content.

Other messages to tell your staff before the office closes, or they go on leave include:

• Set social media expectations: encourage staff to keep travel details and office closure specifics private or shared only with trusted contacts.​

• Tidy out‑of‑office messages: keep replies simple, avoid listing full internal structures or supplier names, and direct unknown senders to a shared mailbox rather than individuals.​

• Reinforce phishing awareness: remind staff that attackers use holiday‑themed emails, fake delivery notices and charity requests to exploit the extra information they find online.​

Best Remote Work Practices Over the Holidays

We know that many employees continue working remotely during holidays or access corporate resources from holiday destinations, which pose additional security challenges. Common risks include:

1. Using personal or shared devices for work without proper security, leaving business data on family computers or shared tablets.​

2. Working in public places where others can see screens or “shoulder surf” credentials.​

3. Leaving laptops or phones unattended in cafés, cars or hotel rooms, which can lead to both data theft and account compromise.

 With this in mind, here are our top tips for best remote work practices over the holidays:

1. Standardise equipment: provide managed, encrypted devices for remote work and make it clear staff must not use family or shared devices for business access.​

2. Protect the connection: require VPN for any access from outside your network, and discourage use of open public Wi‑Fi unless it’s secured with a trusted hotspot or VPN.​

3. Control the workspace: remind staff to work where screens are not easily visible to others and to lock devices whenever they step away.​

4. Travel guidance: publish a simple “working while travelling” checklist that covers carrying devices in hand luggage, hotel safe use and avoiding shared business centres.

Here are some further recommendations and tips: 

• Disable local admin rights to prevent malware installation.
• Remind employees to keep software and security patches up to date, and to avoid using personal email or messaging platforms for work communication.
• Use cloud collaboration tools with robust access controls and activity logging to maintain security transparency.
• Promote secure password practices and encourage the use of password managers to reduce the likelihood of credential theft.
  

Microsolve’s remote work tips on VPNs, endpoint protection, cloud collaboration tools and password managers align well with these physical controls and can be linked as your managed services option.

Holiday planning for any size organisation!

Different-sized organisations should approach physical–cyber integration in ways that match their capacity, while still aligning with Microsolve’s cyber hygiene checklist and managed services.​

Aa an absolute minimum:

• Nominate a single “holiday security owner” responsible for locking up, checking alarms and confirming backups and updates are complete.​
• Use simple checklists that cover both building and IT tasks, including shutting down or securing unused equipment and confirming offsite backups.​
• Lean on external partners like Microsolve for managed security monitoring when internal staff are away.​

When multiple sites are in play, or your team have varied operational hours and responsibilities over the break:

• Run a joint pre‑holiday review between facilities, HR and IT to align physical access, leave schedules and system monitoring.​
• Tighten access just for the holiday period, reducing building, system and admin rights to essential staff only, then restoring after the break.​
• Test incident response and contact trees with a short exercise that includes both a physical break‑in scenario and an after‑hours cyberattack.​

When you have specific security/infrastructure compliance and regulation requirements the following need to be on your to-do list:

• Treat the holiday window as a defined risk period with elevated monitoring, 24/7 alerting and clear escalation paths that cover both physical and cyber incidents.​

• Align building access systems, visitor management and network access controls so physical badges, Wi‑Fi, VPN and application access all follow the same least‑privilege rules.

• Use data from previous years such as incident logs, phishing reports and alarm activations to refine a standing “holiday hardening” plan for cyber hygiene and physical controls.​

Microsolve can embed these steps into a broader cyber security roadmap, linking technical controls, staff training and facilities processes under a single, practical plan.

By treating cyber hygiene as an essential part of holiday preparation, businesses can safeguard their systems, data, and reputation during this high-risk period. Discipline in pre-holiday security steps, clear communication during staff absences, and vigilant remote work policies combine to create a resilient defense no matter where the season takes your team.