12 Security Checks Your Business Needs Before Christmas

Practical security checklist for SMBs before the Christmas shutdown. Protect your business during the holiday period.

Download Printable PDF Checklist

The Christmas shutdown period is high-risk for business security. Reduced staffing, delayed responses, and distracted teams create opportunities that attackers actively exploit.

This isn’t about fear-mongering. It’s about practical preparation.

We’ve put together 12 security checks your business should complete before everyone heads off for the holidays. Most take less than an hour. All of them reduce your risk over the Christmas period.

If you’re running a business with 10 or more staff, share this with your IT team or IT provider. If you’re managing IT yourself, block a few hours this week to work through the list.

The 12 Checks

1 Multi-Factor Authentication Audit

Why it matters: MFA prevents 99.9% of account compromise attacks (Microsoft’s data, not marketing). Over Christmas, with skeleton staffing and delayed incident response, a compromised account has longer to cause damage.

What to do:

  • List all business-critical systems (email, cloud storage, finance, remote access)
  • Verify MFA is enabled on every account
  • Check for any accounts where MFA was disabled for “convenience”
  • Pay special attention to admin accounts – these are highest risk

Time required: 30-60 minutes

2 Access Review – Leavers and Joiners

Why it matters: Someone left in July. Their email was disabled. But they might still have VPN access, shared drive permissions, or admin rights to your finance system.

What to do:

  • List everyone who left this year
  • Verify they’re removed from ALL systems, not just email
  • Review access for everyone who joined – is their access still appropriate for their current role?
  • Check for “temporary” elevated access that was never revoked

Time required: 1-2 hours depending on team size

3 Backup Verification

Why it matters: “We have backups” and “We have working backups” are very different statements. Ransomware attackers specifically target holiday periods when businesses are understaffed.

What to do:

  • Don’t just check backups are running – test an actual restore
  • Pick a random file or folder, restore it, verify it’s complete and usable
  • Check you have the credentials needed to access backup systems
  • For cloud backups, verify the restore process hasn’t changed since you last tested
  • For on-premise backups, check drives are connected and showing recent dates

Time required: 30-60 minutes

4 Out-of-Office Message Security

Why it matters: Most out-of-office messages reveal too much. “I’m away until January 6th with no access to email. For urgent matters contact Sarah in finance on…” tells a scammer exactly who to target and when.

What to do:

  • Brief staff on secure out-of-office messages before they set them
  • Don’t give exact return dates
  • Say “limited access” not “no access”
  • Point to general contact numbers, not named individuals
  • Don’t mention you’re on holiday – just say “out of office”

Example of a better message:

“I’m out of the office with limited access to email until early January. I’ll respond to messages when I return. For urgent matters, please contact our main office on [switchboard number].”

Time required: 15 minutes to brief the team

5 Gift Card Scam Briefing

Why it matters: CEO fraud attempts spike every December. The pattern: urgent message from “the boss” asking someone in finance to buy gift cards for clients or staff. It’s always fake.

What to do:

  • Brief your team in person or on a call (email isn’t enough for this one)
  • The rule: any request for gift card purchases gets verified by phone call to the requester. Not reply email. Not WhatsApp. Phone call.
  • Make sure anyone with purchasing authority under a certain threshold knows this – scammers stay just under approval limits

Script for your team meeting:

“If you get a message asking you to buy gift cards – for clients, for staff, for anyone – verify it’s genuine before you do anything. Even if it looks like it’s from me. Even if it’s urgent. Verify by phone call.”

Time required: 5 minutes in a team meeting

6 Delivery Phishing Awareness

Why it matters: Your staff are expecting parcels. Work parcels, personal parcels, client gifts. Everyone’s clicking through to track something. That’s exactly what scammers rely on.

What to do:

  • Brief staff: if expecting a delivery, go directly to the courier’s website. Don’t click links in texts or emails.
  • Royal Mail, DPD, Evri – none of them ask for payment details via text for small customs charges
  • This is especially important for staff working from home who are juggling work and personal deliveries on work devices

Time required: 5 minutes in a team meeting or quick email

7 Remote Access Security Review

Why it matters: If your team are accessing systems remotely over Christmas, you need confidence that access is secure. With fewer people around to notice unusual activity, remote access becomes higher risk.

What to do:

  • Audit VPN users – do they all still need access? Are credentials being shared?
  • Check admin accounts have MFA and strong passwords
  • Review third-party access (IT support, software vendors, consultants)
  • Revoke any temporary access that’s no longer needed
  • Verify RDP isn’t exposed directly to the internet

Time required: 1-2 hours

8 Emergency Contact List Update

Why it matters: When something goes wrong over Christmas, your skeleton staff need to know who to call. Not just “IT support” but actual names and mobile numbers.

What to do:

  • Update emergency contact list with current details
  • Include: IT support emergency number, internal on-call contacts, critical suppliers (internet, phones, hosting), key decision-makers
  • Print it out – don’t rely on the shared drive that might be inaccessible during an incident
  • Make sure skeleton staff know where to find it
  • Test the numbers to confirm they’re current

Time required: 30 minutes

9 Shared Password Audit

Why it matters: Someone left three months ago. Do they still know your WiFi password? Your supplier portal login? Your social media accounts?

What to do:

  • List every shared password (social media, shared email accounts, supplier portals, WiFi, alarm codes)
  • Document who currently knows each one
  • Change passwords where ex-staff still have knowledge
  • Plan to change passwords after temporary Christmas staff finish
  • Consider implementing a password manager if you haven’t already

Time required: 1-2 hours

10 Incident Response Plan Check

Why it matters: If something goes wrong on December 27th, does your team know what to do? Who has authority to make decisions when the directors are on a beach somewhere?

What to do:

  • Review your incident response plan (or create one if you don’t have one)
  • Verify it covers: who makes initial assessment, who has decision authority, who gets notified, external contacts (IT support, insurance, legal)
  • Print it out and save it somewhere outside your main network
  • Make sure skeleton staff know it exists and where to find it
  • Check their authority level – can they authorise emergency IT spending?

Time required: 1-2 hours

11 Supplier Access Review

Why it matters: How many third parties have access to your systems? Your IT company, software vendors, web developers, accountants, marketing agencies, former consultants…

What to do:

  • List every external company with system access
  • Check when they last used it
  • Verify they still need it
  • Confirm MFA is enabled on their access
  • Revoke access for anyone who doesn’t need it anymore
  • Update your documentation

Time required: 1-2 hours

12 New Year Security Resolutions

Why it matters: You’ve identified gaps while working through this checklist. Don’t let them get lost in January chaos.

What to do:

  • Document what needs addressing in 2026
  • Assign ownership – who’s responsible for each improvement?
  • Set realistic timescales
  • Allocate budget if needed
  • Schedule quarterly reviews
  • Book time in early January to properly plan implementation

Time required: 30-60 minutes

The Quick Version

For businesses short on time, here are the absolute essentials:

  1. MFA everywhere – especially admin accounts and remote access
  2. Test your backups – actually restore something, don’t just check the logs
  3. Brief staff on gift card scams – 5 minutes could save thousands
  4. Update emergency contacts – print them out, don’t rely on network access
  5. Check out-of-office messages – don’t reveal too much

These five take under 2 hours combined and address the highest risks.

Download the Printable Checklist

Want a printable version to work through with your IT team? We’ve created a one-page PDF checklist you can print out, stick on the wall, or hand to whoever’s managing IT.

Need Help?

If you’re a Liverpool, Wirral, or Cheshire business and want help implementing any of these checks before Christmas, get in touch.

HiltDigital – IT security and support for businesses that want it done properly.