If you work in an office, chances are you and your coworkers have played Secret Santa at some point during the holidays. Every year between Thanksgiving and Christmas, colleagues participate in this game to boost their morale and strengthen interpersonal connections¹. However, your office’s Secret Santa is far from a secure environment. For example, your coworkers may wish to steal gifts that you have purchased for your chosen recipient, or you might claim a colleague’s intended gift as your own. Additionally, with cybersecurity threats and vulnerabilities growing faster than evergreen branches, organizations worldwide have begun implementing zero-trust principles and practices for enhanced security². In this article, we will explain best practices for organizing a festive, secure, and predictably awesome Secret Santa this holiday season.
(Image courtesy of https://www.drawnames.com/secret-santa-office-party)
When organizing your office’s Secret Santa, you can go the old-fashioned route and randomly select names out of a hat, but a more modern approach would entail calling, emailing, or texting your coworkers their designated giver and/or recipient names after creating a top-secret list of who is assigned to whom³. Here is where the zero-trust part kicks in. After making your list in Word or Excel and preferably checking it twice, you must utilize a blockchain application to ensure that it is created and stored properly⁴.
Compiling a list matching your office’s Secret Santas to their designated recipients is essential, but what if you accidentally delete this file, or a disgruntled colleague deletes it maliciously? If the data in your Secret Santa gift list is breached, the consequences can be disastrous, or even terminal for smaller companies⁴. Consider that the average data breach worldwide costs $4.45 million, according to IBM, and the average U.S. data breach a staggering $9.48 million⁵. Keep in mind, too, that 60 percent of all small businesses must close their doors forever within six months if they are attacked⁶. In short, you need a zero-trust policy in place to keep malicious parties from infiltrating your business’s sensitive files – including the Secret Santa list.
Additionally, when creating the Secret Santa list, you may be tempted to do so on your smartphone, be it on your phone’s proprietary note-taking app, Google’s Keep Notes, or Google Docs⁴. However, utilizing a mobile device to track office gift-giving and receiving poses even more risks for your business’s security⁴. According to Kiersten Todt, the Cyber Readiness Institute’s managing director, “There is technology that exists that encrypts not just messaging but video, phone, etc., and that’s where we have to go”⁴. Consider downloading an encrypted messaging and calling app like Signal, an encrypted email app such as ProtonMail, and a file encryption app like CoverMe to protect your Secret Santa list and other sensitive business files from theft⁷. In summary, data encryption is paramount for ensuring your office’s Secret Santa is secure.
(Image courtesy of https://www.howtogeek.com/howto/33949/htg-explains-what-is-encryption-and-how-does-it-work/)
Zero-trust security models encrypt your data both at rest and in transit before moving it to cloud-based storage⁸. Even if the data in your company’s Secret Santa list is breached, no one can read it except you and your intended recipients⁸. Additionally, returning to mobile security risks, Todt says, “You can no longer absolve yourself of responsibility in the tech space if you’re using a phone to do anything”⁴. Just as lack of compliance on Santa’s part would spell disaster, you will find yourself in trouble if you fail to take appropriate precautions in creating and storing your Secret Santa list⁴.
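One concrete way to get the at-rest property described above (the list is unreadable to anyone but the intended person), as an added example that is not code from the original post or from Navitend: each giver's entry in the Secret Santa list is encrypted with AES-GCM under that giver's own 32-byte key, so a copied list file reveals no assignments, and a wrong key or a modified entry fails to decrypt. It assumes a key has already been generated for and handed to each participant; key distribution is outside this snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// aead builds an AES-GCM cipher for one participant's key (16, 24 or 32 bytes).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one giver's recipient name under that giver's own key. The
// random nonce is prefixed to the ciphertext and GCM authenticates the entry,
// so anyone who copies the stored list can neither read nor quietly alter it.
func Seal(key []byte, recipient string) ([]byte, error) {
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, []byte(recipient), nil), nil
}

// Open reverses Seal; the wrong key or a tampered entry fails authentication.
func Open(key, entry []byte) (string, error) {
	g, err := aead(key)
	if err != nil {
		return "", err
	}
	ns := g.NonceSize()
	if len(entry) < ns {
		return "", errors.New("entry too short")
	}
	pt, err := g.Open(nil, entry[:ns], entry[ns:], nil)
	return string(pt), err
}
```

Store only the sealed entries (and the givers' names as lookup keys); the organizer keeps no plaintext copy of who drew whom.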
Once you know all your designated Secret Santas and recipients, you must then craft guidelines for purchasing the gifts themselves. One best practice is to establish a price limit for every gift. For example, you should keep the cost of your colleague’s Secret Santa gift under $25¹. Why $25, you ask? According to etiquette expert Maggie Oldham, the $25 limit is neither “too small where you’re getting someone a junk gift” nor “too large where it might put someone out of their budget,” especially if that budget is tight¹. On a related note, you may be tempted to splurge on gifts for close friends, but you should keep your Secret Santa gift within the designated price limit regardless¹. Furthermore, you must not purchase too inexpensive a gift, either. Buying a $5 item when the price limit is $25 will only sully your reputation¹. In short, establishing proper gift-buying rules will help you and all your colleagues keep your respective bank accounts and reputations intact.
Finally, while you can conduct the office Secret Santa under a zero-trust model, you must conduct a risk assessment before implementing your plan⁴. Treat this like any other security initiative for your business, be it installing new Sophos firewalls as we described in a previous article, or a data loss prevention (DLP) system like those we highlighted in a different article⁴. Although hackers and other malicious actors lurk across the dark web, the chances of them stealing your Secret Santa list and gift purchase-related credit card information are slim⁴. Now ask yourself if the risk is “truly high enough to merit the investment” in a zero-trust system for your business⁴.
The answer is simple: it is. While chances are your Secret Santa list and gift-buying information such as emailed transaction summaries will not be exposed in a data breach, you must still clearly identify your business’s sensitive data and protect it from any such exposure². Then, and only then, can you guarantee a festive, secure, and predictably awesome office Secret Santa this holiday season.
Navitend can help you. Call 973.448.0070 or set up an appointment today.
Sources:
¹Entrepreneur. “The Do’s and Don’ts of the Office Secret Santa” by Lisa Evans. Retrieved from https://www.entrepreneur.com/growing-a-business/the-dos-and-donts-of-the-office-secret-santa/253819.
²CSO Online. “Five Best Practices for Implementing Zero Trust” by Megha Kalsi and Jon Medina. Retrieved from https://www.csoonline.com/article/3656800/five-best-practices-for-implementing-zero-trust.html.
³Elfster. “What Is Secret Santa? Rules for How to Play a Secret Santa Gift Exchange Online.” Retrieved from https://www.elfster.com/content/secret-santa-rules/.
⁴Informa PLC. “Santa and the Zero-Trust Model: A Christmas Story” by Curtis Franklin. Retrieved from https://www.darkreading.com/edge-articles/santa-and-the-zero-trust-model-a-christmas-story.
⁵IBM Security. “Cost of a Data Breach Report 2023.” Retrieved from https://www.ibm.com/downloads/cas/E3G5JMBP.
⁶Cybersecurity Ventures. “60 Percent of Small Companies Close Within 6 Months of Being Hacked” by Robert Johnson III. Retrieved from https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/.
⁷Digital Guardian. “15 Free Mobile Encryption Apps to Protect Your Digital Privacy” by Nate Lord. Retrieved from https://digitalguardian.com/blog/15-free-mobile-encryption-apps-protect-your-digital-privacy.
⁸Encryption Consulting. “Zero Trust Security.” Retrieved from https://www.encryptionconsulting.com/education-center/zero-trust-security/.