TL;DR
- Year-end is peak season for phishing, fraud, and opportunistic attacks, especially with distracted teams and holiday schedules.
- Simple habits like updating passwords, enabling MFA, patching devices, and backing up data dramatically reduce personal and organizational risk.
- Extra care with links, social media, home/public Wi-Fi, and app permissions helps shrink your attack surface during heavy online activity.
- Encrypting devices, monitoring financial accounts, and doing periodic security cleanups make incidents easier to contain and recover from.
- Long term, staying curious and investing in ongoing learning turns these habits into a stronger security career and culture.
The end of the year is a strange mix of busy and quiet. Projects are wrapping up, people are traveling, inboxes are full of shipping alerts and sales emails, and security teams are juggling staff vacations with steady alerts.
Attackers know this.
Holiday periods often bring an uptick in phishing, fraud, and opportunistic attacks. The good news is that a handful of simple habits can dramatically reduce the risk for you, your family, and your organization.
To help you close out the year on a strong note, here are Cybrary’s 12 Days of Cyber Smarts. Use them as a daily checklist, a team challenge, or a reminder to reset your own personal security baseline.
Day 1: Update critical passwords and turn on MFA
If you only do one thing this season, start here.
Focus on the accounts that would hurt most if they were compromised:
- Primary email accounts
- Identity providers (Google, Apple, Microsoft)
- Banking and investment accounts
- Work accounts and admin portals
Change any password that is reused, weak, or old. A strong password is long, unique, and hard to guess. Phrases work well because they are easier to remember and still difficult to crack.
Then turn on multi-factor authentication (MFA) wherever it is available. Use an authenticator app or hardware key when you can, and SMS as a fallback. MFA will not stop every attack, but it adds a meaningful extra hurdle for anyone trying to log in as you.
Day 2: Patch your devices
Unpatched systems are one of the most common ways attackers gain a foothold. Many high-profile breaches started with a missing update that had been available for weeks or months.
Take time to:
- Run system updates on your laptop and desktop
- Update your phone and tablet to the latest stable version
- Update browsers, password managers, and critical apps
If you manage systems at work, confirm that your normal patch schedule will continue to run during the holidays and that someone is responsible for reviewing and approving urgent fixes. A quiet week is not the time to relax patching.
Day 3: Back up your data
Hardware fails. Devices get lost. Ransomware still happens. A recent backup turns all of those from disasters into annoyances.
For personal devices, aim for a simple “3–2–1” style approach:
- At least three copies of important data
- Stored on two different types of media
- With one copy offsite or in the cloud
Use built-in tools like Time Machine, File History, or cloud backup services, and let them run on a schedule. For workstations and servers, confirm that backups are recent, protected from tampering, and tested. A backup that has never been restored is a backup you cannot trust.
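One way to run the restore test described above, as an added example that is not part of the original checklist: restore a backup to a scratch folder, then compare SHA-256 hashes of every file against the source. The folder layout and file names in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def tree_hashes(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests

def verify_restore(source, restored):
    """Compare a restored tree with its source and report every difference."""
    src, dst = tree_hashes(source), tree_hashes(restored)
    return {
        "missing": sorted(set(src) - set(dst)),        # never made it into the backup
        "changed": sorted(k for k in src.keys() & dst.keys() if src[k] != dst[k]),
        "unexpected": sorted(set(dst) - set(src)),     # in the restore but not the source
    }

def demo():
    # Constructed sample: a source folder and a restore that lost one file
    # and truncated another.
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        for root in (src, dst):
            (root / "docs").mkdir(parents=True)
        (src / "docs" / "taxes.txt").write_text("2024 return")
        (src / "photos.idx").write_text("img001,img002")
        (src / "notes.txt").write_text("router admin notes")
        (dst / "docs" / "taxes.txt").write_text("2024 return")
        (dst / "photos.idx").write_text("img001")      # truncated during backup
        return verify_restore(src, dst)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Files edited after the backup ran will also show up under "changed", so run the comparison against a folder that has not been modified since the backup was taken.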
Day 4: Use a password manager
Trying to invent and remember dozens of unique passwords is not realistic. That is why so many people reuse the same few passwords across accounts, which is exactly what attackers rely on.
A password manager stores your credentials in an encrypted vault and fills them in for you. Once you set it up, you only need to remember one strong master password. Everything else can be long, unique, and random.
Start by saving the passwords for your most important accounts, then gradually add others as you log in. Over time you will replace weak or reused passwords without feeling overwhelmed.
For teams, an enterprise password manager helps:
- Reduce the sharing of credentials in chat or email
- Offboard users cleanly
- Enforce policies for password length and uniqueness
Day 5: Verify links before you click
Holiday messages blur together. Shipping notices, sales promotions, year-end alerts, and charity requests all compete for attention. Attackers use the same channels and rely on quick clicks.
Slow down slightly and build a simple habit:
- Hover over the link to see where it really leads.
- Check the sender address carefully, not just the display name.
- When in doubt, go directly to the website in a new tab instead of clicking the link.
Teach this habit to your family and to non-technical colleagues. It is one of the easiest ways to prevent credential theft and malware infections.
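The two checks above (where a link really leads, and the sender address versus the display name) can also be automated for a mailbox triage script. This is an added example, not part of the original checklist; the brand table, domains, and message are constructed, and `base_domain` is a simplification.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Finds a domain written in visible link text, e.g. "https://shop.example/track".
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # collects (visible text, href) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def check_message(from_header, html_body, known_brands):
    findings = []
    display, addr = parseaddr(from_header)
    sender = base_domain(addr.rsplit("@", 1)[-1])
    for brand, domain in known_brands.items():
        if brand.lower() in display.lower() and sender != domain:
            findings.append(f"sender: display name claims {brand}, address is at {sender}")
    collector = LinkCollector()
    collector.feed(html_body)
    for text, href in collector.links:
        host = urlsplit(href).hostname or ""
        shown = DOMAIN_RE.search(text)
        if shown and base_domain(shown.group(1)) != base_domain(host):
            findings.append(f"link: text shows {shown.group(1)}, href goes to {host}")
    return findings

# Constructed sample message (reserved .example/.test names, not real traffic).
BRANDS = {"Parcel Express": "parcel-express.example"}
FROM = "Parcel Express Support <notify@parcel-express.delivery-update.example>"
BODY = ('<a href="https://parcel-express.example.tracking-login.test/verify">'
        'https://parcel-express.example/track</a> '
        '<a href="https://www.parcel-express.example/help">help center</a>')
print("\n".join(check_message(FROM, BODY, BRANDS)))
```

Both findings come from the same trick: the trusted name appears at the left of the hostname, while the domain that actually receives the traffic is on the right.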
Day 6: Lock down social media
Social profiles can reveal far more than you intend. Vacation photos, workplace details, and personal milestones can all be used for social engineering, password guessing, or targeted phishing.
Take ten minutes on each platform you use and:
- Review who can see your posts, friends list, and profile details
- Remove or hide information that is not necessary
- Turn on login alerts so you are notified of new sign-ins
- Consider limiting who can message you or tag you publicly
This is especially important for anyone in sensitive roles, such as finance, executives, or system administrators. The less someone can learn about you from a quick search, the harder you are to impersonate.
Day 7: Secure your home Wi-Fi
Home networks now carry personal, work, and smart-home traffic. A weak Wi-Fi configuration can expose all of it.
Log in to your router’s management page and check:
- Network name and admin password. Change default values to something unique.
- Security mode. Use WPA2 or WPA3. Avoid older options like WEP.
- Guest network. Enable a guest network for visitors and untrusted devices, and keep it separate from your main network.
- Firmware updates. Apply any available updates from the vendor.
If you work from home, treat your router like part of your office environment, not just another appliance.
Day 8: Be cautious with public Wi-Fi
Airports, cafes, hotels, and conference centers often provide convenient Wi-Fi. They also create opportunities for eavesdropping, spoofed networks, and rogue hotspots.
If you must use public Wi-Fi:
- Avoid logging into banking, payroll, or other highly sensitive sites
- Prefer mobile data for anything involving financial or work systems
- Use a reputable VPN to encrypt your traffic when possible
Remember that “free Wi-Fi” is not a guarantee of safety. The safest option for sensitive work is still a trusted network you control.
Day 9: Monitor your financial accounts
The holiday shopping season is prime time for fraud. Attackers test stolen cards with small purchases, or use account credentials harvested earlier in the year.
Take a few minutes to:
- Turn on transaction alerts for your bank and credit cards
- Review recent statements for unfamiliar charges
- Confirm your contact details are correct so alerts reach you
If you see something that looks off, report it quickly. Financial institutions are much more effective at stopping fraud when they hear about it early.
Day 10: Clean up unused apps and permissions
Old apps and forgotten authorizations quietly expand your attack surface. Each unused account is another place for a password to be reused or a vulnerability to appear.
On your devices:
- Remove apps you have not used in months
- Revoke permissions for apps that do not need access to your camera, microphone, or location
In your online accounts:
- Review “connected apps” or “third-party access” pages
- Remove tools and services you no longer use
For organizations, periodic access reviews help confirm that contractors, former employees, and old integrations are not lingering with more access than they should have.
Day 11: Enable device encryption
If a laptop or phone is lost or stolen, full-disk encryption can prevent your data from being browsed by whoever finds it.
Most modern devices support encryption:
- Windows: BitLocker (on supported editions)
- macOS: FileVault
- iOS and Android: built-in encryption when a passcode is set
Confirm that encryption is turned on and that you have a secure passcode, PIN, or password. For work devices, check that encryption is enforced through your organization’s policies and that recovery keys are stored securely.
Day 12: Stay curious and keep learning
Security is not a one-time project. Threats evolve, tools change, and your environment will look different a year from now than it does today.
The most effective professionals and teams share one trait: they keep learning.
That might mean:
- Working through a new course on cloud or network security
- Practicing in hands-on labs instead of only reading about attacks
- Joining a study group or internal brown-bag session
- Mapping your skills to a role and building a clear development plan
If you are ready to turn that curiosity into a structured path, Cybrary’s IT and Cybersecurity Foundations career path is a strong starting point. It covers core concepts across networking, security fundamentals, and real-world tools, and it gives you a framework for long-term growth.
Bringing It All Together
None of these twelve habits are complex. Taken together, they create a meaningful layer of protection for you and your organization:
- Accounts are harder to break into
- Devices are better protected and easier to recover
- Data is backed up, encrypted, and monitored
- People are more aware of the tactics attackers rely on
Use this checklist with your team as a simple end-of-year tune-up. Share it with friends and family who ask you for “that one quick security tip.” And if you are responsible for a broader security program, treat these steps as a reminder of how much impact basic hygiene can have.
If you are ready to build deeper skills and help your organization move beyond the basics, explore how Cybrary can support you with structured paths, labs, and role-based training.
Stay cyber smart, and enjoy a safe, secure holiday season.





