Hackers are getting better at what they do.

For years we have warned of hacktrepreneurs – part hacker, part entrepreneur. Now, sadly the reality is these individuals have grown to the point where they have corporations – just like legitimate entrepreneurs.

The U.S. Justice and Treasury departments took action last week against a Russian hacking group known as “Evil Corp.,” which stole “at least” $100 million from banks using malicious software that swiped banking credentials, according to a joint press release.

Moreover, we know Iran has been hacking U.S. corporations. Before this happened, the U.S.-based Stuxnet virus infected their nuclear centrifuges causing them to spin out of control.

In response, Iran has attacked a Dam in Rye, New York as well as financial institutions and more recently IoT devices – rendering them useless.

Holiday time is supposed to be a time of cheer where people exchange electronic and paper cards with one-another.

Typically, people let their guard down.

The challenge is, hackers know this and use the holidays against unsuspecting users.

Once click can lock up an entire computer network and hold an organization for ransom.

One example comes from StarTribune:

The e-mail looked legitimate, so Danielle Radin clicked on the link it contained, expecting to have her products included in a holiday gift guide.

“I instantly regretted it,” says Radin, owner of Mantra Magnets, a website that sells wellness products. “It took me to some random website that looked like those pop-ups telling you that you’ve won the lottery.”

Within days of that click three weeks ago, Radin began getting notifications that people in Ecuador, China and elsewhere were trying to access her e-mail account. She wasn’t surprised; she knew her San Diego-based small business had been the target of a phishing scam.

Your workers need to understand the phishing threat increases around the holidays and they need to be prepared for it.

Only education can ultimately keep organizations safe.

How do you stay secure or at least drastically reduce the risk? Follow these three steps to start:

1) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.

2) Go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360; are all great. This is needed to train workers by testing them without their knowledge by sending real-looking emails to their inboxes. If they click, they are immediately trained on what not to do.

3) We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined