My Black Friday Cybersecurity Wishlist
Black Friday and Cyber Monday always bring bargain buys as consumers hunt for deals to make the upcoming festive season special, but they are also a bonanza for cybercriminals. Attacks spike during the holiday season as cybercriminals take advantage of workers being out of their usual routine and less vigilant than normal. This makes for far from happy holidays for the businesses affected. However, what many organizations don’t realize is that often they already have the tools to protect themselves in their security armory; they just haven’t activated them.
Based on our own data gathered from analyzing exposures arising from misconfigurations in customers’ existing security tool stacks, here is my Black Friday list of the most common controls that organizations already have, that I wish they would use:
1. SSL decryption and URL filtering
Encrypted traffic now makes up the majority of network data, yet many organizations still inspect only a fraction of it. Failing to enable SSL decryption and comprehensive URL filtering leaves blind spots that attackers exploit for command-and-control and data exfiltration.
2. MFA for password resets and device joins
Most companies deploy MFA for logins, but overlook enforcing it during critical recovery and enrolment actions. Attackers are well aware that password resets and device registrations are often excluded from MFA, making this an easily abused identity gap.
3. Conditional access and session controls
Granular identity policies, such as location- or device-based session limits, are often an unused feature in identity and access management consoles. Yet setting maximum session durations and requiring re-authentication on risky sign-ins can significantly reduce exposure from compromised tokens or stale sessions.
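To make points 2 and 3 concrete, here is an added example (not code from the article, and not any identity provider's real policy syntax) that evaluates identity requests against two policies: a typical default that only challenges logins, and a hardened one that also covers password resets and device joins, caps session age, and forces re-authentication on risky sign-ins. The action names, risk levels and the fixed clock are assumptions made for the illustration.

```python
"""Evaluate identity actions against an MFA and session-control policy.

Added example, not the article's code. Policy shape, action names and
risk levels are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class IdentityPolicy:
    # Actions that must carry a completed MFA challenge (assumed action names).
    mfa_required_actions: frozenset = frozenset({"login"})
    # Longest a session token may stay valid before a fresh sign-in is needed.
    max_session: timedelta = timedelta(days=30)
    # Sign-in risk levels that force a fresh interactive authentication.
    reauth_on_risk: frozenset = frozenset()


# Typical default: MFA at login only, month-long sessions, no risk-based re-auth.
DEFAULT_POLICY = IdentityPolicy()

# Hardened policy closing the gaps described in points 2 and 3.
HARDENED_POLICY = IdentityPolicy(
    mfa_required_actions=frozenset({"login", "password_reset", "device_join"}),
    max_session=timedelta(hours=12),
    reauth_on_risk=frozenset({"medium", "high"}),
)

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime(2025, 11, 28, 9, 0, tzinfo=timezone.utc)


@dataclass
class Request:
    action: str               # "login", "password_reset" or "device_join"
    mfa_satisfied: bool       # did this request complete an MFA challenge?
    session_issued: datetime  # when the current session token was issued
    risk: str = "low"         # IdP sign-in risk score (assumed values)


def make_request(action, mfa_satisfied, hours_ago, risk="low"):
    """Build a request whose session token was issued `hours_ago` hours before NOW."""
    return Request(action, mfa_satisfied, NOW - timedelta(hours=hours_ago), risk)


def evaluate(req: Request, policy: IdentityPolicy, now: datetime = NOW) -> str:
    """Return "allow", "require_mfa" or "require_reauth" for one request."""
    # MFA gap: the action is in scope for MFA but no challenge was completed.
    if req.action in policy.mfa_required_actions and not req.mfa_satisfied:
        return "require_mfa"
    # Stale session: the token is older than the policy allows.
    if now - req.session_issued > policy.max_session:
        return "require_reauth"
    # Risky sign-in: the IdP flagged this session as suspicious.
    if req.risk in policy.reauth_on_risk:
        return "require_reauth"
    return "allow"


def compare_policies(req: Request) -> dict:
    """Show how the same request fares under the default and hardened policies."""
    return {"default": evaluate(req, DEFAULT_POLICY),
            "hardened": evaluate(req, HARDENED_POLICY)}


if __name__ == "__main__":
    for r in (make_request("password_reset", False, 1),
              make_request("device_join", False, 1),
              make_request("login", True, 13),
              make_request("login", True, 1, "high")):
        print(r.action, r.risk, compare_policies(r))
```

Under the default policy a password reset or device join with no MFA is simply allowed, which is exactly the gap point 2 describes; the hardened policy turns each into an MFA challenge, and also catches a thirteen-hour-old token and a high-risk sign-in that the default would wave through.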
4. Endpoint custom detections
Endpoint Detection and Response (EDR) platforms ship with powerful detection frameworks, but security teams frequently rely on the vendor’s default configuration. Customized indicator of attack or behavioral rules that are aligned with your environment can catch activity that standard configurations miss, yet they’re among the least-tuned features.
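As an added illustration of point 4 (not the article's code, and not any EDR vendor's rule language), the following runs a generic default rule and two environment-aligned custom rules over a handful of constructed endpoint process events. The role groups, application lists, host names and events are all assumptions; the point is that the custom rules fire on behaviour that is abnormal for this particular environment while the default hash-based rule sees nothing.

```python
"""Default vs environment-specific custom detection rules over sample endpoint events.

Added example, not the article's code. Role groups, process lists,
host names and the sample events are constructed for illustration.
"""

# Constructed environment knowledge: only these accounts administer hosts.
IT_ADMINS = {"alice.it", "bob.it"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe"}
REMOTE_ADMIN_TOOLS = {"psexec.exe", "wmic.exe"}
# Generic blocklist as shipped with a default configuration (placeholder value).
KNOWN_BAD_HASHES = {"PLACEHOLDER_KNOWN_BAD_SHA256"}


def default_rule(ev: dict):
    """Generic vendor rule: alert only when the file hash is already known bad."""
    if ev["sha256"] in KNOWN_BAD_HASHES:
        return "known_malware_hash"
    return None


def custom_rules(ev: dict):
    """Environment-aligned behavioural rules; returns the first rule name that fires."""
    # An office document should never be the parent of a scripting shell here.
    if ev["parent"] in OFFICE_APPS and ev["process"] in SHELLS:
        return "office_app_spawned_shell"
    # Remote administration tooling is expected from IT admins only.
    if ev["process"] in REMOTE_ADMIN_TOOLS and ev["user"] not in IT_ADMINS:
        return "remote_admin_tool_by_non_admin"
    return None


def run_detections(events: list):
    """Return (default_alerts, custom_alerts) as lists of (host, rule) tuples."""
    default_alerts, custom_alerts = [], []
    for ev in events:
        rule = default_rule(ev)
        if rule:
            default_alerts.append((ev["host"], rule))
        rule = custom_rules(ev)
        if rule:
            custom_alerts.append((ev["host"], rule))
    return default_alerts, custom_alerts


# Constructed sample telemetry; hashes are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"host": "WS-IT-01", "user": "alice.it", "parent": "cmd.exe",
     "process": "psexec.exe", "sha256": "PLACEHOLDER_CLEAN_1"},
    {"host": "WS-FIN-02", "user": "carol.finance", "parent": "winword.exe",
     "process": "powershell.exe", "sha256": "PLACEHOLDER_CLEAN_2"},
    {"host": "WS-SAL-07", "user": "dave.sales", "parent": "explorer.exe",
     "process": "psexec.exe", "sha256": "PLACEHOLDER_CLEAN_1"},
    {"host": "WS-HR-03", "user": "erin.hr", "parent": "outlook.exe",
     "process": "excel.exe", "sha256": "PLACEHOLDER_CLEAN_3"},
]

if __name__ == "__main__":
    for label, alerts in zip(("default", "custom"), run_detections(SAMPLE_EVENTS)):
        print(label, alerts)
```

The admin's use of a remote administration tool is expected and produces no alert, while the same tool in the hands of a sales account, and a shell spawned by a word processor on a finance workstation, are caught only because the rules encode what is normal in this environment.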
5. Attachment and file-type blocking in email gateways
Blocking basic extensions, such as .exe and .bat, is an easy win, but modern phishing campaigns grow smarter every day. Now they rely on less obvious vectors, including .rdp and .iso files, or even PDF files with embedded payloads. Fine-tuning attachment blocking based on observed campaigns can stop threats before they reach inboxes.
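Here is an added example of the kind of attachment policy point 5 argues for (not the article's code, and not any email gateway's real rule syntax). It goes beyond the .exe/.bat baseline: it treats any executable suffix anywhere in the name as a block (so double extensions such as invoice.pdf.exe do not slip through), quarantines the less obvious vectors such as .rdp and .iso, holds archives for inspection, and scans PDF bytes for markers of active content. The extension lists, marker list and sample attachments are constructed assumptions.

```python
"""Classify email attachments against a file-type blocking policy.

Added example, not the article's code and not a real gateway's policy
format. Extension lists, PDF markers and sample attachments are constructed.
"""

# Executable content: block outright wherever the suffix appears in the name.
BLOCK_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "pif", "js", "jse",
                    "vbs", "vbe", "wsf", "hta", "msi", "dll", "ps1"}
# Less obvious delivery vectors seen in observed campaigns: hold for review.
SUSPECT_EXTENSIONS = {"rdp", "iso", "img", "vhd", "vhdx", "lnk", "url", "one"}
# Container formats whose contents must be inspected rather than trusted.
CONTAINER_EXTENSIONS = {"zip", "7z", "rar", "gz", "tar"}
# PDF features that carry active or embedded content; plain documents need none.
PDF_ACTIVE_MARKERS = (b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile",
                      b"/OpenAction")


def extensions_of(filename: str) -> list:
    """All dotted suffixes, lowercase: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def classify(filename: str, content: bytes = b"") -> str:
    """Return 'block', 'quarantine', 'inspect' or 'allow' for one attachment."""
    exts = extensions_of(filename)
    if not exts:
        return "quarantine"          # no extension: cannot judge, hold it
    if BLOCK_EXTENSIONS & set(exts):
        return "block"               # executable suffix anywhere in the name
    last = exts[-1]
    if last in SUSPECT_EXTENSIONS:
        return "quarantine"
    if last in CONTAINER_EXTENSIONS:
        return "inspect"             # unpack and classify the contents
    if last == "pdf":
        # A PDF that declares scripts, launch actions or embedded files is held.
        if any(marker in content for marker in PDF_ACTIVE_MARKERS):
            return "quarantine"
    return "allow"


def run_policy(attachments: list) -> dict:
    """Map each (filename, content) pair to its verdict."""
    return {name: classify(name, content) for name, content in attachments}


# Constructed sample attachments; the PDF bytes are minimal stand-ins.
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >>"),
    ("statement.pdf", b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>"),
    ("invoice.pdf.exe", b"MZ"),
    ("remote-desktop.rdp", b"full address:s:example.invalid"),
    ("update.iso", b""),
    ("archive.zip", b"PK"),
    ("README", b""),
    ("photo.JPG", b""),
]

if __name__ == "__main__":
    for name, verdict in run_policy(SAMPLE_ATTACHMENTS).items():
        print(f"{name:22} {verdict}")
```

The marker scan is deliberately crude (a plain substring match over the raw bytes) and will hold some benign PDFs that legitimately use forms or embedded files; that is the trade-off the passage refers to when it says tuning should follow observed campaigns rather than a one-time list.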
These observations stem from our experience in post-incident analysis, where we regularly find that the attack would have been prevented if these tools had been turned on; it’s not a case of having the wrong tools, but rather of having the right tools, wrongly configured.
Why are these controls inactive?
If reading down this list has made you panic about unmanaged risk in your security tool stack, you are not alone. In a world where security architects are responsible for large numbers of tools from multiple vendors, and must keep up with huge volumes of updates, these problems are incredibly common. It isn’t surprising that most solutions are deployed in their default configuration and stay there.
Besides the age-old challenge of not having enough time and resources to ensure every tool is tuned to perfection, several factors contribute to the complexity of the situation.
At the top of the list is the difficulty of gaining full visibility into the cybersecurity environment. Tools often operate in silos, timely data is hard to extract, and interdependencies are often unclear and undocumented. This problem is both created and compounded by a lack of centralized governance for managing security technology deployment and changes.
A lack of visibility and clear governance leads to one of the biggest “silent” security risks: configuration drift. Changes that seem to be simple and straightforward can have unpredictable security impacts that go unnoticed as the environment evolves. Manual review processes often lag behind, allowing an exposure to go unnoticed and providing attackers with a clear window of opportunity.
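Configuration drift is easiest to catch when an approved baseline is written down and compared against a live snapshot on a schedule. The following added example (not the article's code, and not any vendor's configuration schema) does that for the five controls in the wishlist above: it reports every difference, marks which ones are weaker than baseline rather than stricter, and orders the weaker ones by a severity rating so the team knows what to fix first. The control names, the baseline values, the severity table and the live snapshot are all constructed for the illustration.

```python
"""Detect and prioritize configuration drift against a security baseline.

Added example, not the article's code. Control names, values, severities
and the live snapshot are constructed, not any product's real schema.
"""
from typing import Any, Optional

# Approved baseline for the wishlist controls (constructed values).
BASELINE = {
    "ssl_decryption.enabled": True,
    "url_filtering.categories_blocked": ["malware", "phishing", "c2"],
    "mfa.required_actions": ["login", "password_reset", "device_join"],
    "session.max_hours": 12,
    "session.reauth_on_risk": ["medium", "high"],
    "edr.custom_rules_enabled": True,
    "email.blocked_attachment_types": ["exe", "bat", "iso", "rdp"],
}

# Impact if a control is weaker than baseline (constructed rating).
SEVERITY = {
    "ssl_decryption.enabled": "high",
    "url_filtering.categories_blocked": "high",
    "mfa.required_actions": "critical",
    "session.max_hours": "medium",
    "session.reauth_on_risk": "medium",
    "edr.custom_rules_enabled": "medium",
    "email.blocked_attachment_types": "high",
}
SEVERITY_ORDER = ["critical", "high", "medium", "low"]


def compare(key: str, expected: Any, actual: Any) -> Optional[dict]:
    """Describe how `actual` differs from `expected`, or None if they agree."""
    if actual is None:
        return {"key": key, "weaker": True, "detail": "control missing from snapshot"}
    if isinstance(expected, bool):          # checked before int: bool is an int subclass
        if expected == actual:
            return None
        return {"key": key, "weaker": expected and not actual,
                "detail": f"expected {expected}, found {actual}"}
    if isinstance(expected, list):
        missing = [v for v in expected if v not in actual]
        extra = [v for v in actual if v not in expected]
        if not missing and not extra:
            return None
        # Dropping a baseline entry is weaker; adding one is stricter.
        return {"key": key, "weaker": bool(missing),
                "detail": f"missing {missing}, extra {extra}"}
    if isinstance(expected, (int, float)):
        if expected == actual:
            return None
        # For max_* limits a larger value is looser than baseline.
        weaker = actual > expected if key.endswith("max_hours") else True
        return {"key": key, "weaker": weaker,
                "detail": f"expected {expected}, found {actual}"}
    if expected == actual:
        return None
    return {"key": key, "weaker": True, "detail": "value differs from baseline"}


def detect_drift(baseline: dict, current: dict) -> list:
    """Every control whose live value differs from the baseline, tagged with severity."""
    findings = []
    for key, expected in baseline.items():
        finding = compare(key, expected, current.get(key))
        if finding:
            finding["severity"] = SEVERITY.get(key, "low")
            findings.append(finding)
    return findings


def prioritize(findings: list) -> list:
    """Only the weaker-than-baseline findings, most severe first (stable order within a rank)."""
    weaker = [f for f in findings if f["weaker"]]
    return sorted(weaker, key=lambda f: SEVERITY_ORDER.index(f["severity"]))


# Constructed live snapshot showing the kind of drift the passage describes.
LIVE_SNAPSHOT = {
    "ssl_decryption.enabled": False,
    "url_filtering.categories_blocked": ["malware", "phishing"],
    "mfa.required_actions": ["login"],
    "session.max_hours": 720,
    "session.reauth_on_risk": [],
    "edr.custom_rules_enabled": True,
    "email.blocked_attachment_types": ["exe", "bat", "iso", "rdp", "js"],
}

if __name__ == "__main__":
    for f in prioritize(detect_drift(BASELINE, LIVE_SNAPSHOT)):
        print(f"[{f['severity']:8}] {f['key']}: {f['detail']}")
```

The extra blocked attachment type in the snapshot is reported as a difference but not as a weakness, so it never reaches the remediation list; the MFA scope shrinking back to logins alone sorts to the top. Running this against a nightly export of each console is the cheap version of the manual review the passage says tends to lag behind.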
Tension between operational and security teams can also be a blocker. There may be a clear security case for expanding MFA to cover more user interactions, as I described in point 2, but if the operational team believes this will negatively impact user experience, they may push back on the request to implement, creating friction between two teams that are both just trying to do their job. This is especially true if there is a perception that the configuration change will be difficult or time-consuming to implement.
It isn’t hard to see how the above factors contribute to a cascade of complexity. They make the job of optimizing cybersecurity a task similar to painting the Golden Gate Bridge – no sooner have you finished than you need to start again back at the beginning. Few organizations have the resources required to succeed using manual processes alone, which is where dedicated AI agents promise to make a major difference. These agents undertake the heavy lifting of analyzing cybersecurity tool stacks, identifying misconfigurations, drift, or underutilized tools, and prioritizing the necessary changes to reduce exposure. They’ll also provide context around each weakness identified, sharing its security value, impact on users, and the operational burden of making the change, helping smooth the path to remediation.
This Black Friday, get ahead of cybercriminals by activating the tools you already own. From MFA and anti-phishing to encrypted traffic monitoring and custom detections, the key to success lies in the correct configuration. And when you are ready to take things to the next level with a continuously optimized environment, I advise exploring how AI agents can act as a force multiplier for your security team by identifying, prioritizing, and even fixing exposures… faster than humanly possible.