惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
L
LINUX DO - 最新话题
Recorded Future
Recorded Future
月光博客
月光博客
博客园 - 【当耐特】
博客园 - 叶小钗
宝玉的分享
宝玉的分享
量子位
雷峰网
雷峰网
博客园 - 三生石上(FineUI控件)
The Cloudflare Blog
Vercel News
Vercel News
L
LangChain Blog
B
Blog
Y
Y Combinator Blog
爱范儿
爱范儿
GbyAI
GbyAI
S
Security @ Cisco Blogs
T
The Blog of Author Tim Ferriss
A
About on SuperTechFans
博客园 - Franky
P
Palo Alto Networks Blog
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
云风的 BLOG
云风的 BLOG
C
Cisco Blogs
Scott Helme
Scott Helme
I
Intezer
T
The Exploit Database - CXSecurity.com
MyScale Blog
MyScale Blog
T
Tor Project blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Troy Hunt's Blog
N
News and Events Feed by Topic
大猫的无限游戏
大猫的无限游戏
F
Fortinet All Blogs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
S
Security Affairs
Cyberwarzone
Cyberwarzone
PCI Perspectives
PCI Perspectives
小众软件
小众软件
D
DataBreaches.Net
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Know Your Adversary
Know Your Adversary
Forbes - Security
Forbes - Security
S
Securelist
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
C
Cyber Attacks, Cyber Crime and Cyber Security
The Last Watchdog
The Last Watchdog

The Duo Blog

Duo + PlainID: Dynamic Authorization Meets Enterprise Identity | Cisco Duo Continuous identity security explained | Cisco Duo Salesforce The modern MFA toolkit: push, biometrics, and security keys | Cisco Duo Cisco Duo Identity Summit Preview | Cisco Duo Duo Brings Identity and Authorization Across AI Agent Gateways | Cisco Duo Passwordless for Microsoft 365 starts with federation Custom Admin Roles: Granular control for every Duo admin Token theft, vendor abuse, and the new identity threat surface How Duo Directory automates user lifecycle management Cisco Systems Named a Customers’ Choice in Gartner Peer Insights™ 2026 Voice of the Customer for Access Management Identity provider resilience: backup and split IdP approaches | Cisco Duo Agentic AI Security: Three Threats Your Team Should Know | Cisco Duo Secure client access at scale with Duo and Meraki | Cisco Duo IdP Concentration Risk: Why Single-IdP Dependency Puts You at Risk | Cisco Duo Endpoint Management as an Attack Vector: Lessons from Stryker | Cisco Duo Passwordless authentication without cookies: Duo Push updates Introducing Duo Agentic Identity Solving the double prompt: Better UX with AMR in Duo SSO Simplify compliance with MFA, device trust, and policies Cisco Systems Named a Customers’ Choice in Gartner® Peer Insights™ 2026 Voice of the Customer for User Authentication Why identity-led security matters for MSPs right now The Hitchhiker’s Guide to Shibboleth Launching Active Directory Defense: Strengthen On-Prem AD Security | Duo Security Industry specific IAM for MSPs Duo delivers: 99.99% uptime SLA for every customer Cisco Secures 125K user identities with Duo while advancing passwordless journey NIST AAL2/3 compliance with Duo Mobile Proximity Verification From protocol to practice: Secure the AI agent ecosystem with Duo Simplify MSP technician authentication with Duo Delegated Access Standing out in a crowded MSP market Securing for third-party risk with Duo for identity management Thwarting adversary-in-the-middle attacks with Proximity Verification OAuth 2.0's next chapter: Enabling the AI security revolution The dawn of a simpler, helpful policy experience
How to secure the holidays & prep your 2026 IAM strategy
kyang@duo.com (Katherine Yang) · 2025-12-18 · via The Duo Blog

Industry News

Headshot of Katherine Yang, Product Marketing Specialist

Katherine Yang

6 minute read

The holiday season is an intense time for retail, travel, hospitality, and other industries—intense good, and intense bad. While seasonal demand drives sharp increase in business activity, organizations must also onboard temporary employees, contractors, and third parties at speed, dramatically expanding who needs access to internal systems.

The risk of suffering an outage or data breach due to phishing, social engineering, and other cyberattack tactics invariably go up, along with a new growing area of concern: external users, including season staff, contractors, vendors, and partners often require fast access to internal systems and fall outside standard employee identity controls.

Experts predict a rise in third-party risk

Along with heightened exposure to the usual suspects—fraud, ransomware, and remote attacks on IT workers—a new report predicts a rise in third-party risk this shopping season. According to the 2025 Holiday Season Cyber Threat Trends Report, members of the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) saw notable spikes in third-party data extortion and anticipate a continued trend of account takeover and business email compromise attempts.

So, what should you get your security & IT teams this year?

With more threats sprouting up across your vendor, partner and customer ecosystems, adding third-party defense strategies to your shopping list makes sense this year. Read on for a few powerful “Pro Tips” that might help do the trick—we’re sharing them early, before the “holi-daze” hits full stride.

Pro Tip 1: Give the gift of strong IAM, beyond basic MFA

In addition to fraud, last year’s most common threats included phishing, ransomware, and credential harvesting—all techniques that can be countered by strengthening identity security.

Since about 80% of breaches still involve humans and often credentials, the first step in avoiding risk should be making sure anyone trying to connect and access your company resources is who they say they are. Apply strong IAM consistently to both internal and external users, since both introduce identity risk during the holiday period.

Avoid growing threats by extending your strong access controls to validate more third-parties as thoroughly, and as easily as you do your internal workforce. Multi-factor authentication (MFA) is a crucial component of identity and access management (IAM). Strong MFA helps manage the risk that comes with allowing suppliers, contractors, consultants, and customers to access your company’s systems and data.

Last year, we explored security tips to combat holiday phishing. Traditional forms of MFA like SMS, callback, and hardware tokens are not only clunky to use and disruptive to users, but also no longer sufficient in defending against evolving phishing attacks. Duo balances security with user experience, covering the widest range of MFA options to fit organization needs. To defend against MFA-targeting attacks, deploy modern risk-based authentication (RBA) and token-free, phishing-resistant Proximity Verification—a reliable method of authenticating independent contractors, service technicians, and other third parties accessing sensitive systems onsite.

One size definitely won’t fit all

Secure-by-default, Duo makes it super easy to verify external identities and block unauthorized access. Flexible user directory capabilities help IT streamline access by both internal and external identities and manage them separately or together.

The recent addition of Duo Directory lets admins set up, segment, and manage third parties in alternate directories in the same way—but not the same place—that they do employee data. A safe and simple place to store third-party identities, Duo’s cloud-based directory can broker authentication across multiple Identity Providers. After all, protecting your company against external risk protects your entire supply chain; it’s the gift that keeps on giving!

Pro Tip 2: Verify trust in devices

There’s no getting around it: everyone multi-tasks around the holidays. That means employees and external users may be doing their holiday shopping—creating accounts, resetting credentials, sharing links, and entering payment data—all from some of the same devices they use to access your network. While shopping itself doesn’t change the need for device trust, it does increase the chances that those devices are exposed to risky links or downloads, raising the likelihood of compromise and directly impacting the security of your environment.

Strong identity security validates trust in devices as well as users themselves. This includes workforce and third-party devices; both must meet your security bar before accessing internal systems. MFA alone won’t keep everybody safe, particularly when your IT team can't see or control their devices. That’s why Duo’s strong identity security solution validates trust in devices themselves as well as users.

Duo Device Trust delivers strong security for third-party access without requiring people to add new hardware or mobile device management (MDM). Duo automatically runs health checks on external endpoints—managed or unmanaged BYOD devices—and spots red flags like outdated software that could easily be exploited. With Duo’s Trusted Endpoints, easily stand up a policy that denies access from any unknown device.

Real-time device telemetry gives admins the same visibility they use to manage internal device health, including detection of jailbroken devices and what OS version the endpoint has running. This way, automatically block access until users bring their devices into compliance with company policies.

Pro Tip 3: Turn AI into your security & IT team’s helper

According to RH-ISAC, the 2025 Holiday Period will likely be defined by an unprecedented scale of automation. With generative AI traffic predicted to grow 520% in the 10 days leading up to Thanksgiving, the lines between good bot, bad bot and human will be significantly blurred.

The same AI traffic surge targeting consumers will also overwhelm workforce identity systems. Higher access volumes and increasing number of employees becoming phishing risks, especially as threat actors on Santa’s naughty list use AI to scale their attacks. This is where Duo’s AI Assistant can help by unifying logs, and user context and device posture in one place to accelerate decisions rather than looking through various pages to find an answer. An admin can simply ask the AI Assistant, “Show me all devices this employee used to access corporate resources this week and tell me if it’s safe to grant him access from his Android device.”

As much as we try to separate personal and corporate activities, employees often use the same devices for personal holiday shopping and work. Securing identity at the point of login becomes critical to maintaining resilience during this time.

Holiday Bonus Tip: Give the gift of passwordless

Sometimes less is more. Getting rid of passwords is a gift that makes life easier for users and IT while making everyone, and your organization, safer.

Even at work, we may have a wish list, like just being able to login faster without the headache of typing and remembering all the different passwords. Do your employees and external users a favor this year by reducing this friction and give them the gift of passwordless.

Duo enables end-to-end passwordless identity security, a foundational element of end-to-end phishing resistance and one less thing for everyone to worry about as they flip from app to app. A bonus for sure, but one every Grinch in your ecosystem can appreciate.

Download the free playbook

Get the free guide to modern, security-first identity and access management and get ahead of your identity strategy in the new year. Download the Guide to Restoring Trust in Identity.

With that we’d like to wish everyone a safe and joyous holiday rush and a healthy, prosperous 2026. See you then!