Summer Checklist for SMBs: stay secure during the holiday period
The summer holidays are prime time for fraudsters banking on a half-empty office. Use this practical checklist to keep your SMB secure throughout the holiday period.
Summer means holidays — and that's exactly when things go wrong. Not because hackers suddenly work harder (though they do), but because the people who normally catch mistakes aren't around. The bookkeeper is in Crete, the director is hiking in Austria, and the intern has been told they can "keep an eye on the inbox". Before you know it, there's an urgent invoice sitting in the queue with a new IBAN, and there's nobody to "give a quick ring to check it's legit".
A few simple agreements before you leave the office half-empty in July and August can save you a world of trouble. Below is a practical list — not a thick procedural manual, just the things that genuinely make a difference.
1. Agree in advance who is authorised to approve what
The classic scenario: the treasurer is on holiday, an invoice arrives that "absolutely must be paid today", and someone else transfers the money "because it can't wait". Nine times out of ten, that's fine. The tenth time, it's fraud.
Before the holiday period, document:
- Who is authorised to approve payments up to what amount when the usual person is away?
- Who provides a second pair of eyes for payments above a certain threshold?
- Which payments can simply wait until after the holidays? (Spoiler: more than you'd think.)
For any new or changed IBAN: call the supplier using a number from your own records — not from the email. Always. Even in August.
2. Set an out-of-office — but don't give too much away
An out-of-office is helpful for clients and a goldmine for scammers. "I'm away until 14 August; for urgent matters please contact Jan (jan@company.com, 07700 900123)" tells a fraudster exactly how long they have and who they can impersonate.
Keep it brief: "I have limited availability until mid-August. For urgent matters: info@company.com." No exact dates, no personal mobile numbers, no names of stand-ins who can easily be impersonated.
3. Do a quick access check before the holidays
The last thing you want is a former employee — or a forgotten intern account — still able to get in while nobody is watching. Half an hour's work prevents a lot of headaches:
- Go through the user accounts in your email environment (such as Microsoft 365). Is there anyone who shouldn't still be there?
- Check who has admin rights. Does that list still look right?
- Review which external parties (accountant, marketing agency, freelancer) have access to which systems.
Find something that's no longer correct? Disable it. Reactivating an account in September takes five minutes; dealing with a compromised account takes a week.
4. Enable two-factor authentication on all important accounts
You've probably done this already — but double-check. Email, accounting software, banking, domain registrar, your website CMS. One account without 2FA is enough to ruin the entire summer.
Don't forget your backup codes. If the director's phone ends up in the sea off Ibiza, you don't want to discover that the codes needed to regain access were on that same phone. Print them out, or store them in your password manager under a separate category.
5. Who is keeping an eye on the inbox?
Not to reply to everything — but to spot if something doesn't look right. A suspicious login attempt, a password reset request, a supplier who "quickly" provides a different account number. Agree that one person scans the main mailbox(es) each week for anything unusual.
Also check your SPF/DKIM/DMARC reports if you receive them. Summer is a popular time for phishing in your name, simply because the chances of being caught are lower.
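As an added illustration of what "checking your DMARC reports" means in practice (example code, not from the original article): the aggregate (RUA) reports you receive are XML, and the rows worth a second look are the sources where neither DKIM nor SPF passed, because that is mail sent in your domain's name from somewhere you did not authorise. The report below is constructed for the example; the domain and IP addresses are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample DMARC aggregate report (not a real one): one legitimate
# sender that passes both checks, and one unknown source that fails both.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>company.example</domain><p>quarantine</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>7</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>company.example</header_from></identifiers>
  </record>
</feedback>"""


def parse_report(xml_text):
    """Return (reported domain, list of one dict per <record>)."""
    root = ET.fromstring(xml_text)
    domain = root.findtext("policy_published/domain")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count", "0")),
            "dkim": pe.findtext("dkim"),          # aligned DKIM result
            "spf": pe.findtext("spf"),            # aligned SPF result
            "disposition": pe.findtext("disposition"),
        })
    return domain, rows


def unauthenticated_sources(rows):
    """DMARC passes when either aligned check passes; a row failing both is
    mail in your name that none of your authorised senders produced."""
    return [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]


def summarise(xml_text):
    """Totals a sysadmin would glance at each week: all mail vs. unauthenticated."""
    domain, rows = parse_report(xml_text)
    bad = unauthenticated_sources(rows)
    return {"domain": domain, "total": sum(r["count"] for r in rows),
            "unauthenticated": sum(r["count"] for r in bad),
            "suspect_ips": [r["source_ip"] for r in bad]}
```

A steady stream of rows failing both checks from IPs you do not recognise is the sign that someone is phishing in your name; a failing row from your own marketing tool usually means its DKIM or SPF setup needs fixing.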
6. Backups: not just running, but verified
A backup that runs smoothly every night but has never been restored isn't a backup — it's just a file. Before the holidays, test whether you can actually retrieve a file. Five minutes of work, and you'll know for certain you won't be facing a ransomware incident and a useless backup in the first week of August.
7. Put a "who to call" list on paper
It sounds old-fashioned — because it is. But if everything goes down — email, phone system, laptop — a printed A4 sheet with the phone numbers of your IT provider, hosting partner, accountant and bank is worth its weight in gold. Pin it up at the office, and give a copy to whoever is holding the fort in August.
In brief
Summer isn't a security event in itself, but it is a period where the usual checks and balances are missing. Four things that make the biggest difference:
- A second pair of eyes on payments, especially for new IBANs.
- An out-of-office message that doesn't give too much away.
- A quick check on who has access to what.
- 2FA and backup codes for all important accounts.
Want a check before the holiday period to confirm your access overview is correct — who still has rights to what, and should they? Our access check does exactly that. And if a new supplier appears with a different account number: run it through the IBAN check before you transfer anything.
Full guide: Security for SMEs without an IT department: what are you doing this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar page for the full picture.