Holidays are coming, but businesses are leaving their cyber doors wide open, report warns

Cyber attackers are targeting holidays and weekends to cause maximum disruption, yet many businesses remain underprepared outside of standard working hours a new report has warned.

With the holiday season fast approaching – kicking off with US Thanksgiving next week – research conducted by cyber security firm Semperis, The Holiday Ransomware Report,  has found that organisations are leaving security teams understaffed during these critical times.

Semperis warns that understaffing outside business hours equals a greater risk of cyber crimes by opportune criminals who do not work to ‘Monday to Friday,’ nine to five clocks.

The report brings together global data from its study of almost 1000 IT and security leaders working in various sectors across the US, UK, France and Germany.

The research found that over 70% of organisations reported experiencing ransomware incidents during holidays and weekends when security teams aren’t working at full capacity.

 The study highlights how businesses remain at considerable risk, especially when their SOC (Security Operations Centre) is under-resourced outside of business hours.

Notably, the finance and manufacturing sectors are identified as highly susceptible, with almost 80%  of global respondents from finance and 75% from manufacturing and utilities confirming ransomware incidents on holidays or weekends.

 ‘Round the clock’ security teams operate at only 25% capacity

Despite the ongoing risk, over half (52%) of UK businesses admitted their SOC is only partially staffed on bank holidays and weekends. One in 20 don’t staff their SOC at all during those times. And 42% of respondents who claimed to maintain a 24/7/365 SOC said it only operates at 25% capacity.

The security firm warned that fewer eyes on the network traffic and less attention to suspicious activity means that hackers can slip in unnoticed – leaving organisations wide open to cyberattacks.

High-profile holiday-based cyberattacks include the Colonial Pipeline ransomware attack in the US on Mother’s Day. In the UK meanwhile, a 2023 weekend attack targeted the software MOVEit, used by payroll software provider Zellis, which affected British Airways, Boots and BBC staff.

The recent Transport for London hack, which highlighted the growing threat of cyberattacks on public infrastructure, started on a Sunday.

 “Cyber threats don’t take a holiday. In fact, attackers are exploiting quieter times when they know they may be more successful – using periods of understaffed security operations to their advantage.

“Our research report is an urgent wake-up call that you can never take your eye off the ball; the threat to business, critical infrastructure and consumers is constant,” said Dan Lattimer, area vice president, Semperis.

 Work-life balance vs cyber defence

 Asked why their organisation scaled back IT and security staffing at weekends and during holidays, a third of respondents said they “did not think full staffing was necessary considering most employees work only during weekdays.”

The same number said they “did not think our business would be targeted by hackers” and a third felt it wasn’t necessary because “their business has never been targeted in the past.”

 Other top reasons given were “our business is open Monday-Friday only” (30%) and “work/life balance is important” (30%) – highlighting that security gaps could arise from a weak security culture.

According to Simon Hodgkinson, former CISO at BP and strategic advisor at Semperis, it’s time businesses realised that cyber threats are present around the clock.

“The stark reality is that they are much more vulnerable when their SOC isn’t fully staffed. You really need to have someone on call all the time. Security teams could rotate responsibility with some employees taking weekdays off to ensure adequate staffing levels,” he said.

“In addition, organisations must have solid emergency procedures in place, with a tried and tested incident response plan that allows them to contain threats and restore operations quickly should an attack happen – regardless of whether the attacker strikes on a Sunday or a Tuesday,” he added.