
Why Cyberattacks Spike During the Holidays (And How to Prepare)


December rolls around and your IT team starts thinning out. Half your staff takes vacation time, the other half mentally checks out for the year, and your security operations center runs on whatever coverage you can scrape together.

Cybercriminals have been watching this same pattern repeat itself for years, and they’ve built their attack schedules around it.

Recent research shows that more than half of all ransomware attacks during the past 12 months took place over a holiday or weekend, when organizations run minimal security staff. This happens because eight out of ten companies reduce their staffing by 50% or more during weekends and holiday periods.

The math is straightforward. Fewer people monitoring systems means more time for attackers to operate undetected. They can move through networks, steal data, and deploy ransomware while your skeleton crew handles a backlog of help desk tickets.

A Predictable Pattern

Q4 of last year saw 1,663 ransomware attacks, the highest quarterly volume ever recorded, with November alone accounting for 629 incidents as organizations prepared for year-end shutdowns.

You can also look at major breaches from recent years: Colonial Pipeline on Mother’s Day weekend 2021, JBS Foods over Memorial Day 2021, Kaseya on July 4th weekend. Attackers deliberately target long holiday weekends when response teams operate at reduced capacity.

Phishing attempts surge during holidays as well. Employees expect shipping notifications and vendor messages at year-end, making malicious emails harder to spot. Someone clicks a fake FedEx tracking link, and suddenly you’ve got an active threat moving through your network while most of your security team is out of office.

Why Organizations Cut Security Coverage

Most companies reduce staffing for understandable reasons: they want to provide work-life balance for employees, many businesses close entirely for the holidays, and some simply assume they won’t be targeted.

That last assumption costs organizations millions every year. Ransomware groups specifically hunt for companies that think they’re too small, too obscure, or too prepared to be worth attacking.

A significant portion of attacks also happen after major corporate events like mergers, acquisitions, or layoffs. These transitions create confusion about who’s responsible for what, and attackers exploit that chaos.

What You Can Actually Do

1. Maintain adequate monitoring – You don’t need full staffing, but someone needs to be watching for alerts. If you can’t afford 24/7 coverage, set up automated alerts for suspicious activity and make sure someone’s checking them regularly. Train your on-call staff to recognize common attack patterns.

2. Update everything before the break – Security patches often contain fixes for known vulnerabilities that attackers actively exploit. Push updates to all systems before your team heads out. Yes, updates can cause issues, but unpatched systems during a holiday weekend create bigger problems.

3. Enforce multi-factor authentication everywhere – Passwords get compromised constantly. MFA blocks most unauthorized access attempts even when credentials leak. Apply it to remote access, email, and any system that touches sensitive data.

4. Lock down unnecessary access – Review what remote access points are exposed and disable anything non-essential during the holiday period. If systems don’t need to be accessible externally while everyone’s out, shut down those entry points temporarily.

5. Test your backups now – Ransomware groups know that organizations with solid backups are less likely to pay. Make sure your backups actually work and that they’re stored somewhere attackers can’t reach them. The middle of a holiday crisis is a terrible time to discover your backup system hasn’t been working for months.

6. Have an incident response plan ready – Who gets called if something goes wrong? What systems get isolated first? Where are the recovery procedures documented? Answer these questions before everyone leaves, not during a panic on Christmas morning.
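The monitoring step above (and the FAQ answer later on the page about setting up automated alerting before people leave) comes down to one thing: when the team is thin, the on-call person should see a short list of sign-ins that actually need a look rather than the whole log. The script below is an added example, not code from the original post or from Admin By Request. It runs a few canned rules over a constructed sign-in log: it only examines events that fall on weekends or on a constructed holiday calendar, and it flags failed-login bursts, sign-ins by accounts marked as on vacation, admin accounts used by someone not on the on-call roster, and remote (VPN/RDP) access by anyone not on call. The log format, the account roster, the holiday dates and the IP addresses are all constructed for the example.

```python
"""Reduced-coverage sign-in alerting.

Added example, not code from the original post. It runs canned rules over a
small constructed log so that whoever is on call over a holiday sees only the
sign-ins worth a look. The log lines, roster and holiday calendar are all
constructed for the example.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed freeze calendar: dates the organisation is closed.
HOLIDAYS = {date(2024, 12, 24), date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}

# Constructed roster for the freeze window.
ON_CALL = {"jlee"}                   # expected to sign in, including remotely
ADMIN_ACCOUNTS = {"jlee", "asmith"}  # accounts holding standing admin rights
ON_VACATION = {"asmith"}             # should not be signing in at all

# Constructed log format:
#   <ISO timestamp> <SUCCESS|FAILURE> user=<name> src=<ip> method=<vpn|rdp|local>
SAMPLE_LOG = """\
2024-12-23T09:12:05 SUCCESS user=jlee src=10.0.0.15 method=local
2024-12-25T02:14:33 FAILURE user=asmith src=203.0.113.9 method=vpn
2024-12-25T02:14:41 FAILURE user=asmith src=203.0.113.9 method=vpn
2024-12-25T02:14:50 FAILURE user=asmith src=203.0.113.9 method=vpn
2024-12-25T02:15:07 SUCCESS user=asmith src=203.0.113.9 method=vpn
2024-12-25T10:30:00 SUCCESS user=jlee src=10.0.0.15 method=vpn
2024-12-28T14:00:00 SUCCESS user=bwong src=198.51.100.4 method=rdp
"""


@dataclass
class Event:
    ts: datetime
    success: bool
    user: str
    src: str
    method: str


@dataclass
class Alert:
    ts: datetime
    user: str
    src: str
    reasons: list


def parse_line(line):
    """Turn one constructed log line into an Event."""
    ts, result, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(datetime.fromisoformat(ts), result == "SUCCESS",
                 fields["user"], fields["src"], fields["method"])


def reduced_coverage(ts):
    """True on weekends and listed holidays, when staffing is thin."""
    return ts.date() in HOLIDAYS or ts.weekday() >= 5


def analyze(log_text, fail_threshold=3):
    """Return the alerts an on-call person should see for the freeze window.

    Events outside reduced-coverage periods are left to the normal queue;
    the point is to keep the holiday alert stream short and relevant.
    """
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not reduced_coverage(ev.ts):
            continue
        if not ev.success:
            # Count failures per (account, source); alert once at the threshold.
            failures[(ev.user, ev.src)] += 1
            if failures[(ev.user, ev.src)] == fail_threshold:
                alerts.append(Alert(ev.ts, ev.user, ev.src, ["FAILED_LOGIN_BURST"]))
            continue
        reasons = []
        if ev.user in ON_VACATION:
            reasons.append("VACATION_LOGIN")
        if ev.user in ADMIN_ACCOUNTS and ev.user not in ON_CALL:
            reasons.append("ADMIN_OFF_ROSTER")
        if ev.method in ("vpn", "rdp") and ev.user not in ON_CALL:
            reasons.append("REMOTE_OFF_ROSTER")
        if reasons:
            alerts.append(Alert(ev.ts, ev.user, ev.src, reasons))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a.ts.isoformat(), a.user, a.src, ",".join(a.reasons))
```

On the constructed log this produces three alerts: a failed-login burst against the vacationing admin account from an external address, the successful VPN sign-in that follows it (flagged on all three roster rules at once), and a weekend RDP session by a user who is not on call. The weekday sign-in by the on-call engineer and their holiday VPN session produce nothing, which is the point: the roster and calendar are what turn a raw log into something a skeleton crew can actually keep up with.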

Managing Privilege During the Holidays

One often-overlooked holiday risk is that with fewer people around, more admin accounts sit idle with full privileges. If an attacker compromises one of those accounts, they’ve got unrestricted access to your systems.

Our Endpoint Privilege Management solution addresses this by removing permanent admin rights entirely. Users get elevated privileges only when they need them, only for specific applications, and everything gets logged. If someone’s account gets compromised while they’re on vacation, the damage an attacker can do is severely limited.

This approach also helps with the skeleton crew problem. Your reduced holiday staff can still support users who need to install software or change system settings, because those users can elevate privileges themselves through approved workflows instead of waiting for IT.
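To make the model in the two paragraphs above concrete, here is an added illustration of just-in-time elevation: no standing admin rights, elevation granted per application, capped in duration, and every request and expiry written to an audit trail. This is a generic sketch of the concept written for this page, not Admin By Request's implementation or API; the policy table, user name, application names and timestamps are all constructed.

```python
"""Just-in-time elevation model.

Added illustration of the concept, not Admin By Request's implementation.
Users hold no standing admin rights; elevation is granted per application,
time-boxed by policy, and every decision is logged. The policy and the
session in demo() are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: which applications each user may elevate for, and the
# longest window a single grant may last.
POLICY = {
    "asmith": {"allowed_apps": {"vpnclient-installer.exe"}, "max_minutes": 15},
}


@dataclass
class Grant:
    user: str
    app: str
    expires: datetime


@dataclass
class ElevationBroker:
    audit: list = field(default_factory=list)   # every decision, in order
    grants: dict = field(default_factory=dict)  # (user, app) -> Grant

    def _log(self, **entry):
        self.audit.append(entry)

    def request(self, user, app, now, minutes=10):
        """Grant a time-boxed elevation if policy allows this user/app pair."""
        rule = POLICY.get(user)
        if rule is None or app not in rule["allowed_apps"]:
            self._log(ts=now, user=user, app=app, action="request", result="denied")
            return False
        ttl = min(minutes, rule["max_minutes"])  # policy caps what the user asked for
        self.grants[(user, app)] = Grant(user, app, now + timedelta(minutes=ttl))
        self._log(ts=now, user=user, app=app, action="request", result="granted", ttl=ttl)
        return True

    def is_elevated(self, user, app, now):
        """Check a grant at time `now`; expired grants are revoked and logged."""
        grant = self.grants.get((user, app))
        if grant is None:
            return False
        if now >= grant.expires:
            del self.grants[(user, app)]
            self._log(ts=now, user=user, app=app, action="expire", result="revoked")
            return False
        return True


def demo():
    """Walk one constructed session through the broker and return the outcomes."""
    broker = ElevationBroker()
    t0 = datetime(2024, 12, 25, 2, 20)  # constructed: a holiday, nobody around
    # An account with no standing rights cannot elevate an unapproved program.
    denied = broker.request("asmith", "unapproved-tool.exe", t0)
    # An approved installer elevates, but policy caps the 60 minutes asked for at 15.
    granted = broker.request("asmith", "vpnclient-installer.exe", t0, minutes=60)
    live = broker.is_elevated("asmith", "vpnclient-installer.exe", t0 + timedelta(minutes=5))
    after = broker.is_elevated("asmith", "vpnclient-installer.exe", t0 + timedelta(minutes=16))
    return denied, granted, live, after, broker.audit


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

The session in `demo()` shows the two properties the section describes: a compromised account that holds no permanent admin rights gains nothing from a request outside its approved application list, and an approved elevation stops working on its own once the window closes, with the denial, the grant and the expiry all in the audit list for whoever reviews it after the break.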

Give Admin By Request EPM a try through our free plan for up to 25 seats, or book a demo to see it in action.

Don’t Be the Easy Target

Attackers count on organizations letting their guard down during holidays. They’ve built entire business models around exploiting reduced staffing and distracted employees.

The weeks leading up to major holidays are the time to tighten access controls, verify monitoring coverage, and make sure your team knows who to call if something goes wrong. A little preparation now beats a lot of panic later.

Frequently Asked Questions

Why do attackers specifically target holidays instead of attacking year-round?

They do attack year-round, but holidays offer better conditions for success. With reduced SOC staffing and slower response times, attackers have more time to move through networks undetected. They can exfiltrate data, establish persistence, and deploy ransomware before anyone notices. During normal business hours, those same activities might trigger alerts that get addressed within minutes.

Our business closes completely during holidays. Does that make us safer?

Actually, it often makes you more vulnerable. Attackers know nobody’s monitoring systems when businesses are closed. They can spend days moving through your network without any risk of detection. When you return from the break, the damage is already done.

How much security coverage do we really need during holiday periods?

At minimum, someone needs to be monitoring alerts and able to respond to incidents. This doesn’t require your full team, but completely eliminating coverage creates unnecessary risk. Many organizations use a rotating on-call schedule or contract with a managed security service provider for holiday coverage.

What if we can’t afford to keep security staff working through the holidays?

Set up automated monitoring and alerting before people leave. Configure your systems to flag suspicious activity and send notifications to whoever’s on call. You won’t catch everything, but you’ll have visibility into obvious threats. Also consider whether you can afford not to have coverage if an attack shuts down your business for weeks.

We have MFA and regular patching. Are we still at risk during holidays?

Yes. MFA and patching are important defenses, but attackers have multiple entry points. They might exploit a vulnerability you haven’t patched yet, compromise a third-party vendor, or use social engineering that bypasses MFA. The holiday risk comes from having fewer people watching for these attacks and slower response times when they do occur.

How do we balance employee time off with security needs?

Plan ahead. Rotate holiday coverage so everyone gets time off but systems stay monitored. Train multiple team members on incident response procedures so you’re not dependent on one person. Set clear escalation paths so whoever’s on call knows when to pull in additional help. The goal isn’t to eliminate holidays, but to maintain minimum security operations during them.

What’s the most common way attackers get in during holiday periods?

Phishing remains the top entry point. Employees are distracted, expecting legitimate holiday shipping notifications and year-end communications. Attackers craft emails that blend in with this increased volume of legitimate messages. Once they compromise one account, reduced monitoring gives them time to escalate privileges and move laterally before anyone notices.

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
