
Why criminals wait for the A-Team to leave

As the festive season approaches, many organisations either shut down or operate on skeleton crews. While executives and key employees in departments like IT, finance and security are enjoying a well-earned break, cybercriminals are ramping up their activity.

In fact, industry data shows that ransomware attacks spike by around 30% during the holiday period. Because of this, businesses need to be especially intentional about managing human risk and reinforcing security protocols before their core teams sign off.

“Just because your employees are on holiday, doesn’t mean that threat actors are,” states Anna Collard, SVP of content strategy & CISO advisor at KnowBe4 Africa.

Collard points to a recent report finding that 47% of ransomware attacks occurred on a weekend or holiday.

“Many organisations reduce their IT security workforce by 50% or more during weekends and holidays, and that’s precisely when attackers then will – and do – strike,” she says.

The vulnerability of the ‘B-Team’

It is easy to understand what makes businesses more vulnerable over the holidays. With many senior employees on leave, the office is often manned by more junior personnel or temporary contractors who may not have the institutional knowledge to spot a sophisticated attack.

“Fewer people means more pressure, more multitasking and less oversight, which are perfect conditions for fraud, phishing and human-associated risks,” Collard explains.

Depending on the organisation, workloads may either increase or come to a complete halt. With fewer eyes on the network and bad actors actively probing for weaknesses, neither scenario is ideal. It is precisely because of this reduced vigilance and overworked skeleton teams that cybercriminals are able to exploit security gaps.

“Attackers get a window to infiltrate, persist, escalate privileges, or deliver payloads without detection,” comments Collard.

Attackers often perform reconnaissance weeks in advance. They trigger ‘Out of Office’ auto-replies to map out exactly who is away, who their backup is, and when the office will be most vulnerable – and those auto-replies often supply personal contact details as well. This allows them to time social engineering attacks with surgical precision.

The CEO fraud spike

One of the most favoured methods of attack during this period is CEO fraud, also known as Business Email Compromise (BEC).

“These scams involve criminals impersonating a trusted person, like a CEO or vendor, to trick employees into sending money or revealing sensitive information,” Collard explains.

Because the actual CEO is likely on vacation, a junior employee receiving an “urgent” WhatsApp request from them is less likely to question it. The criminals rely on the fact that the employee cannot easily walk over to the CEO’s office to verify the request.

Process under pressure

When regular routines and senior oversight are disrupted, strong processes are needed most. 

“Organisations cannot rely on instinct or informal knowledge-sharing during skeleton-crew periods,” Collard states. “Clear, well-documented escalation paths ensure that junior employees know exactly who to contact when something feels wrong.”

To secure the holiday period, Collard advises implementing specific procedural guardrails:

  • Dual approval: Enforce mandatory dual approval for any movement of money or changes to sensitive systems. This creates an essential safeguard against both error and social engineering.
  • Pre-defined playbooks: Incident playbooks – from handling suspicious emails to responding to system alerts – remove ambiguity. Personnel should be able to act quickly and confidently without having to guess the right course of action under pressure.
  • The ‘Designated Driver’: Clearly identify who is on call for security escalations, and ensure they are actually reachable.

Empowering people, not just technology

Technology also needs to be beefed up. Proactive, preventive measures are essential, whether it is reinforcing awareness training, restricting privileged access, or enforcing strong controls such as multi-factor authentication (MFA) and running secure backups.

However, technology can only go so far – human judgement remains the first and last line of defence.

“Leaders need to communicate the risk internally,” advises Collard. “Senior leadership must understand that ‘it’s just a quiet time’ is exactly when attackers choose to strike.”

Crucially, leaders must give explicit permission to their teams to slow down, verify requests, and escalate anything suspicious.

“When people feel trusted and supported, their judgment sharpens,” Collard concludes. “A culture where a junior employee feels safe questioning an ‘urgent’ request from a director is a culture that survives the festive season intact.”

Holiday leave, heightened risk: Managing human risk when your core team is away

As the festive season approaches, many organisations either shut down or operate on skeleton crews. While CEOs and key staff in departments like IT, finance and security are enjoying a well-earned break, cybercriminals are ramping up their activity. In fact, industry data shows that ransomware attacks spike by around 30% during the holiday period. Because of this, businesses need to be especially intentional about managing human risk and reinforcing security protocols before their core teams sign off, asserts Anna Collard, SVP of Content Strategy & CISO Advisor at KnowBe4 Africa.

“Just because your staff are on holiday, doesn’t mean that threat actors are,” she states. She mentions a recent report that found that for healthcare organisations, 47% of ransomware attacks occurred on a weekend or holiday. “Many organisations reduce their IT security staffing by 50% or more during weekends and holidays, precisely when attackers strike,” she says.

The risks of skeleton staff

It’s easy to understand what makes businesses more vulnerable over the holidays. “With many regular staff on leave or working minimal hours, there are fewer people to notice suspicious activity,” Collard explains, which leads to alert monitoring and incident response often operating at lower capacity.

“Fewer people means more pressure, more multitasking and less oversight, which are perfect conditions for fraud, phishing and smishing scams, and human error,” she elaborates. “Depending on the organisation, workloads may either increase or come to a complete halt. With fewer eyes on the network and bad actors actively probing for weaknesses, neither scenario is ideal.”

It’s precisely because of reduced vigilance and overworked skeleton staff that cybercriminals are able to exploit security gaps. “With fewer people, some of whom may not be properly trained, and slower response times, attackers get a window to infiltrate, persist, escalate privileges or deliver payloads without detection,” comments Collard.

Even routine “holiday notifications”, such as out-of-office emails, auto-replies and holiday-schedule announcements, can leak valuable information to attackers about who is away and who is available, enabling social engineering attacks to be timed more precisely.

Types of holiday cyberattacks

According to Collard, how cybercriminals target organisations during the holiday period varies. “They can send convincingly crafted phishing emails – everything from bogus IT warnings and fake password prompts to counterfeit delivery updates,” she notes. “These messages are designed to look legitimate and often hide dangerous links or attachments that deploy malware, including ransomware or credential-stealing spyware.”

Another favoured method of attack is CEO fraud, also known as business email compromise (BEC). “These sophisticated scams involve criminals impersonating a trusted person, like a CEO or vendor, to trick employees into sending money or revealing sensitive information,” Collard explains. “They rely on highly targeted social engineering to manipulate victims and often involve detailed research to create convincing requests, such as fraudulent EFT instructions or requests for gift-card serial numbers.” 

Process under pressure

When regular routines and senior oversight are disrupted, strong processes are needed most. Collard maintains that process, the third pillar of human risk management alongside technology and people, should be reinforced before the holidays to maintain resilience, especially when decision-making shifts to less experienced or temporary staff.

She emphasises that organisations can’t rely on instinct or informal knowledge-sharing during skeleton-crew periods. “Clear, well-documented escalation paths ensure that junior staff know exactly who to contact when something feels wrong,” Collard states. “Dual approval for any movement of money or changes to sensitive systems creates an essential safeguard against both error and social engineering.”

In addition, she believes predefined incident playbooks – from handling suspicious emails to responding to system alerts – remove any ambiguity. “Staff should be able to act quickly and confidently without having to guess the right course of action under pressure,” she affirms.

The heightened security risks associated with the holiday period mean technology also needs to be beefed up. “Proactive, preventive measures are essential,” says Collard, “whether it’s reinforcing awareness training, restricting privileged access or enforcing strong controls, such as multi-factor authentication (MFA) and running secure backups.”

Empowering people, not just technology

However, technology can only go so far – human judgement should still be the first and last line of defence. What can leaders do to empower employees at every level to recognise and respond to suspicious activity during the holidays, even when key team members are on leave?

“Firstly, they need to communicate the risk internally,” advises Collard. “Senior leadership must understand that ‘it’s just a quiet time’ is exactly when attackers choose to strike.”

Secondly, she believes leaders need to give permission to their staff to slow down, verify requests and escalate anything suspicious. “When people feel trusted and supported, their judgment sharpens,” she concludes.

 
