
Why criminals wait for the A-Team to leave

As the festive season approaches, many organisations either shut down or operate on skeleton crews. While executives and key employees in departments like IT, finance and security are enjoying a well-earned break, cybercriminals are ramping up their activity.

In fact, industry data shows that ransomware attacks spike by around 30% during the holiday period. Because of this, businesses need to be especially intentional about managing human risk and reinforcing security protocols before their core teams sign off.

“Just because your employees are on holiday, doesn’t mean that threat actors are,” states Anna Collard, SVP of content strategy & CISO advisor at KnowBe4 Africa.

Collard points to a recent report finding that 47% of ransomware attacks occurred on a weekend or holiday.

“Many organisations reduce their IT security workforce by 50% or more during weekends and holidays, and that’s precisely when attackers then will – and do – strike,” she says.

The vulnerability of the ‘B-Team’

It is easy to understand what makes businesses more vulnerable over the holidays. With many senior employees on leave, the office is often manned by more junior personnel or temporary contractors who may not have the institutional knowledge to spot a sophisticated attack.

“Fewer people means more pressure, more multitasking and less oversight, which are perfect conditions for fraud, phishing and human-associated risks,” Collard explains.

Depending on the organisation, workloads may either increase or come to a complete halt. With fewer eyes on the network and bad actors actively probing for weaknesses, neither scenario is ideal. It is precisely because of this reduced vigilance and overworked skeleton teams that cybercriminals are able to exploit security gaps.

“Attackers get a window to infiltrate, persist, escalate privileges, or deliver payloads without detection,” comments Collard.

Attackers often perform reconnaissance weeks in advance. They trigger ‘Out of Office’ auto-replies to map out exactly who is away, who their backup is, and when the office will be most vulnerable. Those auto-replies often supply personal contact details as well. This allows attackers to time social engineering attacks with surgical precision.

The CEO fraud spike

One of the most favoured methods of attack during this period is CEO fraud, also known as Business Email Compromise (BEC).

“These scams involve criminals impersonating a trusted person, like a CEO or vendor, to trick employees into sending money or revealing sensitive information,” Collard explains.

Because the actual CEO is likely on vacation, a junior employee receiving an “urgent” WhatsApp request from them is less likely to question it. The criminals rely on the fact that the employee cannot easily walk over to the CEO’s office to verify the request.

Process under pressure

When regular routines and senior oversight are disrupted, strong processes are needed most.

“Organisations cannot rely on instinct or informal knowledge-sharing during skeleton-crew periods,” Collard states. “Clear, well-documented escalation paths ensure that junior employees know exactly who to contact when something feels wrong.”

To secure the holiday period, Collard advises implementing specific procedural guardrails:

  • Dual approval: Enforce mandatory dual approval for any movement of money or changes to sensitive systems. This creates an essential safeguard against both error and social engineering.
  • Pre-defined playbooks: Incident playbooks – from handling suspicious emails to responding to system alerts – remove ambiguity. Personnel should be able to act quickly and confidently without having to guess the right course of action under pressure.
  • The ‘Designated Driver’: Clearly identify who is on call for security escalations, and ensure they are actually reachable.

Empowering people, not just technology

Technology also needs to be beefed up. Proactive, preventive measures are essential, whether it is reinforcing awareness training, restricting privileged access, or enforcing strong controls such as multi-factor authentication (MFA) and running secure backups.

However, technology can only go so far – human judgement remains the first and last line of defence.

“Leaders need to communicate the risk internally,” advises Collard. “Senior leadership must understand that ‘it’s just a quiet time’ is exactly when attackers choose to strike.”

Crucially, leaders must give explicit permission to their teams to slow down, verify requests, and escalate anything suspicious.

“When people feel trusted and supported, their judgment sharpens,” Collard concludes. “A culture where a junior employee feels safe questioning an ‘urgent’ request from a director is a culture that survives the festive season intact.”
