Christmas is fast approaching, which, for many people, means a week or two of well-deserved time off. Unfortunately, for cybersecurity professionals within lean security teams, downing tools this Christmas may not be an option. 

Earlier this year, just before the Labour Day weekend in the United States, the FBI and CISA warned organisations that cybercriminals don’t take annual leave. If anything, as the bi-agency team was keen to remind, criminals prefer to strike when most offices are likely to be closed or understaffed (i.e., on holidays and weekends). To illustrate their point, the two agencies highlighted three recent, significant ransomware attacks, all of which coincided with major holidays in the United States: the Colonial Pipeline attack (Mother’s Day), the meat giant JBS hack (Memorial Day), and Kaseya breach (the fourth of July holiday weekend). 

As of this writing, no similar advisory has been issued for the upcoming holiday period. However, if a look at past incidents is anything to go by, many security professionals may well find their Christmas breaks cut short by cyberattacks. And although the news headlines are almost always dominated by attacks on huge companies, that doesn’t mean that SMEs won’t be affected. According to CISA, “Attackers view holidays and weekends — especially holiday weekends — as attractive timeframes in which to target potential victims, including small and large businesses." 

Why cyber attacks are often unwanted gifts for SMEs

It's mostly thanks to the countless talented individuals on the cybersecurity frontline that only a fraction of the two thousand or so cyberattacks launched each day are successful. Indeed, for any cybercriminal, proactive security teams are no doubt the biggest hindrance to the success of an attack. This is exactly why, according to industry professionals, hackers often purposely plan their attacks for periods when they know fewer IT professionals will be at their desks. 

During peak holiday times, most IT staff tend to be out of the office or operating within a skeleton team. For teams that are lean to begin with, and made even leaner because of staff absences, both monitoring networks and remediating threat alerts during these periods becomes impossible. This gives hackers the perfect opportunity to probe networks for weak points by brute-forcing unsecured remote desktop protocol endpoints or exploiting stolen credentials. In some instances, cybercriminals may already be inside a victim's network but wait until everyone is likely to be on holiday to deploy an attack. Because it takes time for ransomware to propagate through a network, the longer the attack goes unnoticed, the more damage threat actors can do. And with many IT professionals taking time off during Christmas, cybercriminals know that the chances of someone seeing and interrupting an attack are very slim. 

It doesn’t help that organisations that are hacked during weekends or holidays are typically unable to react as quickly as they would on a regular working day. Some cybersecurity professionals may be travelling and therefore hard to reach, whereas others may not have access to their work devices. Depending on the sector an affected organisation is in, cybercriminals know that attacks during holiday periods can increase their willingness to pay a ransom. For example, a retailer who suffers a ransomware attack during the run-up to Christmas or New Year sales will have a stronger inclination towards paying a ransom than they might during an average week in spring. 

About the author

David Atkinson, Founder and CEO, SenseOn

Before moving into the cyber security industry, David spent over 15 years working within the UK’s specialist military units where he was the first cyber operative. His combined experience and technical abilities gained from his background in military, government and the private sector has led him to challenge the current approaches to cyber security and to create SenseOn.

Lean teams are at high risk

Ultimately, the risk of holiday cybercrime is something every organisation faces. However, for SMEs with few dedicated cybersecurity staff, the Christmas cyber threat level is particularly acute. Although 80% of SMEs now feel safer than ever due to increased investment in cybersecurity, as the holiday season approaches, the number of SMEs that will get hacked is only likely to grow. In a recent survey of 1,206 cybersecurity professionals in the UK, US, Germany, France, Italy, Spain, Singapore, South Africa, and the UAE, 89% of respondents admitted they were worried about a repeat cyber attack ahead of the holidays.

Part of the reason why is that despite spending more on security, most organisations struggle to do so in a way that actually makes them safer. Worldwide, SMEs spent $57 billion on cybersecurity in 2020, and by 2025, this figure is expected to rise to $90 billion. However, it is unlikely that much of this investment went/will go towards increasing the size of organisations’ cybersecurity teams. In its Cyber security strategy 2021: An urgent business priority report, PwC notes that in the UK, only 42% of organisations want to expand their cybersecurity teams compared to 51% of organisations globally. Furthermore, 22% of UK organisations expect to shrink the size of their cybersecurity teams versus 16% globally.  Even if businesses wanted to increase their headcount, the ongoing cybersecurity skills crisis makes hiring security staff a challenge. It is estimated that at least four million additional cybersecurity professionals are needed worldwide, and 70% of organisations now feel like they have been impacted by the cyber talent gap. Another study found that 68% of organisations that saw more cyberattacks last year were understaffed. 

On the other side of the cybersecurity equation, there are more threat actors than ever. New ransomware gangs are emerging each month, and some of the most prominent RaaS groups have joined forces to form cyber cartels. Throw in the pandemic, plus the shift to remote work that came with it, and is it any wonder that more than half of security professionals and incident responders report experiencing burnout? With 65% of these individuals admitting they considered leaving their job because of extreme stress, it’s clear that focusing on buying more cybersecurity tools (which is what many organisations are doing) isn’t working. 

While more tools may create the illusion of greater security, in reality, all they achieve is more alerts — the average organisation today sees 10,000 alerts per day. Leans teams don’t have enough bandwidth to go through all the alerts they get, many of which are false positives or trivial true positives (alerts that, while technically true, are irrelevant). Especially during the holidays, when security teams are even more understaffed than usually, important alerts may end up buried under these false positives. As a result, lean teams may miss alerts that could help them identify and stop threats in their early stages. For security professionals that are called into work after an attack, 86% miss holidays or weekend activities with their families. Additionally, about three-quarters confessed to being intoxicated while dealing with a ransomware attack during the weekend or holidays, something that few organisations are likely to have taken into account when preparing incident response plans.

How to give your organisation the gift of security

Just because cybercriminals like to strike when security teams are on holiday doesn’t necessarily mean that your organisation will be affected this Christmas. However, with the stakes of falling victim to an attack higher than ever, even a minor increase in cyber risk is worth accounting for.

Mitigating extra risk this season starts with perfecting the cybersecurity basics. No organisation should wind down for the year without strong passwords and MFA, updated systems and software, and regular vulnerability scans in place. Additionally, as they rush to close projects before the Christmas break, employees need security training and reminders not to click on any suspicious links. Your organisation also needs to have an incident response plan in place that accounts for the fact that critical individuals may be unavailable when they’re most needed. 

Making proactive security more than just a seasonal effort means taking action against alert fatigue. However, rather than paring down the sensitivity of alerts or outright ignoring them (which is, unfortunately, what many security professionals do), it’s better to rethink your cybersecurity architecture altogether. 

Bloated cybersecurity stacks don’t work; they never have. Dealing with the high level of alerts that cybersecurity professionals are exposed to daily requires more staff, but with the way things are going, solving the cybersecurity staffing issue doesn’t seem likely anytime soon. What organisations require instead is one tool that can do the job of many. Not a holiday trend, this type of thinking needs to become standard going forward.