Holiday cyberattacks are coming. Here’s how to prepare
It is, as the song goes, the most wonderful time of the year. But, as an IT pro, you know it’s also a sustained period of elevated security risk.
For the next several weeks, your users will be connecting from airport lounges, hotel business centers, and their in-laws’ guest bedrooms while your IT coverage runs thinner than usual. Attackers understand this pattern well, and they’ve been exploiting it for years.
Although the holidays are upon us, there’s still time to shore up your defenses for the weeks ahead. A few hours of focused preparation can make the difference between a quiet end-of-year period and one spent scrambling to contain a breach.
Holidays are prime time for attackers
Malicious actors have been targeting holidays for years. Colonial Pipeline got hit on Mother’s Day weekend 2021. JBS took a ransomware hit over Memorial Day weekend the same year, and Kaseya’s supply chain attack landed over the July 4th weekend. More recently, Blue Yonder suffered a ransomware attack right before Thanksgiving 2024, disrupting operations at Starbucks and several major grocery chains.
According to the Semperis 2024 Ransomware Holiday Risk Report, nearly nine in ten organizations hit by ransomware that year were targeted when IT security staffing was at its lowest—nights, weekends, and holidays. The 2025 edition of the report found that 64% of attacks occurred specifically during holidays or weekends, when incident response capacity tends to be weakest.
The staffing gap attackers exploit
Even organizations that maintain 24/7 security operations centers scale back during holidays. Semperis’s 2025 report notes that 68% of organizations reduce SOC staffing by half or more on weekends and holidays, and 43% eliminate SOC coverage entirely during these periods. When asked why, 67% of respondents said they don’t expect an attack. That assumption is exactly what attackers are counting on.
If you’re running a one-person shop or leading a small team, you don’t have an SOC to begin with—and you’re probably also trying to take some time off yourself (wouldn’t that be nice?). The staffing gap that enterprises create by choice is something you already live with year-round.
Cybereason research found that holiday and weekend attacks took longer to assess and respond to at 60% of organizations surveyed, and more than a third believed the attacks succeeded specifically because they had no contingency plan and limited staff available. These findings are concerning, but they also point to an opportunity. With some advance planning, you can address the gaps that attackers are exploiting.
Keeping traveling users secure
Your traveling colleagues will inevitably connect from networks you don’t control—airport Wi-Fi, hotel business centers, that coffee shop near their parents’ house—on devices that may or may not be properly secured. If you already have VPN and MFA in place for remote access, now is a good time to verify those controls are actually being enforced consistently and that no exceptions have crept in. Conditional access policies that require additional verification for logins from unfamiliar locations or devices can add another layer of protection without creating friction for normal use.
Laptops get left in rental cars, and phones fall out of pockets at TSA checkpoints. Make sure you can remotely wipe devices if needed, and confirm that your team knows how to quickly report a lost device—even if that means texting you late on Christmas Eve.
Talk to your C-suite travelers about social engineering attacks, which spike during the holiday season. Since so many people use their personal devices for work email, just one employee clicking on a malicious link while doing online holiday shopping could give cybercriminals access to the company network.
AI-generated phishing has made these attacks harder to spot. Long gone are the days of the Nigerian prince scam. These days, the grammar is cleaner, the personalization is sharper, and the pretexts are more convincing than they were even a year ago. A quick reminder about verifying unusual requests through a separate channel, especially financial ones, could prevent a costly mistake while an executive is distracted and traveling.
Planning coverage before incidents happen
Full coverage during the holidays probably isn’t realistic for most small IT teams, so the goal becomes ensuring that whatever coverage you do have focuses on what matters most.
If you have a team, set up skeleton crew rotations with explicit handoffs and clear documentation of who has authority to make decisions in various scenarios. The person on call shouldn’t have to spend precious time tracking down approvals that won’t come because everyone else is unreachable.
If you’re solo, simplify your monitoring focus. Identify which alerts actually require immediate action versus the ones that can reasonably wait until you’re back at full capacity. A simple decision tree—if X happens, do Y; if Z happens, it can wait—helps you triage without having to think through every scenario in the moment.
This might also be a good time to evaluate whether engaging a managed service provider (MSP) for temporary monitoring support makes sense for your situation. Even limited third-party coverage can buy you peace of mind while you’re trying to enjoy dinner with your family.
Responding to incidents when key people are unreachable
Holiday travel has a way of scattering exactly the people you’d need to reach in an emergency. Your CFO might be on a cruise with spotty cell service while your sysadmin is in a remote cabin without Wi-Fi, and the person who actually understands the legacy billing system is visiting relatives overseas. Building redundancy into your incident response before everyone disperses can prevent a manageable problem from becoming a crisis.
For every critical system or decision point, identify at least two people who can handle it. If only one person currently knows the credentials for a critical system, fix that gap before the holiday break starts.
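One way to check the two-person rule against the actual holiday calendar, as an added example that is not part of the original article. The systems, names, and dates are constructed sample data, and `coverage_gaps` is a hypothetical helper.

```python
from datetime import date, timedelta

# Constructed sample data: who can operate each critical system, and the
# inclusive date ranges when each person is unreachable. All names are made up.
OPERATORS = {
    "backups": {"ana", "raj"},
    "identity-provider": {"ana", "raj", "lee"},
    "legacy-billing": {"lee"},  # single point of failure
}
AWAY = {
    "ana": [(date(2025, 12, 24), date(2025, 12, 26))],
    "raj": [(date(2025, 12, 25), date(2026, 1, 1))],
    "lee": [(date(2025, 12, 31), date(2026, 1, 1))],
}

def reachable(person, day, away):
    """True if `day` falls outside every away range recorded for `person`."""
    return not any(start <= day <= end for start, end in away.get(person, []))

def coverage_gaps(start, end, operators=OPERATORS, away=AWAY, minimum=2):
    """Return {system: [days]} on which fewer than `minimum` operators are reachable."""
    gaps = {}
    day = start
    while day <= end:
        for system, people in operators.items():
            available = [p for p in people if reachable(p, day, away)]
            if len(available) < minimum:
                gaps.setdefault(system, []).append(day)
        day += timedelta(days=1)
    return gaps

if __name__ == "__main__":
    for system, days in coverage_gaps(date(2025, 12, 23), date(2026, 1, 2)).items():
        print(f"{system}: {len(days)} day(s) below two reachable operators, "
              f"first on {days[0]}")
```

A system that appears on every day of the range, like `legacy-billing` here, needs a second trained person; one that appears only on some days needs a schedule change or a documented fallback for those dates.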
Your emergency runbook doesn’t have to cover every possible threat. If you’re pressed for time, focus on the five or six scenarios most likely to cause real damage. What do you do if ransomware is detected? What if a critical cloud service goes down? What if someone reports a compromised executive account? Documenting these responses means whoever’s on call can take decisive action without first having to track you down.
Before you leave for the break, verify that your backups are current and that you can actually restore from them. This shouldn’t take too much time, and it could save you days of disaster recovery time if something goes wrong while you’re away.
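A pre-break check along these lines, as an added example that is not from the original article: it confirms the newest archive is recent, restores it into a scratch directory, and compares each restored file against a checksum manifest. It assumes tar archives and a manifest of SHA-256 hashes recorded at backup time; the file names and the `verify_backup` helper are hypothetical.

```python
import hashlib, tarfile, tempfile, time
from pathlib import Path

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_backup(archive, manifest, max_age_hours=24, now=None):
    """Return a list of problems; empty means fresh and restorable.
    manifest: relative path -> SHA-256 recorded when the backup was taken."""
    problems = []
    age_h = ((now or time.time()) - Path(archive).stat().st_mtime) / 3600
    if age_h > max_age_hours:
        problems.append(f"stale: {age_h:.0f}h old (limit {max_age_hours}h)")
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:  # restore into a scratch dir, never over live data
            with tarfile.open(archive) as tar:
                for m in tar.getmembers():
                    dest = (root / m.name).resolve()
                    if not m.isfile() or root not in dest.parents:
                        continue  # skip dirs, links, paths escaping scratch
                    dest.parent.mkdir(parents=True, exist_ok=True)
                    dest.write_bytes(tar.extractfile(m).read())
        except (tarfile.TarError, OSError, EOFError) as exc:
            return problems + [f"unreadable archive: {exc}"]
        for rel, expected in manifest.items():
            restored = root / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256(restored) != expected:
                problems.append(f"checksum mismatch: {rel}")
    return problems

def demo():
    """Build a constructed backup in a temp dir and run both outcomes."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d, "data")
        src.mkdir()
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "users.db").write_bytes(b"\x00constructed sample\x00")
        manifest = {f"data/{p.name}": sha256(p) for p in src.iterdir()}
        archive = Path(d, "nightly.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname="data")
        good = verify_backup(archive, manifest)
        manifest["data/users.db"] = "0" * 64      # simulated mismatch
        manifest["data/payroll.xlsx"] = "0" * 64  # file missing from backup
        three_days_on = time.time() + 72 * 3600   # pretend nobody checked
        return good, verify_backup(archive, manifest, now=three_days_on)
```

An empty result is the only passing outcome; a backup job that reports success but produces a stale, unreadable, or incomplete archive shows up here as one or more entries.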
Set communication expectations with your team and key stakeholders before the holidays begin. Let them know how quickly they should expect responses during this period, and establish an escalation path for genuine emergencies. Managing expectations upfront often proves just as valuable as the technical preparations.
The calendar is your friend
Holiday attacks succeed largely because defenders are predictable. Attackers know when IT teams are short-staffed, distracted, and hoping nothing breaks. That predictability cuts both ways, though. You know when these periods of vulnerability are coming, which means you can prepare for them. A few hours invested now in access controls, coverage planning, and incident response documentation will put you in a much stronger position to enjoy your holidays without constantly checking your phone.