Security Experts:

Connect with us

Hi, what are you looking for?


Management & Strategy

Holiday Cybersecurity Staffing Levels a Difficult Balancing Act for Companies

The effect of reduced staffing levels doesn’t just attract more cybercriminals, it makes the outcome of attacks more severe

The effect of reduced staffing levels doesn’t just attract more cybercriminals, it makes the outcome of attacks more severe

It’s difficult to know the extent to which cybercriminals make use of weekends and holidays to launch their attacks; but it is generally accepted that they do. Crime, unlike business, is not a Monday to Friday, 9-to-5 occupation. And business, unlike crime, is understaffed over holiday/weekends. 

Extensive dwell times means an attack may have begun on a holiday, but not become apparent until much later. However, it is much easier to quantify the effect of cyberattacks that were launched and discovered over a weekend – they are generally more severe, harder to redress, and more expensive than weekday attacks.

Both the Colonial Pipeline and JBS attacks, for example, occurred over holiday weekends.

A global study of 1,023 cybersecurity professionals, conducted in September 2022 by Cybereason and titled Ransomware Attackers Don’t Take Holidays, highlights the extent of the attacks and the effect of reduced staffing over holiday/weekends. In the US, weekend and holiday staffing levels are on average less than 50% of normal levels. In Germany, this figure encompasses 91% of organizations. France, UAE, Singapore and South Africa firms are all in the 70% to 80% range.

More dramatically, 21% of the respondents said they cut cybersecurity staffing levels by as much as 90%, while only 7% maintained staffing at 80% or more of normal weekdays.

The effect of reduced staffing levels doesn’t simply attract more cybercriminals, it makes the outcome of the attack more severe. More than one-third of those companies that admitted to a holiday/weekend ransomware attack said they lost more money as a result. This is a 19% increase over a similar study in 2021. Individual sectors fared worse – a 42% increase in the education sector and a 48% increase in the travel and transportation industry. 

When an attack occurred, just over one-third of all respondents said it took longer to assemble the incident response team, took longer to assess the scope of the attack, and took longer to recover from the attack. “Ransomware actors tend to strike on holidays and weekends because they know companies’ human defenses often aren’t as robust at those times,” said Lior Div, Cybereason CEO and co-founder. “It allows them to evade detection, do more damage, and steal more data as security teams scramble to mobilize a response.”

It’s a difficult balancing act for companies. While the skills gap continues to be a problem, employers need to retain the staff they already have. Depriving them of family time over holiday/weekends increases stress levels, increases burn out, and increases the possibility of staff looking for greener pastures. Companies are literally caught between a rock and a hard place.

“Eighty-eight percent of respondents said they had missed out on either a holiday celebration or weekend event due to a ransomware attack,” notes the report. “These numbers were higher in the US, Germany, and in the financial services industry, where nine out of ten respondents (91%, 95%, and 95%, respectively) said the same.”

With the probability of having to reduce staff levels at such times, defenders’ only recourse is to increase security. Apart from adequate detection and response defenses – which are of course already required 24/7 – Cybereason offers a few suggestions. One option is to consider transferring the risk to a managed detection and response (MDR) provider. It then becomes the responsibility of the third party to provide full cover over holiday/weekends.

This would be a type of ‘remote working’, and a more imaginative use of remote working, remote resources and staff working from home on stand-by during holiday/weekends could also be explored.

Another option is to lockdown privileged accounts on holiday/weekends to restrict attackers’ lateral movement and privilege escalation before deploying a payload. “Security teams should create highly secured, emergency-only accounts in the active directory that are only used when other operational accounts are temporarily disabled as a precaution or inaccessible during a ransomware attack,” suggests Cybereason.

Meanwhile, and perhaps worryingly, there seems to be a growing perception of the inevitability of becoming a ransomware victim. Twenty-seven percent of respondents said their organization had set up a crypto wallet presumably for rapid payment of a ransom, while another 27% said the organization is learning how to negotiate with ransomware gangs.

Related: Cyber Defenders Should Prepare for Holiday Ransomware Attacks

Related: CISA, FBI Warn of Increase in Ransomware Attacks on Holidays

Related: South Carolina County Suffers Weekend Cyberattack

Related: USCYBERCOM Warns of Exploitation of Atlassian Bug Ahead of Holiday Weekend

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Twenty-one cybersecurity-related M&A deals were announced in December 2022.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...