Holiday cybersecurity: when attackers strike

December 15 2025

Every year Australian businesses enjoy a well-earned break over the December/January holiday period. For most organisations, this means fewer staff working over the holiday period, and more opportunity for cyber attackers to gain a foothold.

According to published evidence 1, more than half of ransomware attacks occur on weekends and holidays. These attacks are designed to exploit the reduced monitoring and delayed responses of the companies they target to ensure maximum impact.

The SWIFT banking network attack on Bangladesh Bank in February 2016 is a prime example. Attackers executed transfer requests totalling $951 million on a Thursday evening in Bangladesh time, knowing that:

  • Friday is the weekend in Bangladesh
  • Saturday & Sunday are the weekend in New York
  • the Lunar New Year holiday in the Philippines (where the money was being routed) was on the Monday.

At KSIB, we help organisations manage risk and cut through complexity. As we approach the holiday period, we want to share how leaders can proactively manage cybersecurity risk during the holiday shutdown.

Attackers target holidays

The Semperis 2025 Ransomware Holiday Risk Report 2 surveyed 1,500 professionals across ten countries and found that over 50% of organisations that experienced ransomware attacks were targeted on weekends and holidays.

The reason is straightforward: eight out of ten organisations reduce their Security Operations Centre staffing by 50% or more during holiday periods. Sophisticated attackers know this, and time their attempts to maximise their dwell time: how long they can go undetected.

Organisations with severe security staffing shortages face $1.76 million higher breach costs than those adequately staffed.


IBM's Cost of a Data Breach Report 2024 3 highlights that the global average breach costs $4.88 million. Breaches take an average of 194 days to identify and 64 days to contain. That’s six months of undetected access, with holiday attacks potentially extending this further. Reduced staffing typically delays the assembly of incident response teams, assessment of impact, and initiation of containment.

On the flip side, organisations that can detect breaches internally, through their own security capabilities, rather than learning about them from attackers or third parties, shorten the breach lifecycle by 2 months and save nearly $1 million in costs.

High-profile attacks confirm the pattern

Damaging cyber incidents of recent years have followed this pattern. The Kaseya supply chain attack launched in July 2021 was timed for the US Independence Day long weekend and affected about 1,500 downstream organisations globally. The WannaCry ransomware attack hit the UK's National Health Service on a Friday afternoon and spread across hospital systems over the weekend. St Vincent's Health Australia, the nation's largest non-profit healthcare provider, was hit on December 19, 2023. The Port of Lisbon was compromised on Christmas Day 2023.

These incidents represent systematic exploitation of known vulnerabilities, timed to coincide with reduced response capacity during holiday periods.

Australian businesses face unique exposure

Australian organisations face additional risk during December and January, when extended Christmas shutdowns of 2 to 4 weeks are common during the summer holiday period. This creates prolonged windows during which monitoring or response may be reduced, allowing attackers to exploit them.

The Australian Cyber Security Centre's 2024-25 Annual Cyber Threat Report 4 documented one attack every six minutes, with an average cost of $56K for small businesses and $202K for large companies.

During December 2024 and January 2025, the Clop ransomware gang listed more than 60 new victims as part of its Cleo data theft attacks, including Australian companies.

For Australian retailers, the stakes are particularly high. Holiday sales represent 20-30% of annual revenue for most retail businesses. A ransomware attack on Christmas Eve could derail a significant portion of the year's earnings. For healthcare providers, the consequences extend beyond financial impact.

Five questions boards and executives can ask

The good news is that holiday cyber risk is manageable. Organisations that have robust automated detection capabilities and adequately skilled staffing coverage, and that verify out-of-band backups and recovery systems, can significantly reduce the likelihood and impact of an attack.

Before the holiday period shutdown begins, leadership teams should be able to answer these questions:

  1. Who will be monitoring for cyber risk during the holiday period?
    Identify specific individuals responsible for security monitoring and ensure genuine and focused 24/7 monitoring and response capabilities. Ask “how would we know if we had a cyber attack or data breach?”.

  2. Can we reach critical personnel in an emergency?
    Verify key staff's contact details, conduct simulation exercises, and establish out-of-band communication channels that don't depend on corporate systems that may be compromised.

  3. Have backups been tested?
    Confirm that backup systems are functioning, that restoration procedures have been validated, and that backups are stored offline or in immutable storage that cannot be encrypted by ransomware.

  4. Are critical vendors contactable over the holiday period?
    Review your supply chain and confirm emergency contact procedures for managed service providers, cloud vendors, and other critical third parties, such as forensic investigators or law firms, that you may need to involve in an actual incident.

  5. Are staff briefed on what to do?
    Ensure employees know how to report suspicious activity, who to contact in an emergency, and which actions require further authorisation or discussion before they are taken. Cybersecurity incident playbooks can be especially helpful.

Be prepared

The best-practice approach to cybersecurity is to assume your company has already been breached. Your task is to understand how quickly you would discover it, what detection and alerting capabilities are in place, what containment controls exist to reduce the impact, and what recovery steps are available. For many, cybersecurity will be a “when”, not “if”, proposition, but with the right preparations, it doesn’t have to be disastrous.

The Australian Cyber Security Centre provides 24/7 support through the Australian Cyber Security Hotline (1300 CYBER1) and extensive guidance at cyber.gov.au. The Essential Eight framework 5 offers a baseline of protective controls that provides a solid foundation for companies maturing their cybersecurity controls.

If you've been personally affected by a cyberattack or scam, IDCARE (idcare.org) provides free support to help individuals navigate identity theft and data breaches.

Holiday preparedness is one element of a broader framework, recognising that cybersecurity is a business risk issue, not merely a technology problem. At KSIB, we provide strategic guidance and practical advice to help Australian organisations manage cyber risk and build strong cyber resilience.

References:

  1. ‘Cost of a Data Breach 2025 | IBM’. Accessed 13 December 2025. https://www.ibm.com/reports/data-breach. 

  2. Semperis. ‘2025 Ransomware Holiday Risk Report | Semperis Expert Guides’. Accessed 13 December 2025. https://www.semperis.com/ransomware-holiday-risk-report/

  3. ‘Cost of a Data Breach 2024: Financial Industry | IBM’. 13 August 2024. https://www.ibm.com/think/insights/cost-of-a-data-breach-2024-financial-industry

  4. Australian Cyber Security Centre. 'Annual Cyber Threat Report 2024-25'. 2025. Annual Cyber Threat Report 2024-2025 | Cyber.gov.au

  5. Australian Cyber Security Centre. 'Essential Eight Maturity Model'. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight 

To learn more about holiday cybersecurity preparedness or KSIB’s cyber risk advisory services, contact KSIB or email Steven directly below.

Steven Brown, Managing Director

Steve brings over 30 years of experience in technology and cybersecurity, including senior leadership roles as CISO, CTO, and Chief Architect at a major financial institution. He is a published author on vulnerability management and is focused on helping organisations navigate AI adoption safely and strengthen their cyber resilience.