As the year winds down and many teams scale back to holiday hours, organisations worldwide are entering a period of elevated risk. Around weekends, public holidays and major business events, cyber-attackers increasingly launch ransomware campaigns, precisely when companies are more vulnerable. This is not a coincidence. Attackers are exploiting predictable human and operational patterns. For organisations seeking resilience, closing the gap between knowing the risks and having the right people to defend against them has never been more urgent.
Holidays and after-hours: attack windows organisations often ignore
Recent data shows that many security alerts and ransomware attempts now occur outside of normal business hours. According to the 2025 Arctic Wolf Security Operations Report, 51% of all security alerts globally were triggered outside standard working hours, and around 15–17% were recorded over the weekend. (arcticwolf.com)
This trend lines up with broader findings that adversaries are timing attacks to coincide with long weekends, holidays and other periods when staffing — especially in security teams — is reduced. (itpro.com) The logic is simple: fewer staff online means slower detection, less scrutiny and, ultimately, a better chance for attackers to breach and hold systems for ransom.
According to new research by Semperis, 52% of organisations across ten countries experienced ransomware attacks during weekends or holidays. The study also found that 60% of attacks occurred around material business events such as mergers, acquisitions, IPOs and layoffs, when governance is disrupted and security focus is diverted. (Australian.cybersecuritymagazine.com.au)
The rise of identity-based ransomware: credentials as the new attack vector
Ransomware attackers are shifting away from noisy, exploit-heavy tactics. Instead, they’re increasingly using “stealth” methods, entering through compromised credentials or abused access rights. The 2024 report from Cisco Talos highlights that identity-based attacks dominated incident response cases last year. (blog.talosintelligence.com)
Among confirmed ransomware incidents, nearly 70% began with valid accounts. (blog.talosintelligence.com) Public-facing applications and cloud services are high on attackers’ target list, and many organisations continue to struggle with identity hygiene, misconfigured access controls or outdated privilege governance. (blogs.cisco.com)
In a world where identities, sessions and access rights, rather than exploitable bugs, are increasingly the doorway for ransomware, having staff who understand and can manage identity systems properly becomes critical.
Why the cyber workforce shortage compounds the problem
Even as threats grow, the global shortage of skilled cybersecurity professionals continues to deepen. Many organisations now struggle not just with headcount, but with the right kind of skills. A growing consensus among security leaders is that these gaps dramatically increase the chances of successful breaches. According to 2025 readiness data from Cisco, many positions remain unfilled even as the complexity of threats rises. (newsroom.cisco.com)
When security teams are understaffed, especially after hours, on holidays or during peak business-cycle periods, the chance of a breach going undetected until it’s too late increases sharply. Coupled with identity-based tactics, which require a nuanced understanding of access control, credential hygiene and incident response, the risks multiply. In other words: limited staffing + insufficient skills = predictable blind spots for attackers to exploit.
Holiday season and year-end business dynamics: a perfect storm
The end of the year brings more than reduced staffing. It often involves business changes, system updates, shifting responsibilities and human distraction. All of these create fertile ground for cybercrime.
Threat actors know this. They exploit the combination of holiday fatigue, reduced vigilance and identity weaknesses. Meanwhile, organisations may deprioritise routine security audits or delay necessary patches, assuming “nothing urgent is happening.”
Moreover, as cloud adoption, remote work and third-party tools proliferate, the identity attack surface grows. Without continuous monitoring and well-trained staff, it’s increasingly easy for attackers to slip in using legitimate credentials, especially during off-hours.
What organisations should do and why upskilling is critical
While identity controls, monitoring tools and automation all play a role in reducing ransomware risk, it’s important to place equal emphasis on strengthening the skills of the people who use these technologies every day. As identity-based attacks rise and tools evolve quickly, continuous upskilling helps teams make the most of the capabilities they already have. Get in touch if we can help.

