Published by Jessica Weisman-Pitts
Posted on November 20, 2024
6 min readLast updated: January 28, 2026
Monday to Friday mentality means security teams are notoriously understaffed outside of
HOBOKEN, NJ – November 20, 2024: Cyber attackers are targeting holidays and weekends to cause maximum disruption, yet many UK businesses remain underprepared outside of standard working hours. With over half of UK organisations leaving security teams understaffed during these critical times, there is a greater risk of attacks that are designed to cause disruption to day-to-day life. This is according to new research conducted by Semperis, a pioneer in identity-driven cyber resilience.
The research found that 72% of UK organisations reported experiencing ransomware incidents during holidays and weekends when security teams aren’t working at full capacity. Similar trends were noted across other major countries, with 70% of US respondents and an astonishing 81% of respondents from France also reporting attacks.
The Ransomware Holiday Risk Report, which surveyed nearly 1,000 security professionals across various industries, highlights how businesses remain at considerable risk, especially when their SOC (Security Operations Centre) is under-resourced outside of business hours. Notably, the finance and manufacturing sectors are identified as highly susceptible, with 78% of global respondents from finance and 75% from manufacturing and utilities confirming ransomware incidents on holidays or weekends.
‘Round the clock’ security teams operate at only 25% capacity
Despite the ongoing risk, over half (52%) of UK businesses admitted their SOC is only partially staffed on bank holidays and weekends. One in 20 don’t staff their SOC at all during those times. And 42% of UK respondents who claimed to maintain a 24/7/365 SOC said it only operates at 25% capacity. With fewer eyes on the network traffic and less attention to suspicious activity, this means hackers can slip in unnoticed – leaving organisations wide open to cyberattacks.
The impact of this is clear in high-profile cyberattacks designed to hurt businesses and their customers as much as possible. In the US, the Colonial Pipeline ransomware attack caused widespread fuel shortages and hit on Mother’s Day, while in the UK, the 2023 attack on payroll provider Zellis unfolded over a weekend affecting tens of thousands of British Airways, Boots and BBC staff. The recent Transport for London hack, which highlighted the growing threat of cyberattacks on public infrastructure, started on a Sunday.
“Cyber threats don’t take a holiday. In fact, attackers are exploiting quieter times when they know they may be more successful – using periods of understaffed security operations to their advantage. Our research report is an urgent wake-up call that you can never take your eye off the ball; the threat to business, critical infrastructure and consumers is constant,” said Dan Lattimer, area vice president, Semperis.
Work-life balance more important than cyber defence
Asked why their organisation scaled back IT and security staffing at weekends and during holidays, a third (34%) of UK respondents said they “did not think full staffing was necessary considering most employees work only during weekdays”. The same number said they “did not think our business would be targeted by hackers” and a third felt it wasn’t necessary because “their business has never been targeted in the past”.
Other top reasons given were “our business is open Monday-Friday only” (31%) and “work/life balance is important” (31%) – highlighting that security gaps could arise from a weak security culture.
The problem doesn’t stop there. Identity is now the core entry point for the vast majority of cyberattacks and when attackers take the identity system – usually Microsoft Active Directory – down, the entire business grinds to a halt. However, the Semperis research also found that a quarter (25%) of UK respondents don’t feel their organisation has the necessary expertise to adequately protect it against identity-related attacks. Over one in five (22%) UK businesses don’t have an identity recovery plan in place.
Simon Hodgkinson, strategic advisor, Semperis comments: “It’s high time businesses realised that cyber threats are present around the clock. The stark reality is that they are much more vulnerable when their SOC isn’t fully staffed. In addition, securing business-critical infrastructure such as core identity systems should be at the top of every organisation’s priority list – not an afterthought. It is worrying to see that so many organisations don’t allocate enough time, budget and resources to protecting their most vulnerable assets.”
“You really need to have someone on call all the time. Security teams could rotate responsibility with some employees taking weekdays off to ensure adequate staffing levels. In addition, organisations must have solid emergency procedures in place, with a tried and tested incident response plan that allows them to contain threats and restore operations quickly should an attack happen – regardless of whether the attacker strikes on a Sunday or a Tuesday,” Hodgkinson added.
The full report, titled Ransomware Holiday Risk Report, which includes breakdowns of responses by vertical market and by country, is available at https://www.semperis.com/ransomware-holiday-risk-report
About Semperis
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures the integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing hybrid identity environments—including Active Directory, Entra ID, and Okta—Semperis’ patented technology protects over 100 million identities from cyberattacks, data breaches and operational errors.
The world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in Hoboken, New Jersey, and operates internationally, with its research and development team distributed throughout the United States, Canada and Israel.
Semperis hosts the award-winning Hybrid Identity Protection conference and podcast series (www.hipconf.com) and built the community hybrid Active Directory cyber defender tools, Purple Knight (www.semperis.com/purple-knight/) and Forest Druid (www.semperis.com/forest-druid/). The company has received the highest level of industry accolades, recently named to Inc. Magazine’s list of best workplaces for 2024 and ranked the fastest-growing cybersecurity company in America by the Financial Times. Semperis is a Microsoft Enterprise Cloud Alliance and Co-Sell partner and is a member of the Microsoft Intelligent Security Association (MISA).
Learn more: https://www.semperis.com/ransomware-risk-report/
Ransomware is a type of malicious software that encrypts a victim's files, making them inaccessible until a ransom is paid to the attacker.
A Security Operations Centre (SOC) is a centralized unit that deals with security issues on an organizational and technical level, monitoring and analyzing security incidents.
Cyber resilience refers to an organization's ability to prepare for, respond to, and recover from cyber attacks while maintaining essential functions.
Identity theft occurs when someone unlawfully obtains and uses another person's personal information, typically for financial gain.
A cyber attack is a malicious attempt to damage, disrupt, or gain unauthorized access to computer systems, networks, or devices.
Explore more articles in the Technology category
