Experienced security leaders know that attackers are patient.
Attackers can infiltrate corporate chat systems like Slack or Microsoft Teams and just … watch. For months, they monitor conversations, learn who the experienced staff are, and take notes on upcoming vacation plans and each team member’s communication style. Then when the company shifts to a skeleton crew — perhaps during a major holiday or summer break — they strike.
For one organization, this silent reconnaissance had devastating results, says Ed Skoudis, president of the SANS Institute and founder of Counter Hack. An attacker posed as a trusted colleague in a chat channel and tricked a junior employee into making critical configuration changes while many team members were on vacation. The employee, isolated and eager to help, had no reason to doubt someone who was inside the company’s trusted environment. The attacker’s patience, timing, and social engineering created a perfect storm — one that underscores the need for verification, vigilance, and better operational safeguards during periods of reduced staffing.
Whether it is the slow week between Christmas and New Year’s Day in Western countries, the European summer break in August, or other periods during the year when large numbers of employees go on vacation, organizations with a global footprint must maintain cybersecurity continuity during regional slowdowns. Holidays like Lunar New Year in Asia and the Eid feast days in the Middle East often mean fewer workers overseeing critical operations. When part of the workforce scales down, attackers ramp up.
“This is a very hard problem,” says Skoudis, noting that fewer people at the helm leaves organizations vulnerable to attack. Security leaders have the challenge of protecting their environments when half the security team is offline.
Why Cybercriminals Like Holidays
With remote workforces, companies have fewer touchpoints with employees. Add holidays to the mix, and security teams face a slew of potential risks during these times.
“Attackers go on crime sprees during the holidays,” Skoudis says. “They know organizations are downscaling operations. Combine that with staff who may be junior, unfamiliar with procedures, or isolated, and you have an ideal time for attackers to strike.”
Beyond direct threats, these slow periods also exacerbate operational gaps. Patching schedules, configuration monitoring, and incident response times can lag.
It’s not just defense, says Chris Niggel, a regional CSO at Okta. It’s about making sure operations continue to run smoothly when teams are short-staffed.
“The biggest challenge is making sure that your teams can maintain the service-level agreements and are able to react to threats quickly, even when the teams are smaller,” Niggel says.
For example, the critical vulnerability in Log4j was discovered toward the end of December 2021, a time when many organizations were operating with minimal staff. Addressing the flaw required immediate and prompt action, and many businesses struggled to respond quickly enough. Attackers, well aware of the delays in response, seized the window of opportunity to exploit unpatched systems.
“Teams were already thin, but still had to react,” Niggel says. “That’s where having solid communication plans and fallback strategies is essential.”
Niggel also notes that organizations that fared better during Log4j had prepared for such scenarios by implementing automated monitoring tools, preemptive patching plans, and clear escalation paths for when key personnel were unavailable. These measures ensured that vulnerabilities could be prioritized and addressed, even with a reduced workforce.
Preparation Is Key to Bridging the Gaps
By identifying risks, training employees, leveraging technology, and strategically distributing workloads, companies can create a safety net that protects both systems and operations. The key is not waiting until the last minute; preparations must be in place before staff members sign off.
Organizations can mitigate holiday risks with proactive strategies:
-
Create a plan in advance. Identify staffing levels and clearly outline escalation paths. “It’s like Tetris blocks,” Skoudis says. “You need to fill the hours, define decision-makers, and avoid leaving critical choices to the most junior staff.”
-
Always verify. Train employees to verify requests for urgent actions, particularly during downtime. Skoudis recommends simple measures: callback phone numbers, video chats to confirm identity, and using photos in a corporate directory. Never trust a message at face value, he says. “You’re looking to get more measures of verification that this person is who they say they are,” he says.
-
Deploy technology and automation. Automate alerts and verifications to reduce human error. Niggel says Okta’s method of notifying employees about unusual log-ins includes automation that allows security to focus on important signals. “If an employee logs in from a unique location, they’ll get a message in Slack,” he says. “If an employee is logging in from grandma’s house, they can click yes to verify.”
-
Freeze changes for critical systems. Code and configuration freezes during slow periods reduce operational risks. “A freeze requires extra effort to make changes,” Skoudis says. “It prevents attackers and limits the chance of accidental mistakes.”
-
Adopt a “follow-the-sun” model. Multinational organizations can distribute workloads across time zones. Mark Lance, head of DFIR at GuidePoint Security, suggests using teams in regions where holidays are not being observed. “It’s about balance,” he says. “When one region steps back, another steps up.”
Culture, Collaboration, and a Healthy Dose of Paranoia
The human element is also critical to any security plan — even when fewer employees are on the clock. Lance says fostering collaboration and reducing isolation during skeleton crew periods is key to defense.
“Better decisions happen when you’re not alone,” Lance says.
Having escalation paths and ensuring junior employees know where to turn when something feels off can make all the difference. Niggel agrees, emphasizing the importance of properly training staff on how to handle these types of situations.
“Policies exist for a reason,” he says. “Employees need to know they can fall back on established processes and ask for help.”
Vigilance must remain high, no matter the season. Attackers don’t take breaks — and neither should enterprise defenses. While companies can’t always predict when an attack might occur, preparedness, verification, and smart staffing strategies help bridge security gaps when part of the team is off. As holiday seasons and global events come and go, staying one step ahead requires a mix of technology, planning, and teamwork.
“Always be suspicious,” Skoudis says. “If something feels wrong, verify it. You might stop a disaster.”
https://www.darkreading.com/cybersecurity-operations/managing-threats-when-security-on-vacation