Holiday Downtime, Prime Time: How Cyberattack Risk Surges During Ransomware Season

New Report Warns of Rising Cyberattack Risk When Staff Switch Off

“When the cat’s away, the mice will play.” Or for the scholars, in Latin, “Dum felis dormit, mus gaudet et exsilit antro” captures the mood of today’s threat actors. When security teams nap for holidays or corporate shakeups, attackers celebrate, nay, “rejoice”. A new Semperis report shows that ransomware crews time their next cyberattack for moments of maximum distraction.

Ransomware Loves Weekends, Holidays, and Corporate Upheaval

The 2025 Ransomware Holiday Risk Report paints a picture that lacks holiday cheer. More than half of the surveyed organizations hit by ransomware were attacked on a weekend or holiday. The report states that 52% of reported ransomware attacks struck during off-hours. The danger spikes further after major corporate events. Researchers found that 60% of ransomware incidents followed a “material corporate event.”

Most of those attacks came after mergers or acquisitions. In that group, 54% of victims were attacked after an M&A deal closed. Former US National Cyber Director Chris Inglis issues a clear warning. “Persistent and patient attackers will strike again if our vigilance fades,” he says in the report.

Semperis experts explain why these moments invite trouble. During mergers, layoffs, and IPOs, governance often turns messy. Teams juggle new systems, overlapping policies, and rushed timelines. Attackers see confusion and weak controls and move fast.

SOCs Shift In-House but Go Dark After Hours

The study shows a big operational shift in security operations centers.

Ninety-six percent of surveyed organizations now maintain a SOC. A substantial majority, 76%, say they now run that SOC in-house.

However, coverage drops sharply when people head home. Among organizations with a SOC, 78% cut staffing by at least half on weekends and holidays.

Another 6% shut down monitoring entirely outside the regular workweek.

The top reason for reduced staffing is work-life balance. Sixty-two percent of respondents cite this rationale. Younger staff and smaller firms also show a dangerous optimism bias. They often believe they have never faced a cyberattack or will not be targeted.

Semperis Director of Incident Response Jeff Wichman offers blunt advice. “If you want your employees to be out for the holiday, you need to plan and prepare,” he says. “You need to have some type of monitoring… There is no time off.”

AI tools now handle more tier-one alert triage. Crisis lead Courtney Guss notes that automation reshapes SOC economics. Routine tasks are shifted to AI, while human analysts tackle complex threats. For cyber insurers, that blend of automation and human coverage will shape risk assessments.

Identity Becomes Ground Zero for Cyberattack Impact

Semperis has long preached identity-centric defense. This year’s data supports that focus. Ninety percent of respondents report having an identity threat detection and response (ITDR) strategy. Almost all of them scan for vulnerabilities in directory services like Active Directory, Entra ID, and Okta.

Former Australian Prime Minister Malcolm Turnbull explains the stakes. “These are the digital keys that determine who can access what within an organization,” he says. In “nearly every major ransomware incident,” weak or stolen credentials open the door.

Yet the report exposes a painful gap between visibility and action. Only 45% of organizations with vulnerability scans also have clear remediation procedures. Identity recovery planning lags as well.

Disaster recovery plans include recovery for:

  • 66% of Active Directory environments
  • 55% of Entra ID environments
  • 42% of Okta environments

Just 63% of respondents automate identity system recovery. Semperis Strategic Advisor Simon Hodgkinson calls recovery “the most critical thing from an operational resilience perspective.” Without trusted recovery, organizations risk restoring the attacker along with production systems.

For cyber insurers, these gaps matter. Identity controls influence both breach likelihood and loss severity. Weak remediation plans often mean longer outages, higher incident costs, and more contentious claims.

Resilience, Not Just Prevention, Drives Future Risk

The report urges leaders to treat cybersecurity as a strategic capability. Cyber teams must plug into the early stages of M&A and restructuring. Due diligence should include identity system mapping, technical debt, and integration risk. Guss highlights the challenge. “When you do merger and acquisition valuations… consider what you are inheriting or offloading,” she says.

Skipping deep cyber diligence may speed the deal. It also imports hidden vulnerabilities and identity misconfigurations. The report also calls for broader crisis playbooks. Semperis CISO James Doggett stresses the importance of communication and governance during a cyberattack. Leaders must know who can shut systems down, who speaks to regulators, and what restores first.

Mayo Clinic’s Heather Costa frames the larger goal. “Technology resilience is focused on any disruption,” she notes. The mission is to keep core services running during both daily glitches and catastrophic events.

Turnbull adds a governance twist: “Cyber resilience is not the sole responsibility of the IT department; it is a collective obligation across the entire organization.”

For insurers and risk managers, that message feels familiar. Cyberattack resilience now depends on board-level engagement, staffed SOCs, and tested identity recovery plans.

All that Put to Poetry:

When workers head home and the office grows still,
The hackers pop up with a laugh and a thrill.

They sneak through your systems and jiggle each lock,
And whisper, “No watchers! Let’s open this dock!”

They love holiday breaks and a sleepy SOC team
It’s the perfect soft moment to launch a bad scheme.

But strong checks and planning can keep them at bay,
So guard your identities night, noon, and day.

Stay patched and prepared and you’ll spoil their fun
Those sneaky-night hackers will pack up and run!
