Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
This is the first article in an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.
In a world where every day brings new data, cyber and artificial intelligence updates, it can sometimes be helpful to take a step back and explore a wrinkle or other recent development. This "thought for the week" is a reflection on such a development and its implications for organizations.
It would not surprise any professional in our space that the holidays are prime time for cyberattacks. I recommend you check out the recent Semperis 2025 Ransomware Holiday Risk Report, which surveyed 1,500 IT and security professionals across multiple jurisdictions and industries. The report found that 52% of respondents who had experienced ransomware attacks said they occurred during a weekend or holiday. It also found that 78% of respondents had cut security operations center staff by 50% or more during holidays and weekends, primarily to provide a work-life balance for employees.
Threat actors are aware of this trend of lighter staffing during the holidays and often launch attacks during holidays to capitalize on the disruption. As noted by the Semperis Director of Incident Response Jeff Wichman, "If you want your employees to be out for the holiday, you need to plan and prepare. You need to have some type of monitoring, even if it’s third-party monitoring with extra diligence over that period. There is no time off."
So, how should companies respond to the potential for increased threats during the holidays?
Data and cyber professionals should be thinking about how they can provide their organization with some holiday gifts that can help address the increased risks during this most wonderful time of the year for threat actors. The specifics will vary depending on the size and complexity of the organization, as well as its industry and other factors. Several cyber preparation "gift-giving ideas" include the following.
Refresh your organization's 'out-of-band' communications channels
All members of the executive leadership team, as well as the core members of the incident response team, including IT/security, legal and other units, should be ready to switch to a suitable "out-of-band" communications channel, such as Signal, Proton Mail, etc., at any time if needed during a cyber incident.
Depending on the nature of the attack and the situation, use of such a communication channel could be essential, such as when ransomware has disabled company email and communications channels, or simply prudent, e.g., where law enforcement notifies the company that a nation state or other threat actor is in the environment and the company wishes to avoid tipping off that threat actor. However, out-of-band communication channels should not be used as a default for all incidents, given there can be challenges with company record retention procedures and privilege concerns, as well as practical limitations on ease of use. Still, if it's essential or prudent for the organization to use such a channel, it will save valuable time and avoid confusion if it is ready to go when needed.
Remind leadership of the incident response plan and key lessons learned from prior tabletop exercises or incidents
It would be helpful to remind senior leadership about the organization's incident response plan, and perhaps a few key lessons learned from prior tabletop exercises or incidents. This can give them just a little extra context if indeed a notification pings them while they are enjoying their eggnog with family and friends.
Consider enhancements to threat detection and response solutions
It's a good time to pose a question to the IT and security team as to whether there is anything that could or should be done to enhance data loss prevention, endpoint detection and response, or other threat detection and response solutions during the holiday time.
Particularly if all or part of the company closes during this period, ask if the solutions could be dialed up for not only enhanced monitoring but perhaps, at least in some ways, enhanced automated blocking of potentially malicious traffic. This approach may be appropriate since most employees will not be working and the typical downsides of blocking on false positives might not be as significant.
Assure proper staffing for security monitoring and incident response
Reconfirm appropriate internal staffing levels for IT and security. Also, if the organization leverages a managed security service provider, confirm they will adequately staff and support the threat detection and response activities during the holiday period. On the privacy and cyber legal and compliance side, assure that a core team is available to respond during this time, even if some of the team members will truly be "off" during the holiday period. Also, it would be helpful to confirm whether one or more board members designated as cybersecurity leads will be available if any issue arises.
Confirm external counsel, forensics and other key providers
It is helpful to confirm the availability of external counsel, forensics and other potential key providers, such as a ransomware negotiator. The external counsel and forensics are arguably the most significant, as these will be the first calls, and others will follow as needed depending on the situation.
What other "cyber gift-giving ideas" would you have for your organization during this holiday time? 'Tis the season.
Brian Hengesbaugh, CIPP/US, is the global chair of data and cyber at Baker McKenzie.


