Industrial operations relying on always-on, highly automated systems face a growing cyber risk during holidays, weekends, and major corporate events, according to new research from identity security specialist Semperis. The company’s 2025 Holiday Ransomware Risk Report finds that most ransomware campaigns are still timed to hit when security teams are thinnest on the ground.
The global study, which surveyed organisations in the U.S., UK, France, Germany, Italy, Spain, Singapore, Canada, Australia, and New Zealand, reports that 52% of respondents were targeted on holidays or weekends. At the same time, 78% of companies cut security operations centre (SOC) staffing by 50% or more during these periods, and 6% shut down SOC coverage entirely. For 24/7 industrial operations, that is an obvious weak point.
“Threat actors continue to take advantage of reduced cybersecurity staffing on holidays and weekends to launch ransomware attacks. Vigilance during these times is more critical than ever because the persistence and patience attackers have can lead to long-lasting business disruptions,” said Chris Inglis, the first U.S. National Cyber Director and Semperis Strategic Advisor. “In addition, corporate material events such as mergers and acquisitions often create distractions and ambiguity in governance and accountability — exactly the environment ransomware groups thrive on.”
Semperis highlights that 60% of observed ransomware attacks occurred after a material corporate event, such as an IPO, merger or acquisition, or round of layoffs. Of those attacked following such an event, 54% were hit after a merger or acquisition. For industrial groups consolidating production networks, integrating legacy plant systems, or spinning up new shared service environments, those figures underline how attractive periods of organisational flux have become to attackers.
Although the report is centred on identity systems and access infrastructure, the implications are squarely operational. Modern ransomware campaigns routinely move from compromised identity stores into operational technology (OT) networks and industrial control systems. Once there, the impact is measured not in data loss, but in halted production, missed shipment windows, and safety-critical shutdowns — exactly the outcomes most industrial businesses can least afford during peak season or maintenance outages.
The study also points to a mismatch between detection and recovery planning. Identity threat detection and response (ITDR) is gaining traction, with 90% of respondents reporting plans that detect identity system vulnerabilities. However, only 45% of those plans include remediation procedures, and only 63% automate identity system recovery. In an industrial setting, that gap translates directly into longer plant downtime and slower restart of production lines after an attack.
Reasons for reduced SOC staffing are depressingly familiar: 62% of organisations cited the need to preserve employee work/life balance, 47% said their business is closed on holidays and weekends, and 29% simply did not expect to be attacked at those times. For industrial operators whose equipment runs regardless of office hours — from process plants and automotive lines to logistics hubs and utilities — the assumption that the “business is closed” looks increasingly out of step with attackers’ behaviour.
For manufacturers and asset-intensive operators, the takeaway is blunt rather than novel: identity security and incident response cannot operate on a nine-to-five, Monday-to-Friday footing when the assets being protected do not. As industrial groups push deeper into IT/OT convergence and centralised identity architectures, the holiday and transaction calendar is becoming just as important to ransomware groups as the production schedule itself.




