When managers are away, risks like poor passwords, unlocked screens and slow reporting can quietly escalate. This article explains why it happens and how you can make sure your IT Security doesn’t slide.
Estimated read time: 8 minutes

Why Password Hygiene Matters
Just over four in ten UK businesses (43 per cent) have reported experiencing a cyber security breach or attack during the previous 12 months. That figure rose to 67 per cent in medium-sized firms and 74 per cent in large ones. Many more incidents, particularly in SMEs and micro-businesses, will have gone unreported. Phishing has remained the dominant method of attack, affecting 85 per cent of organisations that identified breaches.
Seasonal reductions in staff numbers, remote working and less oversight can allow small mistakes, such as reusing passwords, to have much bigger consequences. According to the Royal Institution of Chartered Surveyors, 27 per cent of UK businesses were hit by a cyber-attack in the past year. This is up from 16 per cent the year before. These figures highlight the growing risk, particularly during periods with less supervision.
Use Modern Password Standards and Move Beyond Forced Expiry
UK cyber guidance now discourages regular forced password changes unless there has been a suspected breach. This is because, when users are prompted to change credentials frequently, they often create weaker, predictable passwords, for example by simply adding a number or punctuation mark.
Instead, the National Cyber Security Centre (NCSC) recommends the use of longer passphrases made up of three random words, separated by full stops. These are both stronger and easier to remember than traditional passwords. The NCSC also advises organisations to adopt password managers and, where possible, passkeys. These tools can generate and store unique credentials securely, reducing the risk of password reuse or staff writing details down.
MFA
Multi-factor authentication (MFA) remains one of the most effective ways to protect business-critical systems. Yet despite its benefits, research suggests that many UK businesses have not yet rolled out MFA across all user accounts. Adoption levels vary widely by size and sector. Email accounts are especially vulnerable, as they can often be used to reset access to other platforms. Ensuring these are protected with MFA is considered a baseline measure by most UK security professionals.
Lock Screens and Devices Immediately When Unattended
An unattended device with an open screen is one of the easiest targets for opportunistic attacks or accidental misuse. Whether it is a visitor in the office, a contractor passing by or a well-meaning colleague, leaving access open can result in emails being forwarded, data copied or malware being introduced via USB.
Good practice guidance from UK security bodies recommends setting devices to lock automatically after a short period of inactivity—typically just a few minutes—to reduce the risk of unauthorised access. Staff should also be trained to manually lock their devices every time they step away from their desks. This is especially important during holiday periods when office routines may be more relaxed and the mix of people in the workplace can change.
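The automatic-lock setting described above is, on Windows, the "Interactive logon: Machine inactivity limit" policy, which is stored in the registry as `InactivityTimeoutSecs`. The script below is an added example, not part of the original article or any NCSC or ICO guidance: it audits that value against a target of five minutes and, only when run with `-Enforce` from an elevated PowerShell session, sets it. The 300-second default and the `-Enforce` switch are this example's own choices.

```powershell
# Added example: audit (and optionally set) the Windows machine inactivity limit so an
# idle session locks after a few minutes. Assumes Windows 10/11 and an elevated prompt.
param(
    [int]$TimeoutSeconds = 300,   # 5 minutes: the "few minutes" the guidance suggests
    [switch]$Enforce              # without this switch the script only reports
)

# Registry location backing "Interactive logon: Machine inactivity limit".
$policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName  = 'InactivityTimeoutSecs'   # 0 or absent means "never lock automatically"

$current = (Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($null -eq $current -or $current -eq 0) {
    Write-Warning "No inactivity limit is set: idle screens will not lock automatically."
} elseif ($current -gt $TimeoutSeconds) {
    Write-Warning "Inactivity limit is $current seconds, longer than the target of $TimeoutSeconds."
} else {
    Write-Output "OK: inactivity limit is $current seconds."
}

if ($Enforce) {
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    Set-ItemProperty -Path $policyPath -Name $valueName -Value $TimeoutSeconds -Type DWord
    Write-Output "Set $valueName to $TimeoutSeconds seconds; applies at the next sign-in."
}
```

Run it without switches on a sample of office machines to see which ones would leave an unattended desktop open; in a domain, the same value is normally pushed centrally through Group Policy rather than set per machine, and the audit half of the script is a quick way to confirm that policy has actually landed.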
Recent incidents show that even organisations with secure buildings can fall victim to social engineering or internal threats if unattended devices are left exposed. Automatic screen locking, combined with a strong culture of responsibility, helps reduce the risk significantly.
Ensure Quick Incident Reporting When Supervision Is Reduced
When teams are leaner, delays in reporting suspicious activity can allow small issues to spiral. For example, even a single phishing email that goes unreported could result in credential theft, malware infection or wider compromise of the organisation’s systems.
The Information Commissioner’s Office (ICO) reminds organisations of their legal obligation to report serious personal data breaches within 72 hours. However, underreporting remains an issue. Surveys have found that some employees hesitate to report security issues, often due to fear of blame, or a belief they should resolve problems themselves. This attitude can delay critical incident response. The impact on business reputation could be disastrous.
Clear Policies
Clear policies and non-judgemental internal reporting procedures are the cornerstones of creating the right attitude and culture. For example, businesses should reinforce the message that early reporting is vital, regardless of the perceived severity of the issue. Every employee should be trained to be part of the security perimeter. When fewer people are available to spot problems, everyone counts!
Vigilance Essential
Major cyber attacks on well-known UK retailers in early 2025 highlighted how attackers will exploit gaps in supervision. In some high-profile attacks, criminals have successfully used social-engineering techniques—such as impersonating staff—to trick helpdesks into granting system access. Once in, attackers can infiltrate ordering and stock systems, causing disruption to online deliveries, store stock management and customer services across the UK.
The NCSC has since updated its guidance to stress the importance of identity verification, particularly during periods when usual contacts may be away. Organisations should ensure that all staff know who to contact in case of a suspected breach and that backup procedures are in place when key individuals are on leave.
Threat-intelligence reports have highlighted that attackers often time phishing campaigns to coincide with holidays or staff absences, sometimes posing as executives or referencing internal systems to appear more convincing.
So how can you make sure your IT security doesn’t slide?
It’s worth noting here that security does not begin and end with IT departments or IT support providers. In reality, everyone in the organisation has a role to play, particularly when fewer colleagues are present to notice if something goes wrong.
As Richard Horne, CEO of the NCSC, recently warned, “businesses ignore advice at their peril”. Even basic security measures can reduce the risk of a cyber attack, but the latest government figures show that fewer than one in ten UK organisations are currently certified under Cyber Essentials, the UK’s official baseline standard.
The ICO and NCSC both emphasise that technical tools must be matched by behaviour and awareness. That includes locking screens, using secure credentials, escalating concerns early and understanding that cyber security is not someone else’s job.
Opportunities for positive change
A key takeaway here is that there’s no seasonal exemption from cyber threats. In fact, if anything, holiday periods heighten the risk, as gaps in supervision and more flexible routines make it easier for poor habits to slip through unnoticed. For UK businesses, this is not just a matter of good practice but of operational resilience. Attacks timed during holiday cover or lean staffing can have a disproportionate impact, especially when response times are slower and reporting structures unclear.
The broader lesson is that culture really matters. Password policies, screen-locking procedures and incident response plans are only effective when staff at all levels understand them and use them without hesitation. For security teams and senior leaders, this means investing in clarity and communication as much as in software, hardware and employee training.
UK regulators are already making expectations clear. With the ICO strengthening its stance on breach reporting and the NCSC repeatedly highlighting the need for accountability beyond the IT department, there is growing pressure on organisations to prove that cyber responsibility is being taken seriously throughout the business. That includes facilities managers, HR teams and indeed anyone with access to systems or data.
What Does This Mean For Your Business?
Why not seize the opportunity to treat holiday periods not as downtime, but as a potential test of your internal defences? If you don’t test your protocols, insurers, regulators and supply chain partners may view any future lapses as less of an accident and more like a failure to plan. For customers and clients, the reputational damage from a breach occurring as a result of a protocol lapse can be immediate and lasting.
Avoiding the most common types of breach does not require complex changes. Reinforcing a few non-negotiables (strong, unique passwords; locked screens; employee vigilance; prompt reporting of suspicious emails, SMS messages, phone calls or unusual activity) will go a long way towards reducing risk. Developing a shared understanding that good security is not a favour to the IT team but a safeguard for the whole organisation will make sure your IT security doesn’t slide when the boss isn’t watching.
Our recommended cybersecurity awareness training package, KnowBe4, is designed to foster a company-wide culture of responsibility and accountability. More information can be found here.
If you’re interested in getting professional advice on any of the topics mentioned above, please give us a call on 01535 358161 or use our contact form.
For guidance on cyber security in general, visit the National Cyber Security Centre.
Content edited with assistance from ChatGPT.