UK small and medium-sized enterprises preparing to close for the Christmas period risk leaving digital vulnerabilities exposed, according to new research commissioned by cybersecurity provider Kaspersky.
A survey of 500 UK SME owners found that a quarter will have no one monitoring IT systems while the business is closed over Christmas. Nearly one in three respondents said their organisation would shut for three to five days, while others plan closures of a week or more. In total, more than 80 per cent of SMEs will pause operations for at least a day during the festive period, with only 19 per cent remaining fully operational.
The findings expose a recurring security gap as business leaders wind down for the year. While half of SMEs reported access to in-house or external IT support, a quarter said they rely on non-specialist staff for cybersecurity, and around one in eight take no protective actions before closing. Many companies focus on routine steps such as backing up data and installing standard updates, but few test incident response plans or alert staff to elevated seasonal phishing risks.
Evidence suggests these lapses coincide with heightened attack activity. Late last month, Semperis’s 2025 Holiday Ransomware Risk Report found that over half of ransomware incidents reported globally occurred on holidays or weekends, when security staffing is reduced, and that many organisations cut security operations centre coverage by 50 per cent or more during these periods.
That pattern — of threat actors timing attacks to exploit reduced vigilance — is mirrored in SME experiences. Despite 82 per cent of businesses expressing confidence in their holiday-period cybersecurity, 35 per cent reported having suffered a confirmed or suspected cyber incident in a previous festive season.
Kaspersky’s research also highlights a potential over-confidence gap among business owners. Almost a quarter said they are not worried about specific cyber threats over Christmas, even though phishing and ransomware were among the most concerning risks for those who were concerned. Looking ahead to 2026, while many SMEs acknowledge the need to strengthen defences, only 19 per cent say they will definitely invest in cybersecurity next year.
“December can be one of the most stressful times of the year,” said Anna Papla, UK territory channel manager at Kaspersky. “A toxic selection box of holiday pressures, year-end work deadlines, financial demands, and social obligations means IT security can slip off the ‘to do’ list for some. Cybercriminals will take full advantage of vulnerabilities as many businesses shut down operations. But extended closures don’t have to mean extended exposure. With the right alerting and backup practices, SMEs can enjoy a very Merry Christmas.”
