New data reveals that while UK small businesses wind down for the festive period, many leave their digital doors open, creating a prime opportunity for criminals.
UK small and medium-sized enterprises (SMEs) that are preparing to switch off for Christmas will leave themselves vulnerable to attack, according to new research commissioned by global cybersecurity company Kaspersky.
The survey of 500 SME owners across the UK reveals that Christmas shutdowns have become a major cybersecurity blind spot. Nearly a third will close for three to five days, while others extend their break to a week or longer. More than four in five SMEs plan to close their business for at least a day over Christmas, while just 19% will remain fully operational throughout the festive period.
Worryingly, IT oversight during holiday season downtime is inconsistent at best. While half of SMEs rely on in-house IT teams or external providers, a quarter will leave cybersecurity in the hands of non-specialist staff, and one in four admits that no one monitors their systems at all while the business is closed.
This risk is sharpened by PwC’s Minimum Viable Company (MVC) concept, which highlights the essential services and systems that must remain protected to keep an organisation operational during disruption. For SMEs — whose critical functions are often concentrated in just a few technologies, processes and suppliers — even a short lapse in monitoring over Christmas can expose precisely the assets needed to stay viable.
Despite this lack of specialist coverage, 82% of SMEs describe themselves as confident in their cybersecurity during the Christmas period. This over-confidence, combined with a lack of vigilance, is especially concerning, given that 35% of SMEs have experienced a confirmed or suspected cyber incident during a previous holiday season.
The research shines further light on the potential for complacency, with almost a quarter (22%) of SME owners saying they are not worried about any particular cyber threat over Christmas, though phishing and ransomware remain among the most feared risks for those who are concerned. When asked what preparations they make before closing for the holidays, SMEs most commonly cited backing up data or installing routine updates, but roughly one in eight take no cybersecurity precautions at all, and only a minority test their incident response plans or warn staff about seasonal phishing scams.
Looking to 2026, many SMEs acknowledge the need to strengthen their defences, but plans remain vague. While businesses express interest in improving backups, threat detection and staff training, only 19% say they will definitely invest in cybersecurity in the year ahead, and almost as many say they are unlikely to invest at all.
“A toxic selection box of holiday pressures, year-end work deadlines, financial demands, and social obligations means December can be one of the most stressful times of the year. This is especially true for small business owners, who often take on more than their fair share of the workload over the festive period. IT security can slip off the ‘to do’ list for some,” warns Anna Papla, UK Territory Channel Manager at Kaspersky, adding: “Cybercriminals will take full advantage of vulnerabilities as many businesses shut down operations. But extended closures don’t have to mean extended exposure. With the right alerting and backup practices, SMEs can enjoy a very Merry Christmas.”