
The week before Christmas, a security system detected something unusual. A desktop device inside a company’s network had been compromised. Then the attackers moved laterally, reaching two domain controllers. The controllers began making suspicious connections to endpoints linked to known ransomware operations.

The security platform alerted at every stage. Every lateral movement. Every suspicious connection. Every indicator of compromise.

No one acted.

“Although the system had alerted to this activity at every stage,” the security company later reported, “the security team was under great stress during the December period and did not manage to action even these highly critical alerts.”*

The attackers waited. On Christmas Eve, after business hours, the threat re-emerged. Suspicious executables were written. Data was exfiltrated. And in the early hours of Christmas Day, while most employees were offline opening presents with their families, the ransomware payload executed.

The alerts had done their job. The coverage gap turned a detected threat into a full-scale breach.


Security alerts fired throughout December, but the overwhelmed team couldn’t action them in time. By Christmas morning, ransomware had executed.

When Attacks Actually Happen

This wasn’t an isolated incident. Cybercriminals have learned exactly when organizations are most vulnerable.

Research shows that 76 percent of ransomware encryption attempts begin outside regular business hours—nights and weekends when security teams are understaffed or absent entirely.*

A 2025 industry study confirmed the pattern: 52 percent of ransomware attacks hit during weekends and holidays.** The timing is deliberate. Attackers know your schedule better than you think.

Nights. Most IT departments don’t have overnight staff. Alerts pile up until morning.

Weekends. Even organizations with monitoring often have reduced coverage. Saturday night into Sunday morning is particularly popular.

Holidays. Skeleton crews, distracted staff, and delayed response times. Major ransomware attacks frequently launch on holiday weekends—like the attack on July 4th weekend 2021 that hit 1,500 organizations, or the Christmas Day 2023 attack on a Massachusetts hospital that exposed 316,000 patient records.***

Time zone gaps. If your IT team is in one time zone and your offices span multiple zones, there are windows when no one is watching.

The Staffing Reality

The coverage gap isn’t just about technology—it’s about people. Research shows 78 percent of companies cut their security operations center staffing by 50 percent or more during holidays and weekends. Nearly half reduce staff by 70 percent.**

This creates exactly the window attackers exploit. Industry research found that ransomware attacks during holidays and weekends resulted in:****

• 60 percent longer time to assess the attack’s scope
• 50 percent more time needed to mount an effective response
• 33 percent longer recovery periods
• 36 percent greater financial losses

The security team in the Christmas case wasn’t negligent. They were overwhelmed. December stress, competing priorities, and the assumption that nothing critical would happen during the holidays created the perfect conditions for disaster.

The Coverage Gap Problem

Most small and mid-sized organizations have some version of the same vulnerability:

Monitoring without response. Security tools generate alerts 24/7. But if no one’s reviewing those alerts in real time, detection doesn’t matter. An alert at 3 AM that sits until 8 AM is five hours of unimpeded attacker activity.

First-responder limitations. Even if someone is nominally on-call, can they actually respond? Do they have remote access? Do they have the authority to take systems offline? Do they know what to do?

Escalation failures. The on-call person sees an alert. Is it serious or routine? Do they wake up the IT director? Call the security vendor? Most people err on the side of waiting until morning—exactly what attackers count on.

Holiday and vacation gaps. Who covers when the primary person is out? Is that backup equally capable? Does the coverage actually exist, or is it theoretical?

The True Cost of Coverage Gaps

The difference between detecting an attack immediately and responding hours or days later isn’t incremental. It’s the difference between two completely different incidents:

Immediate response: Account compromised. Account disabled. Investigation launched. Attacker locked out. Business impact: minimal.

Delayed response: Network compromised. Backups encrypted. Data exfiltrated. Ransomware deployed. Business impact: catastrophic.

The detection was the same. The alert was the same. The outcome was entirely different because of when someone actually looked at it.

What Effective 24/7 Coverage Looks Like

Genuine around-the-clock security isn’t just “someone available if we really need them.” It requires:

Active monitoring. Human eyes on alerts in real time, not just logging events for later review. When something fires at 3 AM, someone sees it at 3 AM.

Immediate triage capability. The ability to quickly determine if an alert is critical or routine. This requires expertise—you can’t just hand someone a phone and call it coverage.

Response authority. The person monitoring needs the ability to take action. Disable accounts. Isolate systems. Initiate incident response. If they have to wait for approval, you’ve lost critical time.

Documented playbooks. Clear procedures for common scenarios. If X happens, do Y. Reduces decision paralysis and ensures consistent response.

Escalation paths. When something is serious enough to wake people up, everyone knows who to call and in what order. No ambiguity at 3 AM.

Options for Small and Mid-Sized Organizations

You don’t need a 20-person security operations center to close coverage gaps. Several approaches can work:

Managed Detection and Response (MDR). Third-party security specialists monitor your environment 24/7. They see alerts in real time and can often take immediate action. Cost is typically a fraction of building internal capability.

Shared on-call rotation. If you have multiple IT staff, rotate true on-call responsibility. But make sure on-call actually means immediate response capability, not “check your phone when you wake up.”

Automated initial response. Some actions can be automated. Unusual login from a new country? Automatically disable the account pending investigation. Buys time even without human intervention. Keep such rules narrow, log every automated action, and give the on-call person a way to reverse it; a rule that locks accounts on thin evidence becomes an outage of its own.

Risk-based prioritization. If you can’t monitor everything 24/7, identify what matters most. Critical systems, high-privilege accounts, and sensitive data repositories deserve more attention than everything else.
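The new-country rule and the privilege-based prioritization from the two points above, as an added example (not code from the original article or from any vendor named on this page). It assumes a per-account country baseline, an assumed list of privileged accounts, and a Monday-to-Friday 08:00-18:00 staffed window; the identity provider is simulated with a dictionary, and the account names and sign-in events are constructed. It also handles the edge case the rule alone does not: an account with no baseline yet, where disabling on zero evidence is worse than queuing it for review.

```python
"""Automated first response for a sign-in from a country outside an account's
baseline.  Added example, not code from the original article.  The baseline,
privileged-account list, staffed window and all events are constructed
assumptions; the identity provider (IdP) is simulated with a dict."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed baseline: countries each account has signed in from recently.
# In practice this comes from the identity provider's sign-in history.
BASELINE = {
    "jdoe": {"US"},
    "svc-backup": {"US"},
    "admin-ops": {"US", "CA"},
    # "newhire" deliberately has no baseline yet
}
# Assumed high-privilege accounts (the page's "risk-based prioritization").
PRIVILEGED = {"svc-backup", "admin-ops"}


@dataclass
class SignIn:
    user: str
    country: str
    at: datetime
    success: bool


@dataclass
class Action:
    user: str
    disable: bool          # account disabled pending investigation
    revoke_sessions: bool  # kill existing sessions too (privileged only)
    severity: str          # "critical" | "high" | "review"
    page_human: bool       # wake someone now instead of queuing for morning
    reason: str


def out_of_hours(ts: datetime) -> bool:
    """Assumed staffed window: Mon-Fri 08:00-17:59 local time."""
    return ts.weekday() > 4 or not 8 <= ts.hour < 18


def triage(event: SignIn) -> Optional[Action]:
    """Decide what to do about one sign-in.  None means no action needed."""
    if not event.success:
        return None                      # failed attempts are noise for this rule
    known = BASELINE.get(event.user)
    if known and event.country in known:
        return None                      # nothing unusual
    privileged = event.user in PRIVILEGED
    if not known:
        # No baseline at all (e.g. a new account): disabling on zero evidence
        # just creates an outage, so queue for review unless it is privileged.
        return Action(event.user, disable=privileged, revoke_sessions=privileged,
                      severity="critical" if privileged else "review",
                      page_human=privileged,
                      reason=f"no sign-in baseline; first seen from {event.country}")
    return Action(event.user, disable=True, revoke_sessions=privileged,
                  severity="critical" if privileged else "high",
                  # out of hours nobody is watching the queue, so page instead
                  page_human=privileged or out_of_hours(event.at),
                  reason=f"sign-in from {event.country}, baseline {sorted(known)}")


def apply(event: SignIn, idp: dict) -> Optional[Action]:
    """Run triage and record the resulting changes in the simulated IdP state."""
    action = triage(event)
    if action:
        if action.disable:
            idp.setdefault("disabled", set()).add(action.user)
        if action.revoke_sessions:
            idp.setdefault("revoked", set()).add(action.user)
        idp.setdefault("tickets", []).append(action)   # every action leaves a record
        if action.page_human:
            idp.setdefault("paged", []).append(action.user)
    return action


# Constructed events: routine, new country at 3 AM, privileged, new hire, failed attempt.
SAMPLE_EVENTS = [
    SignIn("jdoe", "US", datetime(2024, 12, 23, 10, 0), True),
    SignIn("jdoe", "RO", datetime(2024, 12, 24, 3, 7), True),
    SignIn("svc-backup", "RO", datetime(2024, 12, 24, 13, 0), True),
    SignIn("newhire", "DE", datetime(2024, 12, 24, 9, 30), True),
    SignIn("jdoe", "RO", datetime(2024, 12, 24, 3, 8), False),
]


def run(events):
    """Apply the rule to a list of events; returns (actions, simulated IdP state)."""
    state: dict = {}
    actions = [apply(e, state) for e in events]
    return actions, state


if __name__ == "__main__":
    actions, state = run(SAMPLE_EVENTS)
    for e, a in zip(SAMPLE_EVENTS, actions):
        print(f"{e.user:<11} {e.country} {e.at:%a %H:%M} -> {a.severity if a else 'ok'}")
    print("disabled:", sorted(state.get("disabled", ())), "paged:", state.get("paged", []))
```

The design choice worth noting is the `page_human` flag: a locked account queued for morning review is fine at 1 PM on a Tuesday, but at 3 AM the same ticket sits unread for five hours, so the rule pages whenever it fires outside the staffed window or touches a privileged account.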

Questions to Ask About Your Coverage

Think about your current security posture and ask:

• If an alert fires at 3 AM tonight, who sees it? When do they see it?
• Can that person actually respond, or only observe?
• What happens on holidays? During major vacations?
• How long would an attacker have between detection and response on a Saturday night?
• Do you even know when most alerts occur?

The answers reveal your actual coverage, not your theoretical coverage.
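To answer the last two questions with data rather than assumptions, the following added example (not from the original article) buckets alert records by whether they fired inside an assumed Monday-to-Friday 08:00-18:00 staffed window and reports how long each group waited for acknowledgement. The alert records are constructed sample data; an alert nobody has acknowledged is measured against the current time, so an open critical alert keeps growing the worst-case number instead of dropping out of it.

```python
"""Measure actual, not theoretical, alert coverage from acknowledgement records.
Added example, not code from the original article; the alert records below are
constructed and the staffed window is an assumption."""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Alert:
    severity: str                  # "critical" | "high" | "low"
    fired_at: datetime
    acked_at: Optional[datetime]   # None = nobody has looked at it yet


def out_of_hours(ts: datetime) -> bool:
    """Assumed staffed window: Mon-Fri 08:00-17:59 local time."""
    return ts.weekday() > 4 or not 8 <= ts.hour < 18


def minutes_between(a: datetime, b: datetime) -> float:
    return (b - a).total_seconds() / 60


def coverage_report(alerts, now: datetime) -> dict:
    """Split alerts by when they fired and report how long each group waited.
    Open alerts are measured against `now`, so an unanswered critical alert
    keeps widening the worst-case gap rather than vanishing from the numbers."""
    out = [a for a in alerts if out_of_hours(a.fired_at)]
    inside = [a for a in alerts if not out_of_hours(a.fired_at)]

    def median_ack(group):
        waits = [minutes_between(a.fired_at, a.acked_at) for a in group if a.acked_at]
        return median(waits) if waits else None   # no acknowledged alerts -> unknown

    critical = [a for a in alerts if a.severity == "critical"]
    gaps = [minutes_between(a.fired_at, a.acked_at or now) for a in critical]
    return {
        "total": len(alerts),
        "out_of_hours": len(out),
        "out_of_hours_share": round(len(out) / len(alerts), 3) if alerts else 0.0,
        "median_ack_minutes": {"in_hours": median_ack(inside),
                               "out_of_hours": median_ack(out)},
        "open_critical": sum(1 for a in critical if a.acked_at is None),
        "worst_critical_gap_minutes": max(gaps) if gaps else 0.0,
    }


# Constructed sample: one December week of alerts with acknowledgement times.
SAMPLE_ALERTS = [
    Alert("critical", datetime(2024, 12, 16, 10, 5), datetime(2024, 12, 16, 10, 20)),  # Mon, in hours
    Alert("high",     datetime(2024, 12, 17, 14, 30), datetime(2024, 12, 17, 15, 10)), # Tue, in hours
    Alert("critical", datetime(2024, 12, 18, 3, 12),  datetime(2024, 12, 18, 8, 5)),   # Wed 3 AM, seen at 8
    Alert("low",      datetime(2024, 12, 19, 11, 0),  datetime(2024, 12, 19, 11, 45)), # Thu, in hours
    Alert("critical", datetime(2024, 12, 20, 16, 50), datetime(2024, 12, 20, 17, 5)),  # Fri, in hours
    Alert("high",     datetime(2024, 12, 21, 23, 40), datetime(2024, 12, 23, 8, 15)),  # Sat night, seen Monday
    Alert("critical", datetime(2024, 12, 24, 19, 30), None),                           # Christmas Eve, still open
]
NOW = datetime(2024, 12, 25, 2, 0)   # assumed time the report is run


def sample_report() -> dict:
    return coverage_report(SAMPLE_ALERTS, NOW)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Run against real ticketing or SIEM exports, the two medians side by side are the honest version of "who sees it, and when": if the out-of-hours median is measured in hours while the in-hours median is measured in minutes, the coverage gap is already quantified.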

The Christmas Day Lesson

The organization in this case study had invested in security tools. They had detection capability. The technology worked exactly as designed—alerting at every stage of the intrusion.

What they didn’t have was someone watching during the December crunch. Someone who could act on Christmas Eve when the attackers made their final move.

Attackers know when you’re not paying attention. The question is whether you know—and whether you’ve done something about it.


Take The 3 AM Test

centrexIT provides 24/7 security monitoring for San Diego organizations that can’t afford coverage gaps. Want to know if your organization would catch an attack at 3 AM? Take our free assessment and find out.


References

* “I’m Sorry, We’re Closed: Why Most Ransomware Attacks Happen Out of Hours,” Darktrace Blog, March 2021
** “2025 Ransomware Holiday Risk Report,” Semperis, November 2024
*** “Anna Jaques Hospital ransomware breach exposed data of 316,000 patients,” The Record, 2024; “Kaseya VSA supply-chain ransomware attack,” CSO Online, July 2021
**** “Organizations at Risk: Ransomware Attackers Don’t Take Holidays,” Cybereason, 2022
