Cyber Attacks on Bank Holidays: Why Your IT Model Is the Weak Link

In the IT world, there is something quietly sinister about a bank holiday. It’s not the holiday itself. Who doesn’t love a bank holiday: a long weekend, a reason to grill something in unpredictable weather, the particular pleasure of feeling like you’ve slipped a Monday? The sinister part is structural. Cyber attacks on bank holidays follow a pattern that most organisations have not properly reckoned with, and it has less to do with the sophistication of the attacker than with the architecture of the defence left behind when everyone goes home.

Attackers have read the long-weekend agreement; they just don’t comply.

In May 2017, WannaCry ransomware tore through the NHS on a Friday afternoon and spent the weekend doing its worst: Trusts went dark, operations were cancelled and the damage ran to an estimated £92 million in disrupted services and emergency IT work. The attack itself was not especially sophisticated. What made it catastrophic was the combination of unpatched systems and a weekend with no one watching closely enough to stop it spreading before Monday came around.

Six years later, Capita’s breach in March 2023, which later resulted in a regulatory fine for data protection failings, unfolded over a period when delayed detection allowed attackers to move quietly through the environment. The dwell time, the period between an attacker getting in and anyone noticing, ran to weeks. According to Mandiant’s M-Trends 2024 Report, the global median dwell time for a breach now sits at 10 days. That number has come down significantly over the years, which sounds reassuring until you read the rest of the sentence: a decade ago it was over 200 days, and the reduction has come almost entirely from organisations that invested in continuous detection, not from attackers becoming easier to spot.

A bank holiday is three days. Three days inside an environment with reduced monitoring, a support model built on tickets and call queues, and a security stack sitting in a completely separate part of the organisation from the people managing the infrastructure can carry more exposure than the calendar makes them look. Cyber attacks on bank holidays are not an anomaly; they are a logical consequence of a model that was designed to work in office hours and left to fend for itself outside them.

Why The Legacy IT Model Fails At Exactly This Moment

The model most businesses are running was not designed for continuity:

  1. An MSP manages the infrastructure.
  2. A separate MSSP monitors for threats.
  3. A pen testing firm visits once a year, produces a PDF, and disappears again.

These three relationships have different contracts, different escalation paths, and no shared context. When something moves through an environment at 4pm on a Friday before a bank holiday, the gap between those vendors is exactly where it finds room to breathe.

This is not a failure of the individual vendors; it is a failure of the model. Legacy IT delivery was built around a helpdesk, a monthly invoice, and a reactive posture that waits to be told there is a problem before doing anything about it. It was never designed to run without people in the room, because it was never expected to have to.

The evidence for why this matters is not theoretical. Cyber attacks on bank holidays, weekends and out-of-hours periods are well-documented in incident reports precisely because the window of reduced cover is predictable, exploitable, and wide. Security teams with enough resources to monitor continuously close breaches in hours. Security teams relying on a rota and a call queue close them in days, if at all.

What Continuous IT and Security Management Actually Means

The answer is not a bigger on-call rota. Throwing bodies at a bank holiday weekend treats the symptom without touching the cause, and it is expensive cover for a problem that should not exist in the first place.

What organisations actually need is an IT and security model that does not depend on a human being available before it acts. That means monitoring which runs continuously, not on a schedule tied to office hours. It means security and IT managed by the same team, with the same context, so that when something moves through the infrastructure at 11pm on a Sunday, the people who understand the environment are already looking at it. It means fixes shipped the moment problems are found, not logged in a queue and triaged on Monday morning. It means a single point of accountability for everything, so there is no gap between the infrastructure vendor and the security vendor where an incident can quietly develop.

This is not an especially radical set of requirements. It is simply what a well-run IT function looks like when it is designed around the threat rather than around the working week.

ThreatSpike was built to deliver exactly this. Agentic AI runs through every layer of the platform, watching the environment continuously and responding to threats within 2 to 5 minutes. Fully managed IT and complete security sit in the same platform, run by the same team, with a forward-deployed engineer embedded in each customer environment year-round. Nothing waits until Tuesday.

For businesses still running the fragmented model, the question raised by cyber attacks on bank holidays is worth sitting with seriously. The WannaCry figure bears repeating: £92 million, across a single weekend, inside one of the country’s largest organisations. The Capita breach unfolded over weeks, not because no one cared, but because the model in place was not structured to see it happening in real time.

The Structural Answer

Cyber attacks on bank holidays will keep happening as long as the IT model underneath them is designed to react rather than prevent. Staffing up on bank holidays patches the symptom. Replacing the reactive model with one that runs itself addresses the cause.

ThreatSpike replaces every MSP, MSSP and security vendor with a single platform, a single team and one fixed monthly price. Managed IT and complete security delivered together, continuously, with agentic AI running the operations and forward-deployed engineers accountable for the outcome. The model that allowed WannaCry to spend a weekend inside the NHS unchecked is still the dominant model in UK businesses today. The only difference is that now, with the right platform in place, it doesn’t have to be yours.

The bank holiday is three days. Cyber attacks on bank holidays take considerably less time than that to cause damage that lasts considerably longer.

Find out how ThreatSpike manages your entire IT and security estate, continuously, at one fixed price.
