Why Cyber Risk Doesn’t Pause, Even When Organisations Do
Posted: Friday, Jan 16
  • KBI.Media
Karissa Breen, crowned a LinkedIn ‘Top Voice in Technology’, is more commonly known as KB and widely known across the cybersecurity industry. She is a serial entrepreneur and co-founder of the TMFE Group, a holding company and consortium of several businesses all relating to cybersecurity. These include an industry-leading media platform, a marketing agency, a content production studio, and the executive headhunting firm MercSec. She is also the former Producer and Host of the streaming show 2Fa.tv. The group's flagship arm, KBI.Media, is an independent and agnostic global cyber security media company, with KB at the helm of its journalism division. As a cybersecurity investigative journalist, KB hosts her renowned podcast, KBKast, interviewing cybersecurity practitioners around the globe on security and the problems business executives face. It has been downloaded in 65 countries with more than 300K downloads globally, influencing billions of dollars in cyber budgets. KB is known for asking the hard questions and getting real answers from her guests, providing a unique, uncoloured position on the always evolving landscape of cybersecurity. She sits down with the top experts to demystify the world of cybersecurity and provide genuine insight to executives on the downstream impacts that cybersecurity advancements and events have on our wider world.


Late November in the US marks a slowdown for most organisations. In Australia it starts in early November, after the Melbourne Cup. Teams thin out from then onwards. Decision making compresses. Attention shifts elsewhere. For attackers, it is a window.

The Semperis 2025 Holiday Ransom Report reinforces a reality security leaders already know but rarely plan for well enough.

“Cyber risk doesn’t take time off, even when we desperately want to,” says Simon Hodgkinson, Senior Advisor at Semperis.

If anything, threat activity accelerates when defenders are stretched.

“Cyber is a cat and mouse game,” Hodgkinson adds. “Both defence and offence will be changing their tactics… pretty much every day.” After four decades in the field, that is not an abstract observation for him; it is operational truth.

End-of-year pressure compounds risk.

“As you go through an intense year, you get towards the back end. There’s an awful lot of pressure for lots of organisations,” Hodgkinson says. “It is genuinely exhausting and that can lead to loss of focus on things you should be caring about.”

Hodgkinson notes a shift in how cyber risk is being discussed, not only in technical terms, but physiological ones.

“In 40 years in tech, we’d never talked about the physiology,” he says. Stress and fatigue don’t just affect performance, they shape outcomes.

Attackers understand this dynamic all too well.

Moments of organisational transition create exposure. IPOs, mergers, restructures — all introduce complexity, urgency, and distraction.

“You’re adopting a whole bunch of risks that you’re not really aware of,” Hodgkinson says. “And obviously the attackers are fully aware of what’s being adopted.”

In high-pressure M&A environments, speed becomes the priority. “Potentially, there’s more encouragement to pay the ransom if those sorts of things occur.”

Layoffs heighten the risk further.

“That clearly increases the insider risk,” he says, stressing that this includes both malicious and non-malicious behaviour. “If you’ve just been told you’re being laid off and you’ve got financial concerns, you’re perhaps not going to be on your A game.”

These aren’t edge cases. They’re predictable conditions attackers plan around.

Economic uncertainty is reshaping security operations. “Across the world at the moment there’s an enormous amount of economic uncertainty which is leading organisations to cut operational costs,” Hodgkinson says. That pressure often collides with attempts to protect staff wellbeing.

“I think there’s an issue globally around the whole work-life balance,” he notes. Reduced coverage is frequently offset with automation, sometimes too optimistically.

“More and more organisations are now using technology to automate activity,” Hodgkinson says. While automation provides coverage during weekends and holidays, “it could be false assurance… or an overconfidence on technology during those periods.”

Intent matters, but execution determines risk.

Hodgkinson is up front about the toll that long-term incident response takes.

“I’m probably the worst person in the world to talk about work-life balance,” he says. “I was on 24 by 7… I never switched off because I was always thinking about what’s the next thing that’s going to happen.”

During a serious insider incident at BP, the strain was acute. “I reckon I slept an hour a night for about four or five weeks,” he recalls. Even off shift, the pressure followed him home. “You may have physically been at home, but you weren’t mentally at home.”

These experiences aren’t unique. They’re common and often invisible across many security teams.

Looking ahead, Hodgkinson expects sustained instability. “I think we’re going to be in a period of economic uncertainty because of the geopolitical tension,” he says. “Certainly at least three to five years.”

“No organisation should be making their people ill by overburden. The intent is honourable. But this suggests the execution is perhaps not where it needs to be.”

Cyber defence will always require vigilance. But resilience cannot be built on exhaustion alone. Sustainable security means designing systems, technical and human, that assume pressure, plan for fatigue and do not rely on people being permanently on edge.
