When the Boss Is Away… Don’t Let the Security Slip


With managers away, risks like poor passwords, unlocked screens and slow reporting can quietly escalate, and this article explains why it happens and how to stop it.

Why Summer Leave Demands Heightened Password Hygiene

In 2025, just over four in ten UK businesses (43 per cent) reported experiencing a cyber security breach or attack during the previous 12 months, with that figure rising to 67 per cent in medium-sized firms and 74 per cent in large ones. Phishing remained the dominant method of attack, affecting 85 per cent of organisations that identified breaches.

Seasonal reductions in staff numbers, remote working and less oversight can allow small mistakes, such as reusing passwords, to have much bigger consequences. According to the Royal Institution of Chartered Surveyors, 27 per cent of UK businesses were hit by a cyber attack in the past year, up from 16 per cent the year before. These figures highlight the growing risk, particularly during periods with less supervision.

Use Modern Password Standards and Move Beyond Forced Expiry

UK cyber guidance now discourages regular forced password changes unless there has been a suspected breach. This is because, when users are prompted to change credentials frequently, they often create weaker, predictable passwords, for example by simply adding a number or punctuation mark.

Instead, the National Cyber Security Centre (NCSC) recommends the use of longer passphrases made up of three random words, separated by full stops. These are both stronger and easier to remember than traditional passwords. The NCSC also advises organisations to adopt password managers and, where possible, passkeys. These tools can generate and store unique credentials securely, reducing the risk of password reuse or staff writing details down.
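As an added illustration (not code from the article or from the NCSC), the Python below shows a defender-side check that flags the predictable "add a number" rotations forced expiry tends to produce, alongside a three-random-words passphrase generator of the kind described above; the short word list is a constructed stand-in for a real dictionary.

```python
import math
import re
import secrets

# Constructed stand-in word list; a real deployment would load several
# thousand words so the passphrase space is large enough.
WORDS = ["kettle", "harbour", "violet", "granite", "meadow", "lantern",
         "saddle", "walrus", "copper", "thistle", "beacon", "orchard"]


def three_random_words(words=WORDS, sep="."):
    """Build an NCSC-style passphrase: three random words joined by full stops."""
    return sep.join(secrets.choice(words) for _ in range(3))


def passphrase_entropy_bits(wordlist_size, n_words=3):
    """Guess-resistance of n words drawn uniformly from a list of that size."""
    return n_words * math.log2(wordlist_size)


def _core(password):
    # Drop the trailing digits/punctuation users bolt on at forced expiry
    # ("Summer2024!" -> "summer") so near-identical rotations compare equal.
    return re.sub(r"[\d\W_]+$", "", password).lower()


def is_predictable_rotation(old, new):
    """True when the new password is the old one with only a suffix tweak."""
    old_core, new_core = _core(old), _core(new)
    return bool(old_core) and old_core == new_core


def vet_password_change(old, new, min_length=12):
    """Return (accepted, reason) for a proposed password change."""
    if new == old:
        return False, "unchanged"
    if is_predictable_rotation(old, new):
        return False, "predictable rotation of the previous password"
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for old, new in [("Summer2024!", "Summer2025!"),
                     ("Summer2024!", three_random_words())]:
        print(old, "->", new, vet_password_change(old, new))
    print("bits for a 7,776-word list:", round(passphrase_entropy_bits(7776), 1))
```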

MFA

Multi-factor authentication (MFA) remains one of the most effective ways to protect business-critical systems. Yet despite its benefits, only around 40 per cent of UK businesses have implemented MFA across all user accounts. Email accounts are especially vulnerable, as they can often be used to reset access to other platforms. Ensuring these are protected with MFA is considered a baseline measure by most UK security professionals.

Lock Screens and Devices Immediately When Unattended

An unattended device with an open screen is one of the easiest targets for opportunistic attacks or accidental misuse. Whether it is a visitor in the office, a contractor passing by or a well-meaning colleague, leaving access open can result in emails being forwarded, data copied or malware being introduced via USB.

The Information Commissioner’s Office (ICO) advises that screens should lock automatically after two or three minutes of inactivity. Staff should also be trained to manually lock their devices every time they step away from their desks. This is especially important during summer when office routines may be more relaxed and the mix of people in the workplace can change.

Recent incidents show that even organisations with secure buildings can fall victim to social engineering or internal threats if unattended devices are left exposed. Automatic screen locking, combined with a strong culture of responsibility, helps reduce the risk significantly.

Ensure Quick Incident Reporting When Supervision Is Reduced

When teams are leaner, delays in reporting suspicious activity can allow small issues to spiral. For example, even a single phishing email that goes unreported could result in credential theft, malware infection or wider compromise of the organisation’s systems.

The ICO reminds organisations of their legal obligation to report serious personal data breaches within 72 hours. However, underreporting remains an issue. For example, a 2023 CybSafe survey found that many employees still hesitate to report security issues, fearing they will be blamed or seen as incompetent. Some attempt to fix problems themselves, often making the situation worse.

Clear Policies

Clear policies and non-judgemental internal reporting procedures can also help. For example, businesses should reinforce the message that early reporting is vital, regardless of the perceived severity of the issue. When fewer people are available to detect problems, every employee becomes part of the security perimeter.

Vigilance Essential

Major cyber attacks on well-known UK retailers in early 2025 highlighted how attackers often exploit gaps in supervision. For example, in one widely reported case, criminals impersonated staff during a helpdesk call to reset login credentials at a large national department store chain. Using publicly available information and a convincing pretext, they persuaded internal support teams to grant access to privileged systems. The attackers then used this access to infiltrate the company’s ordering and stock systems, causing widespread disruption to online deliveries, store stock management and customer services across the UK.

The NCSC has since updated its guidance to stress the importance of identity verification, particularly during periods when usual contacts may be away. Organisations should ensure that all staff know who to contact in case of a suspected breach and that backup procedures are in place when key individuals are on leave.

Also, Proofpoint’s 2024 threat report showed a rise in phishing campaigns timed around bank holidays and summer breaks, many of which referenced internal systems or posed as absent executives. These tailored scams are more convincing and more dangerous when teams are under pressure or lacking oversight.

Promote a Culture of Accountable Vigilance Year-Round

It’s worth noting here that security does not begin and end with IT departments. In reality, everyone in the organisation has a role to play, particularly when fewer colleagues are present to notice if something goes wrong.

As Richard Horne, CEO of the NCSC, recently warned, “businesses ignore advice at their peril”; he also highlighted that even basic security measures can reduce insurance claims by over 90 per cent. However, the latest government figures show that fewer than one in ten UK organisations are currently certified under Cyber Essentials, the UK’s official baseline standard.

The ICO and NCSC both emphasise that technical tools must be matched by behaviour and awareness. That includes locking screens, using secure credentials, escalating concerns early and understanding that cyber security is not someone else’s job.

What Does This Mean For Your Business?

A key takeaway here is that there’s no seasonal exemption from cyber threats. In fact, if anything, the summer period heightens the risk, as gaps in supervision and more flexible routines make it easier for poor habits to slip through unnoticed. For UK businesses, this is not just a matter of good practice but of operational resilience. Attacks timed during holiday cover or lean staffing can have a disproportionate impact, especially when response times are slower and reporting structures unclear.

The broader lesson is that culture really matters. Password policies, screen-locking procedures and incident response plans are only effective when staff at all levels understand them and use them without hesitation. For security teams and senior leaders, this means investing in clarity and communication as much as in software or hardware.

UK regulators are already making expectations clear. With the ICO strengthening its stance on breach reporting and the NCSC repeatedly highlighting the need for accountability beyond the IT department, there is growing pressure on organisations to prove that cyber responsibility is being taken seriously throughout the business. That includes facilities managers, HR teams and anyone with access to systems or data.

What this means for UK businesses is a need to treat holiday periods not as downtime, but as a potential test of their internal defences. For insurers, regulators and supply chain partners, lapses in protocol will look less like an accident and more like a failure to plan. For customers and clients, the reputational damage from a breach can be immediate and lasting.

Avoiding that outcome does not require complex changes. It comes down to reinforcing a few non-negotiables. Strong, unique passwords. Locked screens. Prompt reporting. And a shared understanding that good security is not a favour to the IT team but a safeguard for the whole organisation.

Mike Knight