We’re back with another expert interview! This time, we’re joined by Matt Warner, CEO and co-founder of Blumira, to talk about how businesses can stay ahead of cyber threats during the summer months and why this quieter season might be the best time to strengthen their security defenses.
It’s the holiday season, and attacks often spike during this time. So, what does the threat landscape look like right now, and what should businesses be watching for?
Yes, it's one of the big patterns we see: things slow down in the summer. Everyone starts going on holiday, focus shifts away from work, and then activity starts to pick up again later in the year. For us in IT and cybersecurity, that period is a good chance to step back and review things such as systems, access, and where we might have given too many permissions. Sometimes, if someone returns from holiday and doesn't even notice their access has changed, it's a good sign we've identified over-permissioning.
It's about using that time to look at your environment, including legacy systems, current setup, and plans for the rest of the year. Especially if you're in a region where geopolitical tensions can drive more attacks, this is when you want to get ahead of the year-end push from threat actors and ransomware groups. That means checking what's exposed to the internet, whether you're still using things like SSL VPN, and if so, how secure it is. Are you using MFA? Are you on platforms with known issues? If yes, now's the time to ask: how fast can we patch, and would we notice if something unusual happened?
It all comes down to visibility. Do you know what’s happening in your environment, and how people are leveraging and connecting to it? Considering the type of organization or any business that shares data, it’s worth reviewing FTP, SFTP, or managed file transfer systems in your DMZ. Ask if they’re secure, how data is brought to the environment, and how to improve processes to keep them secure.
Attackers will focus on these areas as the year goes on, looking for what's exposed, what they can target, and which phishing tactics might work. The slower months give you the time to check coverage, what happens at the endpoints, and even with something as simple as an off-site employee clicking a phishing link—can the organization contain those threats? But it's less about the threats and more about understanding the risks and having open conversations as a team before the busy season kicks in.
Aside from the usual holiday-themed phishing and scams, we’re now seeing more AI-powered attacks. What other threats do businesses often overlook during this time?
AI-powered phishing has definitely become a bigger problem. We’ve heard people say to look for poorly written emails or ones that just don’t sound right. Now, AI helps attackers make their messages clear and convincing. That said, in many cases, the attacks aren’t that different from what we saw five or ten years ago. The methods may be more complex, like token stealing in Microsoft 365, but it still starts with phishing, getting someone to click, and then authenticating. The result is the same: attackers take over an account, move deeper into the environment, and make changes to hide their activity.
At Blumira, we say that attackers' techniques may seem like magic, but in many cases, they need to take specific actions to break into the environment. Often, that means bypassing MFA. If MFA isn't turned on, the holidays are a great time to enable it. If attackers do get in, they'll often set up mail rules to hide incoming messages, take what they need from the account, and then move deeper into your environment. The same goes for infrastructure attacks, whether cloud or on-prem: they have to make certain moves once they land, so you need tools like SIEM or EDR to detect and respond when something gets in.
AI helps attackers launch targeted campaigns faster, but their steps are the same. This season, I’d expect more geopolitical phishing and malvertising. For example, someone with extra time during the summer searching for a tool might land on a fake download page, and the fake version can install ransomware within days. Attackers leverage timing, current events, and AI-generated content to strike effectively. That’s why visibility is key. Being able to monitor accounts and endpoints in real time lets you act immediately, instead of discovering the attack a week later when it’s too late.
You’ve suggested the holiday period is a good time for security teams to be proactive. What does that look like in practice?
Proactivity is the best way to reduce threats in your environment. Taking time to step back, evaluate what’s happening, and identify risks is key. You can’t solve threats unless you know what they are.
Hosting an actual tabletop conversation is one of the most effective approaches we’ve seen. Gather whoever’s available from every level, including executives, IT staff, legal, and finance, and ask questions like: “What if we were attacked today? What if the CEO were targeted while on holiday? Would we know right away? How far could an attacker get?” You won’t solve every problem in real time during an incident, but these discussions help uncover risks before they happen.
Use simple AI-driven simulations to explore “what if” scenarios in different departments of the organization: How would we detect it? How far could it go? How did it start? This exercise helps assess both visibility and the ability to stop an attacker. It ties back to defence-in-depth, ensuring you can see and respond at every stage, from phishing to endpoints, servers, and cloud identities. When operations slow down, it’s the perfect time to evaluate risks and plan. These discussions set the stage for securing the budget and making strategic changes to strengthen defences for the rest of the year.
How can security teams create a culture where employees feel safe reporting mistakes, such as falling for phishing, and use those experiences to strengthen overall defenses?
In cybersecurity, there’s long been debate over whether phishing is the user’s fault, but in reality, falling for it is often inevitable. Research shows that with persistent phishing attempts, most people can be caught within a few tries, especially with AI making attacks easier and more convincing. The priority should be creating a safe, open path for employees to speak up.
Encourage reporting by sharing real phishing examples across the organisation via Teams or Slack, or by creating a security alert channel to share findings and turn them into conversations. Security awareness training is also essential, including spotting suspicious domains and unknown senders. Make sure to turn on the security features in 365 and Google Workspace to identify phishing emails. But there’s the inevitability that people always fall for the phish; blaming them for it couldn’t be more wrong!
Phishing comes in many forms. It can be fake DocuSign requests, personalised lures, or even impersonations of family members of executives. Some will inevitably fall for it. Make sure they report. If they don’t, bring the issue back to the broader team, explaining what happened, and sharing lessons learned without blame. Involve vendors in post-incident reviews to strengthen defences.
A big part of improving security is shortening detection time, knowing when something happened and why it happened. That goes beyond standard awareness training; it’s about having an ongoing, open conversation with staff about the incidents. Many wouldn’t expect that the attacks are persistent. It’s important not just for staff to share details, but also for you to share back.
A common security gap is failing to share incidents with staff and reassure them you’re there to support them. Expecting perfection is unrealistic. Everyone, from the CISO to the CEO to the floor staff, is vulnerable.
How can businesses maintain a proactive security mindset after summer and carry those lessons into the rest of the year?
If I could get anyone to do something proactive for the rest of the year, it would be holding regular monthly tabletops with different departments. Sit down with a department for 30–45 minutes and run through one or two scenarios. For example, ask customer success: “What if a customer sent a file that was a Trojan? Would you have opened it? How would we know if it impacted your system? What would we do if we had to shut down our ticketing system?”
Take every month as a learning opportunity, building up knowledge of risks across the organisation without taking too much time. Even identifying risks you can’t currently solve is valuable, as it shows leadership where attention and investment are needed.
Being proactive means having evidence to support requests for resources or tools. Talk to people across departments, ask how attacks could impact their work, and plan ahead. For example, if a retail company faces ransomware during a critical period, decisions made in the moment may be suboptimal. Planning ahead, like deciding how to process transactions if servers go down, prepares the organisation and strengthens the case for proactive investment.
Final thoughts?
Probably the biggest thing is making sure we talk to each other in IT and cybersecurity and, just as importantly, talk to the broader organisation. Our job is to support the organisation and keep things running as they should. Going back to the idea of tabletops, it’s about knowing what we’re doing and avoiding random security acts that might feel good but don’t actually make us safer.
As we move through the rest of the year, the key is to have those conversations and figure out where the risks are, what we can do to improve, and what the impact would be if we made changes. That might mean better patching, reducing the attack surface, increasing security awareness training, or sharing more information. In the end, being transparent never hurts. Most people won’t know the work you’re doing unless you talk about it, and that’s how you reduce risk.
Watch the full interview here: YouTube
Dilki Rathnayake is a cybersecurity content writer and the Managing Editor at Information Security Buzz, with a BSc in Cybersecurity and Digital Forensics. She is skilled in computer network security and Linux system administration. Dilki has also led awareness programs and volunteered for communities promoting best practices for online safety.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.