In most smaller mid-market companies that we look after at DATAZONE there is one IT person — sometimes two, often only one. That one person goes on holiday in summer. At the same time half the workforce is away, which reduces operational load. Sounds relaxed, and mostly is. But experience shows that this very phase produces a disproportionate number of incidents: phishing waves with travel bait, unplanned patch cycles, hardware defects, server-room air-conditioning failures in summer heat.
This article is an honest practical guide, not a marketing piece. It sums up what our customers typically need to work through before the holiday season — and which on-call models are realistic for small teams.
The emergency playbook — and the escalation tree
The most important thing first: when the IT person is away, everyone in the company must know who calls whom when. That is not a “document” — that is a postcard pinned in the office, hanging on the server rack and lying in the management drawer.
A usable escalation tree has three levels:
- Trivial: printer does not print, Outlook is hanging, password forgotten. The deputy in the office handles it, has access to the documented standard procedure.
- Medium: internet down, server service unreachable, backup error message. DATAZONE or external on-call provider is called — phone number plus contract reference on the postcard.
- Critical: ransomware suspicion, server fire, complete site outage. Managing director plus IT person (even on holiday) plus external provider. Immediately.
The rule in the escalation tree: whoever escalates one level higher is not at fault. If the deputy is unsure they call the external provider immediately — not an hour later, after trying to solve the problem on their own.
Deputy briefing — what really needs to be handed over
The deputy briefing is not “here is the server list”. It is a list of routine tasks that need to be reliably done during the holiday — and the access methods the deputy needs for them.
Routine tasks that typically belong:
- Daily visual check of backup status (which job ran yesterday, which complained)
- Weekly visual check of patch-Tuesday status (if patches are active)
- Triage helpdesk tickets (even if only “forward to external provider”)
- Weekly status report to management (short email)
Access for this:
- Password vault access for the deputy — as a second vault user, with read-only access to the “operational routine” category. Not the admin account, not the master vault.
- VPN access for emergency escalation (it may be set up but left inactive until needed; either way the deputy must know how to use it)
- Clear list: “what may you do, what not?” — e.g. “you may triage tickets and call external providers. You may not make server changes, change firewall rules or modify backup jobs.”
Important: we recommend that customers keep the deputy briefing in writing — one A4 page is enough, but it sits in the deputy’s desk and is dated. Oral handovers before three weeks of holiday are a bad idea.
Duplicate alerts — not just to the holiday address
Classic mistake: monitoring mails go to it@firma.de, which the holidaying person uses as their main mailbox. On holiday the mailbox goes into auto-reply, the alerts are not read, and after two weeks the backup pool is 95% full and nobody has noticed.
Sensible setups:
- Distribution list instead of a personal address: it-alerts@firma.de with IT person, deputy and external provider
- Alert routing by severity: critical alerts go to the IT on-call number (e.g. via webhook into a Slack channel or via an SMS gateway), non-critical ones into the weekly-report inbox
- Proactive verification before the holiday: two weeks before departure trigger a test alert and check whether the deputy really gets notified
With TrueNAS Halfmoon and newer OPNsense versions alert routing can be configured fairly granularly now — anyone still running older setups should check this before the holiday season.
Backup verification before the holiday
A backup strategy is only effective once you know that restore works. That is not new. But before the holiday this topic gets additional urgency:
- Latest successful restore test in the suitcase: before departure run at least one fresh restore test — a VM, a dataset, a document share. Document date and result.
- Check snapshot retention: does current retention last for the holiday period? If the IT person is away three weeks and a suspected encryption incident happens on day 1, the snapshot from day 0 must still exist when someone wants to work through it after return.
- Offsite backup verification: is replication to the offsite backup target healthy? When was the last successful sync?
- Check air-gapped / immutable layer: if immutable backups are in use, verify the immutability period now — not after the incident.
A 30-minute restore test before the holiday can save, when things go wrong, an entire quarter of recovery work.
Patch freeze — yes or no?
That is the hardest single decision. There are two camps:
Pro patch freeze in the holiday period:
- If a patch breaks a service, nobody is there to quickly roll back
- The deputy is not qualified for patch troubleshooting
- Mid-holiday outages cost disproportionate attention
Against patch freeze:
- Security patches are often time-critical (Exchange, edge devices, OPNsense)
- “Freeze” turns into “forgotten” in practice — the patch backlog in September is real
- Attackers do not take holidays
Pragmatic line that we recommend to customers:
- Security patches with CVSS ≥ 8 or known exploits in the wild: never freeze. Anyone who cannot apply this promptly has it done by the external provider.
- Feature patches (feature releases, major updates): yes, pause during holiday season
- Patch-Tuesday routine: do not skip entirely but tighten the bar — only what is really necessary goes during holiday
Anyone who has outsourced patch management to a provider can take the summer more calmly — patch triage runs automatically, with intervention only when needed.
Summer phishing wave
Summer has recognisable phishing patterns. That is not a secret. Typical bait:
- “Your booking has been cancelled / postponed / requires action” — Booking, Airbnb, Lufthansa, Bahn
- “Your parcel could not be delivered” — DHL, Hermes, DPD; holiday season equals many deliveries
- “Travel insurance expires” — typical phishing pattern
- “Managing director urgently needs transfer” — CEO fraud exploits holiday absence because the MD is “hard to reach”
- “IT support: password expires today” — helpdesk impersonation, often with the logo of the real internal helpdesk
Preparation:
- Short phishing reminder mail to all before the holiday wave (one page, three concrete examples, one phone contact for suspicious cases)
- CEO fraud protection: firm company rule that transfers above X euro are never approved by email — always callback to the known landline number
- Helpdesk impersonation: internal IT never does password resets via mailed click-links — if such a mail arrives, it is phishing
On-call models
If the internal team is small, an on-call model is needed. Three options that we know from consulting practice:
1. Internal on-call
The IT person is reachable on holiday — mobile phone required, with defined escalation rules. Works only if:
- It is clearly bounded (e.g. “calls only for level 3 of the escalation tree”)
- It is compensated, contractually or in time off
- The IT person really wants it — coercion does not work
Realistic for very small setups. Scales poorly.
2. External on-call (DATAZONE on-call contract or similar)
External provider takes over a defined on-call scope during the holiday period. Before the holiday phase:
- Inventory handover (what runs where, who has which contracts)
- Monitoring access (read-only on central systems)
- Escalation agreement (which incident triggers which reaction)
Contracts come in many flavours — from a standard 8x5 business-hour on-call to 24/7. For most SMBs 8x5 plus on-call for critical incidents is enough.
3. Hybrid: internal deputy plus external provider as backup
The most common solution in our consulting practice. Routine tasks are done by the internal deputy, anything beyond level 2 escalation goes to the external provider. Benefits:
- Internal staff build IT understanding (good for the bus factor)
- External provider is woken only for real incidents (affordable)
- The deputy knows when not to continue (clear escalation)
Checklist before the holiday
A pragmatic 30-minute checklist that every IT lead should work through before holiday:
- Emergency postcard with escalation tree visible (reception, server room, MD office)
- Deputy briefing in writing, with date, signed handover
- Deputy password-vault access verified
- Monitoring alerts on distribution list with at least two recipients
- Test alert triggered and reception confirmed
- Latest restore test documented and successful
- Snapshot retention lasts holiday duration plus buffer
- Patch-freeze strategy defined and communicated
- Phishing reminder mail to staff sent
- Accounting reminded of the CEO-fraud protection rule
- External on-call provider active and informed
- Holiday reachability defined (mobile yes/no, which levels)
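As an added illustration of the backup checks and the checklist above (not code from the original article or from any DATAZONE tool), a small Python readiness check that evaluates the retention, restore-test, offsite-sync and distribution-list items over constructed sample data; the thresholds, field names and the provider address are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date

@dataclass
class HolidayInventory:
    departure: date
    return_date: date
    snapshot_retention_days: int   # shortest retention among protected datasets
    last_restore_test: date        # most recent documented restore test
    last_offsite_sync: date        # last successful offsite replication
    alert_recipients: list         # members of the monitoring distribution list
    buffer_days: int = 7           # assumed retention buffer beyond the holiday
    max_sync_age_days: int = 1     # assumed: offsite replication runs daily
    max_restore_test_age_days: int = 14  # assumed freshness of the restore test

def holiday_days(inv: HolidayInventory) -> int:
    return (inv.return_date - inv.departure).days

def retention_ok(inv: HolidayInventory) -> bool:
    # A day-0 snapshot must still exist when the incident is worked through
    # after return, so retention has to cover the holiday plus a buffer.
    return inv.snapshot_retention_days >= holiday_days(inv) + inv.buffer_days

def restore_test_ok(inv: HolidayInventory, today: date) -> bool:
    return (today - inv.last_restore_test).days <= inv.max_restore_test_age_days

def offsite_sync_ok(inv: HolidayInventory, today: date) -> bool:
    return (today - inv.last_offsite_sync).days <= inv.max_sync_age_days

def alert_list_ok(inv: HolidayInventory) -> bool:
    # Alerts must reach at least two people, never only the holiday mailbox.
    return len(set(inv.alert_recipients)) >= 2

def failed_checks(inv: HolidayInventory, today: date) -> list:
    checks = {"retention": retention_ok(inv),
              "restore_test": restore_test_ok(inv, today),
              "offsite_sync": offsite_sync_ok(inv, today),
              "alert_list": alert_list_ok(inv)}
    return [name for name, ok in checks.items() if not ok]

# Constructed sample: three-week holiday, 14-day snapshots, replication two
# days stale, alerts still going only to the personal IT mailbox.
TODAY = date(2025, 7, 21)
SAMPLE = HolidayInventory(date(2025, 8, 4), date(2025, 8, 25), 14,
                          date(2025, 7, 20), date(2025, 7, 19), ["it@firma.de"])
# The same inventory after the checklist has been worked through (constructed).
FIXED = replace(SAMPLE, snapshot_retention_days=28, last_offsite_sync=TODAY,
                alert_recipients=["it@firma.de", "deputy@firma.de", "oncall@provider.example"])
```

Calling failed_checks(SAMPLE, TODAY) lists the three items still open before departure; the same call on FIXED returns an empty list.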
DATAZONE recommendation
Holiday season is not a threat — it is a plannable phase with elevated risk profile. Anyone who works through the points above three to four weeks before departure leaves with a clear conscience.
At DATAZONE we offer on-call models in different flavours — from pure “we are reachable if you cannot continue” to active monitoring takeover. For most SMBs the hybrid solution (internal deputy plus external escalation) is the best compromise of cost, understanding and effectiveness.
Above all: do not let holiday season become an escalation. Poor preparation on departure day means poor recovery — and at worst a call from the beach that nobody wants.
Anyone who still needs on-call for the upcoming holiday phase: please get in touch — we discuss scope without lengthy sales.