Heading on holiday this summer? Hackers can take advantage of people whilst they are out of the office. Javvad Malik, security awareness advocate at KnowBe4, shares his handy tips for staying secure over the summer holidays.
Everyone looks forward to the summer. The weather is more pleasant and the days are longer. If you’re lucky, you get a week or two away from the office.
Companies embrace the warmer months by allowing things like a relaxed dress code and more pub lunches. People begin to use their work devices for leisure - like searching for weekend breaks.
Though the hot weather can be distracting, it’s important that security practices stay in check. This is a concerning problem for organisations large and small. There are a number of ways in which attackers take advantage of the summer months. Knowing what to look out for is key.
Phishing emails are a problem for IT security professionals, and they are especially prevalent during the summer. With cheap holiday offers used to target bargain hunters, the appeal of last-minute holiday deals tends to create more clicks than regular phishing emails. Unsurprisingly, this causes a lot of problems for organisations.
According to the travel association ABTA, fraudsters stole more than £7m from holidaymakers in 2018. The average financial loss was £1,380 per person. This doesn’t even take into account the potential losses should malicious links be clicked on a corporate device.
Once someone falls for a phishing attack, it becomes a game of trying to reduce losses. While a cheap summer holiday might look good at first glance, the cost of a cyber attack to an organisation far outweighs the benefits of clicking potentially dangerous links.
For the lucky ones who manage to bag an official last-minute deal, there are some precautions that are worth taking note of before setting off. Everybody, from junior executives to C-suite and board members, should consider leaving corporate devices at home and limiting connection to any corporate networks.
It can be tempting to be available round the clock. However, it’s sometimes better to disconnect and enjoy the holiday you’ve paid good money to be on. Should any corporate devices go missing in a foreign country, the information stored on that device – as well as the corporate network that device has access to – is no longer safe and the potential for insider threat attacks increases enormously.
When it comes to social media, the same rules apply. Putting too much information on social media should be avoided where possible. Obviously, it isn’t a holiday without posting a few ‘hotdogs or legs?’ snaps on social media. Despite this, it’s important to turn off geotagging when uploading photos. In addition, you should ensure that any social media profiles are private and only open to friends and trusted colleagues.
Consider posting the photos after returning home from the holiday. Remember, the more information that is shared publicly, the more information hackers have to use against you. If attackers have all the details of your location, they can use this to contact colleagues in the office. They may try to get them to give up corporate data, grant access requests or even approve money transfer requests.
Bringing corporate devices on holiday is a must for many. However, it is important to be cautious about the Wi-Fi networks available in hotels and other public places. Hackers can easily set up malicious hotspots that appear to be legitimate but actually intercept and record people’s personal data.
Connecting to an insecure Wi-Fi network or hotspot can allow attackers to gain access to an organisation’s private and sensitive data. Where possible, always connect to a trusted private network as opposed to a public one.
Additionally, using a Virtual Private Network (VPN), which creates a secure connection tunnel between your device and the websites you visit, is a tried and tested method of keeping safe online.
We all know the satisfying feeling of setting an ‘out of office’ reply before going on holiday. However, it’s important not to reveal too much information in these emails. There is a tendency to overshare in out of office emails, adding information like destinations and dates. This acts as useful information for attackers who may try to impersonate staff members.
If messages include a colleague’s name, email or phone number, attackers can also use these details in a spear phishing attack. If possible, avoid providing specific details of colleagues and use a generic company email address instead. This simple measure limits the information that attackers have, making it more difficult to initiate an attack in the first place.
For those staying behind in the office during the summer, be aware of fake emails from C-suite executives. There has been a significant increase in this type of attack. Employees are receiving emails from CEOs saying they are on holiday, have lost access to their phone and require money to be transferred to them immediately. A few years ago, this would have been unheard of.
However, as spoofing technology becomes more sophisticated, this type of attack is becoming more and more common. While it is a rare form of attack on the whole, it is something that everyone should be aware is possible and actively happening. Be vigilant and use other forms of communication to verify the legitimacy of requests, big or small.
It’s sometimes surprising the lengths attackers will go to in order to attack an organisation. Always err on the side of caution. Unfortunately, you can never be too careful. Most attackers will attack indiscriminately.
When it comes to safety over the summer, training is key. Attackers are always looking for new ways by which they can trick users into clicking links or downloading malware.
It's increasingly important that training is given to users in all organisations. Then they can best identify common tactics and avoid them, for instance by not clicking on links that may be suspicious and not giving away too much information to third parties in emails.