How to keep yourself secure over the summer holidays
14 August 2019
Taking time out of the office this summer? Hackers are becoming smarter, utilising new methods to take advantage of people during these times. Javvad Malik, security awareness advocate at KnowBe4, has written some handy tips for keeping yourself secure over the holidays.
Everyone looks forward to the summer, the weather is more pleasant, the days are longer and, if you’re lucky, you get a week or two away from the office.
Companies embrace the warmer months by implementing luxuries like a relaxed dress code, there tends to be more pub lunches and people begin to use their work devices for things that might not strictly be classed as work - like searching for weekend breaks.
Though the hot weather and sunshine can be distracting, it’s important that security practices don’t fall by the wayside as a result, an increasingly concerning problem for organisations large and small. There are a number of ways in which attackers take advantage of the irregular activities that arise around the summer months; and knowing what to look out for is key.
Also of interest: What do you do after a data breach?
Phishing emails are the bane of any IT security professional’s existence and are especially rife during the summer. With cheap holiday offers used to target bargain hunters, the enticement of last-minute holiday deals tends to garner more clicks than regular phishing emails, and, unsurprisingly, causes a lot of problems for organisations.
According to the Travel association ABTA, Fraudsters stole more than £7m from holidaymakers in 2018, with the average financial loss of £1,380 per person. This doesn’t even take into account the potential losses should malicious links be clicked on a corporate device.
Once someone falls for a phishing attack, it becomes a game of trying to minimise losses and, while a cheap summer holiday might look good at first glance, the cost of a cyber attack to an organisation far outweighs the benefits of clicking potentially dangerous links.
For the lucky ones who manage to bag a legitimate last-minute deal, there are some precautions that are worth taking note of before setting off. Everybody, from junior executives to C-suite and board members, should consider leaving corporate devices at home and limiting connection to any corporate networks.
It can often be tempting to be available round the clock, but it’s sometimes better to disconnect and enjoy the holiday you’ve paid good money to be on. Should any corporate devices go missing in a foreign country, the information stored on that device – as well as the corporate network that device has access to – is no longer safe and the potential for insider threat attacks increases enormously.
Also of interest: Embarrassment and fear tactics used by scammers: why shy away from them?
Social media - less is more
When it comes to social media, the same rules apply. Putting too much information on social media should be avoided where possible. Obviously, it isn’t a holiday without a few ‘hotdogs or legs?’ snaps showing up on Facebook, but it’s important to make sure to turn off geotagging when uploading photos, in addition to ensuring that any social media profiles are private and only viewable by friends and trusted colleagues.
Consider posting the photos after returning home from the holiday. Remember, the more information that is shared publicly, the more information hackers have at their disposal to impersonate you. So, if attackers have all the details of your location etc, they can use this to contact colleagues in the office in attempt to get them to give up corporate data, grant access requests or even approve money transfer requests.
Also of interest: How to deal with spear phishing effectively
If bringing corporate devices on holiday is a must, as it is sure to be for some, be cautious about the Wi-Fi networks available in hotels and other public places. Hackers can easily set up malicious hotspots that appear to be legitimate but which intercept and record people’s personal data.
Connecting to an insecure Wi-Fi network or malicious hotspot opens the door for attackers looking to gain access to an organisation’s private and sensitive data. Where possible, always connect to a trusted private network as opposed to a public one.
Additionally, using a Virtual Private Network (VPN), which creates a secure connection tunnel between your device and the websites, is a tried and tested method of keeping safe online.
Also of interest: Gone phishing… how to spot the scam
That OOO message
We all know the satisfying feeling of setting an ‘out of office’ reply before going on holiday; however, it’s important not to reveal too much information in these emails. There is a tendency to overshare in out of office emails, adding information like destinations and dates, which only acts as useful information for attackers who may try to impersonate staff members.
If messages include a colleague’s name, email or phone number, attackers can also use these details in a spear phishing attack. If possible, avoid providing specific details of colleagues and use a generic company email address instead. This simple measure limits the information that attackers have, making it more difficult to initiate an attack in the first place.
Also of interest: Is password security really that important?
CEOs and fake news
For those staying behind in the office during the summer, be wary of fake emails from C-suite executives. As farfetched as it might sound, there has been a significant increase in this type of attack, whereby employees are receiving emails from CEOs saying they are on holiday, have lost access to their phone and require money to be transferred to them immediately. A few years ago, this would have been unheard of.
However, as spoofing technology becomes more sophisticated, this type of attack is becoming more and more common. While it is a rare form of attack on the whole, it is something that everyone should be aware is possible and actively happening. Be vigilant and use other forms of communication to verify the legitimacy of requests, big or small.
Also of interest: Know your hacks: 8 of the biggest hacks in history!
Caution is the best policy
It’s sometimes surprising the lengths attackers will go to in order to manifest an attack on an organisation. Always err on the side of caution. Unfortunately, you can never be too careful, and most attackers will attack indiscriminately.
When it comes to safety over the summer, training is key. Attackers are always looking for new ways by which they can trick users into clicking links or downloading malware.
As such, it’s increasingly important that adequate training is given to users in all organisations so that they can best identify common tactics and avoid them, including not clicking on links that may be suspicious or giving away too much information to third parties in emails.