Holidays are a necessity, that’s for sure. Everyone needs to relax, to spend quality time with family and friends, to disconnect. But, ironically, in order to disconnect, we end up connecting (our mobile, our laptop) to whatever network we have at hand.
And here comes the danger, because we could be opening the door (to our data, our identity, our bank account or, given the expansion of smart homes, the door to our home) to all those criminals who use cyberspace to find victims.
But that is not the only danger: holidays take us out of the (a priori) safe space of the office and home and, either out of necessity or due to the relaxation of our habits at this time of year, we lower our guard against threats.
That’s why we’ve compiled a series of tips so that you can go on holiday without your cybersecurity going on holiday too.
1. Caution when posting on social media
Let’s start with the basics: information is power, right? Well, if you give away your personal information, you are giving away power over you to strangers. What could happen if you post on your social networks that you are going on holiday with dates and destination?
It could be that someone interested in stealing your data designs a super-convincing phishing scam posing as your hotel or your airline.
Or a thief with a bit of patience and basic internet skills could find out where you live. It’s not that hard either: who hasn’t uploaded their CV, with all their personal details including postal address, when looking for a job? If they know where your house is and that you are sunbathing on the beach, it will be much easier for them to find you.
2. Beware of the “out of office” message: this is how to set it up
However, not all the risks are on social networks: what about corporate email and automatic “out of office” replies? A priori, enabling the automatic response seems good practice, so that a client who writes to you knows you will not be attending to them because you are on holiday. But these automatic responses do not discriminate: they will send sensitive information about your company to anyone, including possible attackers, who will use it to try to gain access to corporate systems.
As the DirectDefense website explains: “Email phishing is a very common attack vector that relies heavily on a person in a company clicking on an incorrect link or unwittingly providing personal information to a malicious entity. To gain access to the network through phishing, attackers can also take advantage of employees who are not even using their email”.
Here’s a typical “out-of-office” email:
I am currently unable to attend to you due to my holiday period from 1 to 15 July, inclusive.
Please contact my supervisor Mr. So-and-so firstname.lastname@example.org in case you need urgent attention.
915555555, Digital Operations
The recipient of this information (who could be the sender of a spam campaign) will receive the employee’s full name, position within the organisation, address and telephone number, the name and email address of their supervisor (and will be able to deduce the pattern of corporate email creation) and the time window in which the employee could be impersonated.
Therefore, if you are not going to reply to emails and you want to have the courtesy to inform anyone who may write to you of this, it is advisable not to include contact information or personal details of yourself or your colleagues, and to remove your usual signature.
So, a suggestion for a safe automatic reply email would be:
Thank you for getting in touch. I am not available at the moment. I will get back to you as soon as possible.
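As an added example (not part of the original article), here is a small Python check that scans an auto-reply template for the kinds of detail listed above before it is enabled. The rule set and the function names `audit_auto_reply` and `safe_for_external_senders` are illustrative assumptions, and the patterns are heuristics rather than a complete filter.

```python
import re

# Heuristic rules (assumed for this example): one pattern per kind of detail
# the article says an out-of-office reply should not hand to unknown senders.
RULES = {
    "email address": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone number": re.compile(r"(?<![\w@.])\+?\d(?:[\s().-]?\d){6,14}(?!\w)"),
    "absence window": re.compile(
        r"\b(?:from|between)\s+(?:the\s+)?\d{1,2}(?:st|nd|rd|th)?(?:\s+\w+)?"
        r"\s+(?:to|until|and)\s+(?:the\s+)?\d{1,2}(?:st|nd|rd|th)?\b"
        r"|\b(?:until|back on|return(?:ing)? on)\s+(?:the\s+)?\d{1,2}\b",
        re.IGNORECASE),
    "named colleague or reporting line": re.compile(
        r"\b(?i:supervisor|manager|colleague|assistant|deputy)\b"
        r"|\b(?:Mr|Mrs|Ms|Dr)\.?\s+[A-Z][\w-]+"),
    "department or role": re.compile(
        r"\b(?:department|dept|operations|finance|human resources|"
        r"head of|director|team lead)\b", re.IGNORECASE),
}

# The two sample messages quoted in the article.
TYPICAL_REPLY = (
    "I am currently unable to attend to you due to my holiday period "
    "from 1 to 15 July, inclusive.\n"
    "Please contact my supervisor Mr. So-and-so firstname.lastname@example.org "
    "in case you need urgent attention.\n"
    "915555555, Digital Operations\n"
)
SAFE_REPLY = ("Thank you for getting in touch. I am not available at the "
              "moment. I will get back to you as soon as possible.")

def audit_auto_reply(text):
    """Map each triggered rule to the exact fragments that triggered it."""
    findings = {}
    for label, pattern in RULES.items():
        hits = [m.group(0) for m in pattern.finditer(text)]
        if hits:
            findings[label] = hits
    return findings

def safe_for_external_senders(text):
    """A template passes only when no rule fires."""
    return not audit_auto_reply(text)

if __name__ == "__main__":
    for name, reply in (("typical", TYPICAL_REPLY), ("safe", SAFE_REPLY)):
        print(name, "->", audit_auto_reply(reply) or "no sensitive details found")
```

A check like this fits best as a review step for templates sent to external senders; a reply restricted to internal contacts can reasonably carry more detail.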
Another cybersecurity risk vector related to email and holidays is the potential for phishing. It is a time when we receive many emails from companies to confirm a hotel room reservation, a rental car payment or a plane ticket purchase.
As the OSI (Office of Internet Security) says: “If you are going to check your inbox, remember to take a few extra seconds to think before replying to an alarming email, downloading an attachment or clicking on a suspicious link”.
3. Say “no, never” to free wifi networks (and even more so to open wifi networks)
Let’s move on to another possible holiday scenario. You are travelling, for example, to Thailand and your flight has a stopover in China. Once at the airport you discover that the flight that was supposed to take you to Thailand has been cancelled and the airline offers you no help whatsoever. You’re trapped and you’re desperate to find another flight to get you out of there, so you wander around the airport looking for a wifi network to connect to with your mobile phone and buy the flight.
You try the paid networks, but they’re in Chinese and you can’t get through the login process, so you connect to a free wifi network, which is much simpler. OK, you log on to the website, buy the flight by entering your credit card and then log on to your email to see that you have received your boarding pass. Problem solved, then?
You may have found a way to continue your dream holiday, but in return you have left your credit card number and all the associated security codes, as well as your personal details, your email address and the password to access it, on an untrusted network.
The chances of someone on the other side of the free wifi charging your card are terrifyingly high. Therefore (and this advice applies all year round, not just on holidays), never connect to public networks: you know, if a product is free, then the product is you (or your information).
In the long run it is always cheaper to pay the extra data charge on your SIM card than to expose all your information, especially your bank details, on an unreliable public network. However, if you have no choice but to connect to a public network, avoid accessing personal accounts and entering sensitive data, especially bank details, as much as possible.
By the way, your company’s security managers will be very grateful if you do NOT connect to your corporate email, or any type of company application, from this type of untrusted network, because the credentials you use could fall into the hands of an attacker and lead to extremely costly losses for the company. You are on holiday, remember: you have to disconnect.
4. Don’t download PDF travel guides or install apps of suspicious origin
It’s also typical on holiday to be too lazy to carry around a standard paper travel guide, with all the weight and space it takes up in your backpack, and to decide instead to download an app or PDF you’ve just found on the internet.
It’s possible that the writer of that guidebook put their best tips and knowledge of the city you’re going to into it, but it’s also possible that someone took that app or PDF and repackaged it with a virus before uploading it again.
So don’t download files of dubious origin and never install apps outside the official Android (Google Play) or iOS (Apple’s App Store) markets.
5. And one more thing
One last tip before you go on holiday: update your passwords and keep them in a safe place such as a password manager application, so that when you return to work you don’t add to your post-holiday depression the stress of finding that your passwords have expired and you are unable to resume your work duties.
To close on a good note, digitalisation has not only brought cybersecurity risks to the holiday environment. It also offers interesting possibilities such as programming your smart light bulbs to switch on and off at different times or raising and lowering your home automation blinds, making a potential burglar believe that you are inside your home.
Happy and safe holidays!