Cyber Criminals Never Take Vacation: Why Security Awareness Training is so Important During Summertime
Summer is in full swing in many countries. While the COVID-19 pandemic may be altering vacation plans for some people, many more will still seek an escape from the daily grind of work at some point this summer.
Cyber crime, however, doesn’t go on holiday. On the contrary, many bad actors step up their devious efforts, capitalizing on typically vigilant employees who let their security guard down as they race to leave the office for some fun in the sun.
The reality is that cyber criminals and digital threats are always there, and they can become even more dangerous when employees are out of the office and are not using their devices, checking their email regularly or closely monitoring their online presence.
The impact can be devastating. According to the 2020 Cost of a Data Breach Report conducted by The Ponemon Institute on behalf of IBM, the global average total cost of a data breach in 2020 has risen to $3.86 million.
The good news is that businesses can use security awareness training, assessment and best practices to ensure their organization’s cyber security posture is strong year-round – whether employees are at their desks, at home, or on the beach.
4 Steps Everyone Should Take Before Shutting Down for Vacation
Good security protection starts with a few key steps that everyone in the business should take prior to leaving for vacation.
- Change your passwords and store them in a secure location, such as a password manager application. Do not write them down on paper.
- Store electronic documents on a secure company file sharing server where they can be protected instead of leaving them on your workstation or laptop. Doing the latter can make it easier for someone to compromise or steal your data. Also, refrain from emailing work documents to a personal email account that you access on your own device, as the security protocols and settings are likely less stringent than your employer’s.
- Shred sensitive paper documents or return them to the office instead of storing them at your vacant home.
- Enable out-of-office notifications only for internal senders. If you need to notify external senders, limit notifications to only those in your contacts. The fewer people who know that you are out of the office, the less likely it is that you will be attacked – whether that is a digital break-in or a physical break-in.
Beware of Idle Devices
Endpoint computing devices (PCs, laptops, tablets and cell phones) that are left running and idle while their user is on vacation can be problematic.
While an idle device is less susceptible to a phishing attack that requires the user to be reading an email, the good news stops there. That’s because idle devices are still at risk of being compromised due to zero-day exploits or unpatched vulnerabilities.
Worse still, it may be days, weeks or even longer before the user returns to work and realizes a cyber attack took place.
For those reasons, employers should require employees to simply turn off their devices before leaving for vacation. When they return, employees should make sure their system has all the latest patches and security updates installed before accessing email or browsing the Internet.
How Employers Can Build a Summertime Security Awareness Culture
Managers play a key role in making sure their business and employees stay safe from digital threats. They can:
- Inform employees that the four best-practice steps outlined earlier are not just suggestions; they are mandatory.
- Establish a mechanism to ensure the steps become rules that can be applied consistently across the organization.
- Ask employees to store devices with sensitive information in the office in a secured location.
- Implement a way to apply security patches to idle devices that are connected to the corporate network but turned off.
Finally, managers can encourage their employees to truly disconnect while they are out of the office and make the most of an uninterrupted break. The less pressured employees feel to take work on vacation, the fewer times they will feel compelled to connect to the company network using an unmanaged device over what could be an unsecured Wi-Fi network.
That said, when working from home or on the road is unavoidable, your employees can leverage the Working From Home Cyber Safely Kit that provides an interactive course and resources for security awareness at home.
Getting Cyber Security Buy-in from Smaller Teams
Regardless of the season, some smaller organizations may be challenged in getting staff to take cyber security seriously.
It starts with support from executive management. Have the organization’s leaders make it clear that cyber security is critically important to the entire company, and that every group – large or small – has a role to play. It all starts at the top.
It is also important for staff to have at least a broad understanding of IT security, including the basics of the computing infrastructure, the systems and applications being used, the network that connects them and the key security procedures that are in place.
Part of that understanding should include formal education and training, whether it be self-study or instructor led, online or in-person. Good security awareness training, managed and implemented by a specialist, can play a key role in this effort.
Phishing Simulation: Your Cyber Security Exam Before Summer Break
Organizations should also consider phishing simulations to better understand their risk exposure to this increasingly dangerous form of cyber crime. Real-time phishing simulations can help security leaders determine which employees or users are at highest risk from a phishing attack and better train them to recognize phishing emails, texts or phone calls and report the attempted fraud.
Businesses should also carefully assess their exposure to other risks such as:
- Data leakage – Determine if your organization is at greater risk for unauthorized data access due to information being stored on unmanaged devices or cloud services.
- Data loss – Determine if your organization is at greater risk of losing data because it is not stored in a secure location, such as a server that is behind the network firewall and backed up on a regular basis.
- Unmanaged devices – Determine if your organization is at risk of virus infections due to the use of devices that are not managed by the company’s IT staff. These include personal devices that employees connect to the corporate Wi-Fi (BYOD) or USB devices such as thumb drives.
- Unauthorized software – Determine what applications employees have access to and if they are using software for business activities that could lead to data loss or leakage.
Ultimately, nobody wants to have a great summer vacation ruined by a cyber attack. By implementing cyber security awareness training, using simulations to assess the organization’s cyber security risk and following a few best practices, businesses can help keep their employees and systems safe no matter what season it is.