
It’s summer holiday time in the northern hemisphere, which means that most organisations (including the head offices of a lot of multinationals) are preparing for a time of relaxation and leisure. But these seasonal breaks also present significant cyber security risks.  

As employees take time off, the reduction in workforce and potential lapses in vigilance can make companies more vulnerable to cyber-attacks. Whether you’re hitting the beach or the piste, here’s what you should pay attention to before switching on your out-of-office replies – and what you can do to ensure that being out of office doesn’t mean being in a world of trouble. 

Your cyber expert
Kevin Groves

Sales Director | Cyber Risk

kgroves@thomasmurray.com

Pre-holiday reading list: What to prepare for 

Increased vulnerabilities during times of reduced staffing 

During holiday seasons, many organisations operate with reduced staffing levels or rely on temporary hires, which can lead to delayed responses to cyber incidents. Staff hired to provide short-term cover don’t necessarily get the cyber security training they need to alert them to sophisticated attempts, nor do they necessarily have the organisational awareness needed to confidently flag or escalate concerns.

A reduction in team capacity could also lead to reduced levels of attention paid to the activities that manage and reduce risk. 

Threat actors can exploit these gaps in security that result from fewer people being around to monitor systems, detect anomalies, and respond to threats.  

A study by the Ponemon Institute found that organisations take an average of 191 days to identify a data breach and 66 days to contain it. This response time can be even longer during holiday periods, when staffing levels are lower. 

Phishing attacks and social engineering 

Cyber criminals often take advantage of the fact that employees are out of the office by increasing phishing and social engineering attacks. With out-of-office replies indicating who is unavailable, and often what their job titles are, attackers can craft convincing emails that appear to be from colleagues or senior executives, tricking recipients into disclosing sensitive information or clicking on malicious links. AI-generated imitations of real people have already managed to dupe people over remote calls, so don’t underestimate this risk. 

According to the 2021 Verizon Data Breach Investigations Report, phishing remains one of the most common tactics used in breaches, accounting for 36% of incidents. 

Remote access and BYOD risks 

HR departments have more than one reason to ensure that people really do ‘switch off’ while they’re on leave. Employees on holiday might access corporate resources using personal devices or unsecured networks, increasing the risk of a security breach.  

The use of public Wi-Fi in hotels, airports, and cafes can expose sensitive data to interception. Additionally, personal devices may lack the necessary security measures, such as updated antivirus software or strong passwords, making them easier targets for cyber criminals.  

A report by HP found that 70% of office workers use their personal devices to access corporate data, so the risk is real and very likely present in your organisation. 

Conditional access rules that restrict logins by country (geoblocking) can be relaxed for people who are travelling overseas and still need access to company data. Although easily circumvented, this control acts as an initial hurdle against login attempts by less-skilled attackers.

Insider threats 

While external threats are a major concern, insider threats can also escalate during holiday periods. Reduced oversight and blurring of boundaries can occur when people take on additional responsibilities to cover the annual leave of their colleagues. Disgruntled employees or those with malicious intent might take advantage of the decreased oversight to steal data or sabotage systems.   

The Ponemon Institute found that insider threats have increased by 47% over the past two years, with the average incident costing US$11.45m. 

Avoiding the post-holiday blues: How to mitigate cyber risks 

1. Implement robust security policies 

Make sure everyone in your organisation is aware of, and adheres to, cyber security policies, including when working remotely or when they’re on leave. This includes using strong, unique passwords, enabling multi-factor authentication, and avoiding public Wi-Fi for accessing sensitive information. 

2. Policy exceptions and accountability 

Organisational needs may warrant exceptions to policies, but mechanisms for assessing and articulating the risk associated with deviations from policies should be developed.  

Sign-off should be documented and escalated to the appropriate senior people. These mechanisms and clearly established processes not only protect the organisation, but also more junior members of the team who may get requests for information or remote systems access from holidaying executives (see also point 4 below).

3. Increase monitoring and incident response 

Enhance monitoring capabilities during holiday periods to quickly detect and respond to potential threats. Consider using automated security tools and services that can operate around the clock. A cyber security retainer is a great way to guarantee access to help when you need it. 

Monitor for unusual behaviour or access patterns that could indicate an insider threat. Implement strict access controls and ensure that sensitive data is only accessible to those who need it. 
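
One way to combine the time-bounded geoblocking exception and the leave-period monitoring described above, as an added example that is not part of the original article. The user names, country codes, dates and log format are all constructed for illustration.

```python
from datetime import date

# Constructed policy data (assumptions for this example, not from the article).
ALLOWED_COUNTRIES = {"GB"}
# Documented, signed-off travel exceptions: user -> (country, first day, last day).
TRAVEL_EXCEPTIONS = {
    "asmith": ("ES", date(2024, 8, 5), date(2024, 8, 16)),
}
# Staff whose leave calendar says they should not be signing in at all.
ON_LEAVE = {
    "bjones": (date(2024, 8, 1), date(2024, 8, 14)),
}

# Constructed sign-in log lines: ISO date, user, ISO country code, result.
SAMPLE_LOG = """\
2024-08-06 asmith ES success
2024-08-20 asmith ES success
2024-08-07 asmith BR failure
2024-08-07 bjones GB success
2024-08-07 cwhite GB success
"""

def evaluate(day, user, country):
    """Return the list of findings for one sign-in event."""
    findings = []
    if country not in ALLOWED_COUNTRIES:
        exc = TRAVEL_EXCEPTIONS.get(user)
        if exc is None or exc[0] != country:
            findings.append("geo-blocked: no exception for this country")
        elif not exc[1] <= day <= exc[2]:
            findings.append("geo-blocked: travel exception expired or not yet active")
    leave = ON_LEAVE.get(user)
    if leave and leave[0] <= day <= leave[1]:
        findings.append("review: sign-in while on leave")
    return findings

def scan(log_text):
    """Parse the log and return (line, findings) for every event needing attention."""
    alerts = []
    for line in log_text.splitlines():
        day, user, country, _result = line.split()
        findings = evaluate(date.fromisoformat(day), user, country)
        if findings:
            alerts.append((line, findings))
    return alerts

if __name__ == "__main__":
    for line, findings in scan(SAMPLE_LOG):
        print(line, "->", "; ".join(findings))
```

Giving each exception an end date means the relaxed rule lapses on its own when the traveller returns, rather than depending on someone remembering to revoke it.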

4. Conduct phishing awareness training 

Regularly train people to recognise phishing attempts and social engineering tactics. Simulated phishing exercises can help reinforce this training and keep teams vigilant, especially as threat actors are continually refining and improving their techniques. 

5. Secure remote access 

Provide your people with secure remote access solutions, such as virtual private networks (VPNs), and ensure that all devices accessing corporate resources have up-to-date security patches and Endpoint Detection and Response (EDR) software to enable remote response if needed. 

6. Prepare, prepare, prepare 

If yours is a large organisation or subject to regulation, you will need to go above and beyond even the most stringent preparations made by smaller operations. The chances are you are a particularly attractive target for threat actors who are just waiting for a moment’s lapse in your defences.  

Consider putting your organisation through its paces with penetration testing and tabletop exercises. Ensure tests include variations that represent holiday realities, including restricting the impact and/or input of key individuals to ensure a high level of resilience is met.  

As always, we are ready to help with all aspects of your cyber security, so that you can lie on the beach without being caught napping. Talk to me and the team about how we can ensure your happy holidays. 
