It’s mid-July and your CEO, Mike, is taking his annual two-week vacation in Scotland, where he’s visiting his wife’s family. So far things have been unremarkable while he’s out, but today you receive a text from a number you don’t recognize:
Hi, it’s Mike. Lost my phone and had to borrow from someone. In a jam & need $25k sent to this account IMMEDIATELY. Will explain when I get back.
There’s a link, and it looks legit, so you wire the money as fast as you can. You text back to let Mike know you’ve taken care of it and he replies with a thumbs-up emoji. You sigh with relief that you’ve come through for your boss when he needed you most, and it isn’t for another two weeks when he returns that you realize you fell for a $25,000.00 phishing scam.
What the hell just happened?
Cyberattackers Don’t Go on Summer Vacation
Things get relaxed around the workplace in the summer. Dress is more casual, the office is quieter due to vacations, and the pace slows down a bit while coworkers or clients are out of town. But cyberattackers are hard at work, and they’ll take advantage of any opportunity you give them. That includes launching complex, coordinated attacks over national holidays like July 4th or Labor Day, since they know staffing will be at a minimum.
Work life may be more relaxed during the summer, but your cybersecurity practices had better be as vigilant as ever.
As personnel transition in and out of the office, your organization needs to make sure you’re staying on top of compliance and security best practices. You also need to ensure that your vacationing employees know how to protect the company while they travel.
Here’s what you need to do to help keep your organization safe from data breaches and cyberattacks this summer.
Protecting Your Company During Summer Vacations
As you’re entering into the summer months, make sure you have your disaster recovery and business continuity contact list up to date before people leave town. It wouldn’t do any good to have a bunch of phone numbers or email addresses that are no longer valid.
As personnel request time off for summer vacations, make sure you have the coverage you need — not just for day-to-day work, but for security and compliance roles as well. Your security program should be in an Operational Mode that maintains compliance by fulfilling security-related tasks on a regular basis.
That means that you need personnel filling the gaps throughout the summer as employees go on vacation.
Plan strategically and well ahead of time so that you can ensure that all your bases are covered:
- Who will be the backup for the people who are out of the office?
- How will you time your team’s vacations?
- What knowledge gaps need to be covered as people sub in and out?
Make sure that anything that needs to be transitioned to others gets taken care of before the employee leaves town.
If it’s been a year since your backup people filled in, they may need a refresher. Or, processes may have changed during that time, and your backup person may need to do things differently from last year. Don’t just drop their new responsibilities on their lap on your way out of town, but set aside time beforehand to go over your tasks and walk your backup person through any modifications and refresher training.
Also, backup personnel should keep a list of any important elements that may need to be transitioned back to the vacationer upon their return. In some cases, things will get sorted out on their own and there’s no follow-up needed. But keeping a list of any open items that the primary person will need to step into can be a tremendously helpful way to transition back. This helps the person returning to effectively know where to focus their time instead of attempting to glean these details while pouring through thousands of missed emails.
Basically, it comes down to this: plan before you leave and have a plan for your return.
Train Your Employees for Security on Vacation
Make sure your personnel on vacation have secure connections in case they need to jump in and do some remote work. They should have a secure hotspot or internet connection while they’re on the road, and they should never connect to public WiFi if they can help it.
Vacationers should follow best practices about personal devices and public WiFi:
- Only use a secure hotspot to connect to the internet.
- Always be cognizant of your surroundings — when you’re on the road, there’s an increased possibility that someone else can view your screen and see what you’re doing.
- Enable your VPN.
- Implement mobile device management on employees’ devices.
Educate your personnel about traveling to other countries. Make sure they have the capability for international calls. Especially if your employees travel to high-risk countries, they should be thoughtful about the devices they use and the way they access the internet. Consider establishing company policies about what hardware your employees can travel with, and where.
You might also consider issuing burner phones to employees while they travel. Some companies disallow network laptops and work phones to travel in certain regions, and they will provide burner phones to personnel so they can travel with a phone that has no email or other sensitive information on it.
If you choose this option, be sure to store the burner phone number in your employee contact list (and to remove it when the burner phone is no longer in use).
Strategize Your Compliance Engagements
Depending on the timing of your annual compliance engagements, summer could be a peak season for security and compliance activities. Think through summer vacations and their impact on your compliance engagements.
It’s one thing to have someone out for one week, but it’s another thing to be without them for two weeks or longer. In some cases, an employee will save up their vacation time throughout the year and spend it all at once on a long trip. In that case, the impacts of missing someone with compliance responsibilities are substantially higher.
There will be gaps on your team as people are in and out of the office throughout the summer. Chances are, you’ll have a specific individual who is responsible for specific evidence, and they’ll be out of town for a week or two. Develop a strategy for managing gaps that allows you to keep your engagement on schedule. It’s important to have a game plan, so you can meet your delivery timelines for your Assessor.
Watch Out for Summer Scams
Certain cyber scams are easier to fall for during the summer.
As people go on vacation, cyber attackers often pose as someone who is out of the office. If they’ve gained access to someone’s calendar or email account, they’ll know when that person is on vacation. They can plausibly pose as the vacationing employee and send messages to others at the office in order to steal money or gain more access into the system.
Next thing you know, you have an issue on your hands.
Hackers can spam thousands of accounts with junk emails, monitoring for out of office replies that bounce back. Those messages tell attackers that you’re on vacation, giving them an opportunity to pose as you.
It’s also common to see IRS scams around this time of year. Hackers pose as the IRS claiming that there’s a problem with your tax return and they need you to contact them using a fake link.
The takeaway: if you ever receive any unexpected message, always be suspicious. Verify the source before following any instructions. Go to the known, legitimate source to validate information presented in various forms of inbound communication.
Protect Your Company from Summer Cyberattacks
Workplace culture is more laid back and casual during the summer, and that’s a good thing — as long as you’re staying vigilant about your cybersecurity efforts. Never let your guard down when it comes to protecting your organization from bad actors and cyberattacks. There’s no vacation from creating and maintaining a culture of compliance for your business.
Get equipped with insider expertise
Subscribe to the TCT blog