Employee productivity is heavily dependent on getting adequate rest. Burnout, poor concentration, mental blocks, and increasing errors are just some of the problems workers can fall into when they do not get a chance to rejuvenate. This is why organizations take vacation time seriously and compel staff who haven’t taken their leave days to do so as soon as they can. While going on vacation is good for both the organization and employee, there are cybersecurity risks that are introduced or elevated when a worker goes on leave.
Once an employee has left the premises, they would ordinarily stay away from all work-related communication and system access. If their login credentials were to fall into the wrong hands, someone with criminal intent could access the system without authorization for as long as the employee is away. The unauthorized person here could be an employee, a contractor, or a third party.
Since the employee is not around to keep tabs on the use of their account, the unauthorized activity wouldn’t raise eyebrows. It would pass for normal actions of an authorized user. By the time the worker returns, an extensive data breach could have occurred.
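One way to make such activity visible, shown here as an added example that is not part of the original article, is to compare authentication events against recorded leave dates. The leave table, the log format, and every name and address below are constructed for illustration.

```python
from datetime import date, datetime

# Constructed leave records, e.g. exported from an HR system (hypothetical format):
# username -> (first day of leave, last day of leave), both inclusive.
LEAVE = {
    "asmith": (date(2024, 7, 1), date(2024, 7, 14)),
    "bjones": (date(2024, 7, 8), date(2024, 7, 12)),
}

# Constructed authentication log: ISO timestamp, user, source address, result.
AUTH_LOG = """\
2024-06-28T17:02:11 asmith 10.0.4.21 success
2024-07-03T02:14:55 asmith 203.0.113.50 success
2024-07-03T02:15:40 asmith 203.0.113.50 success
2024-07-09T09:30:00 bjones 198.51.100.7 failure
2024-07-10T11:00:00 cdoe 10.0.4.33 success
2024-07-15T08:59:02 asmith 10.0.4.21 success
"""


def logins_during_leave(log_text, leave):
    """Return (timestamp, user, source, result) for every authentication
    event that falls inside the account owner's recorded leave window.
    Failed attempts are kept too: guessing against an idle account matters."""
    hits = []
    for line in log_text.splitlines():
        try:
            ts_raw, user, source, result = line.split()
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue  # skip blank or malformed lines
        window = leave.get(user)
        if window and window[0] <= ts.date() <= window[1]:
            hits.append((ts, user, source, result))
    return hits


if __name__ == "__main__":
    for ts, user, source, result in logins_during_leave(AUTH_LOG, LEAVE):
        print(f"REVIEW {ts.isoformat()} {user} from {source}: {result}")
```

Matches are items for review rather than proof of compromise, since staff in key roles may legitimately connect while away.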
Employees in key roles may have to stay connected to their company’s network when on leave to respond to critical emails and tackle some game-changing decisions.
Sometimes, the only connection at their disposal is a public WiFi network. But public WiFi is not within their control. It’s possible for the confidential information they transmit through it to be intercepted. An attacker may even create a WiFi access point with a misleading name such as “Airport Café” or “Airport WiFi.” This would dupe an unsuspecting passerby into connecting to it, thinking it’s the official WiFi for the area.
Use of public WiFi cannot always be avoided but if it has to happen, this should be done over a virtual private network (VPN). A VPN will create an encrypted channel between the employee’s device and their corporate network.
Email attachments received from clients, files downloaded from the company intranet, and applications signed onto personal devices are all hazards when an employee proceeds on leave. These are a danger even when the employee hasn’t gone on vacation. However, they’ll be spending much more time at home when they are on leave.
Also, there’s a chance they’ll travel with their personal laptop, tablet, smartphone, or USB drive to new locations. So, it won’t just be their usual circle of friends and family who could see confidential company information. Strangers they interact with wherever they go could eavesdrop or steal this data.
When a worker goes on leave, someone has to take charge of their role for the period they will be away. For this to happen effectively, a comprehensive handover is crucial. A poor handover, however, doesn’t just affect the operational aspects of the job. There could be cybersecurity hazards as well.
For example, if there’s any data that is only on the departing employee’s personal gadget but is not copied to the company’s file server or shared with their substitute, it could be lost forever if the worker’s device is stolen.
A poor handover can have disastrous cybersecurity consequences. But a poorly skilled stand-in is even worse. They could be the target of social engineering and other forms of cyberattack. If the person standing in for the employee going on leave isn’t conversant with social engineering techniques such as phishing, baiting, pretexting, and piggybacking, then there’s a real danger of an attacker exploiting their lack of knowledge.
They are especially vulnerable to an in-house adversary such as a fellow employee or a contractor since these people will be aware that there’s a new, inexperienced person in the role.
The tight schedules of the routine workday can make it difficult for a rogue employee to find time to conspire with third parties in the theft of company data. But when they proceed on leave, they have plenty of time on their hands to craft and execute an elaborate scheme.
They could do this by sharing the data directly with the third party or by providing valid credentials the unauthorized party could use to gain access and extract the information themselves. They may even collaborate with an attacker to share knowledge of the organization’s security infrastructure, thus making it easier for hackers to break through.
Phishing emails are an ever-present danger. But employees have the good fortune of being protected by the organization’s email spam filter and therefore hardly get to see them. When they go on leave, though, and spend a lot of time on their personal email accounts, they may not enjoy similarly robust protection.
While Internet email services like Gmail and Yahoo have their own spam and phishing filters, the diversity of emails they contend with means they cannot set an extremely high standard for a message to be deemed problematic. What does this mean for an employee on leave? Now, when they receive that email whose subject says “Accounts” or “IT Support” or “HR Inquiry,” it would appear more believable.
Clicking the link could lead them to a fake web page or introduce malware to their personal device that subsequently extracts any sensitive company information stored therein.
Once a worker walks out of the organization’s doors, there’s a sense of relief. There’s a sense that the processes, procedures, and policies they have to work hard to adhere to cease to apply. They are free. But are they? Not quite. As long as they are on the organization’s payroll, they are still bound by these rules.
Importantly for cybersecurity, going on leave is not a license for employees to slacken on their awareness of the cyber dangers lurking around them. This is the time when a random conversation with a person on a beach that’s thousands of miles from home could actually be a talk with a hacker or the employee of a business rival.
Every employee has to proceed on leave at some point. Organizations should think through beforehand the cybersecurity dangers that could emerge when any of their staff goes on vacation. They can thereafter develop policies, processes, and procedures that reduce the likelihood of these cybersecurity dangers materializing.