The security risks of checking emails on your holiday

Over the last few weeks you have probably noticed the office has been a bit quieter, with a few more empty desks than usual. It’s a problem organisations have every year as staff head off on their summer holidays.

Fortunately – or perhaps not – modern technology means employees can be thousands of miles from the office but only a few clicks from their inbox. Some of us will have the restraint to leave work commitments behind and focus on what’s truly important: finishing that bottle of sangria and getting a few dozen pictures for Instagram.

But for many, the fear of a neglected inbox is too much. If we ignore it, we know it’ll get revenge by reading “999+” upon our return to the office. So what harm can it do to steal away for 20 minutes to check if there are any urgent messages?

A lot, as it turns out.

Don’t overburden your security team

Imagine the stress you put on IT staff when they see login attempts pop up from across the globe. Jim from accounts logging in from St. Lucia; Allison in HR opening a spreadsheet in Rome. Are these genuine requests? And, even if they are, who’s to say that an illegitimate login hasn’t snuck through?

You can’t expect security personnel to stay on top of where everyone is going for their holidays and to double-check every time they log in – particularly when there’s a good chance they’ll be short-staffed themselves.

The most robust solution, at least for employees who don’t travel for work, might be to automatically lock an account when a login attempt occurs from an unusual location.

This effectively bans people from checking in on work while on holiday – something that might please the employee’s fellow travellers (and, perhaps deep down, the employee themselves), but it’s not always ideal, and it could backfire in the event of an emergency.
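The lock-on-unusual-location rule described above, as an added Python example (not code from this article or from any product). The user names reuse the article's examples; the country codes, the log format and the `travels_for_work` flag are assumptions, and the log lines are constructed.

```python
from dataclasses import dataclass


@dataclass
class Profile:
    usual_countries: frozenset      # countries this user normally logs in from
    travels_for_work: bool = False  # assumption: travellers are exempt from auto-lock
    locked: bool = False


# Constructed sample log (not real data): "timestamp user country-code"
SAMPLE_LOG = """\
2024-08-05T08:58:00Z jim GB
2024-08-05T14:02:00Z jim LC
2024-08-05T14:03:00Z allison IT
2024-08-06T09:00:00Z jim GB
2024-08-06T09:05:00Z mallory GB
"""


def sample_profiles():
    """Hypothetical directory: Jim never travels for work, Allison does."""
    return {
        "jim": Profile(frozenset({"GB"})),
        "allison": Profile(frozenset({"GB"}), travels_for_work=True),
    }


def decide(profiles, user, country):
    """Return 'allow', 'review', 'lock' or 'deny' for one login attempt."""
    profile = profiles.get(user)
    if profile is None or profile.locked:
        return "deny"                 # unknown account, or already locked
    if country in profile.usual_countries:
        return "allow"
    if profile.travels_for_work:
        return "review"               # queue for the security team, do not lock
    profile.locked = True             # unusual location, non-traveller: lock
    return "lock"


def process(log_text, profiles):
    """Apply the policy to each log line, in order; return the decisions."""
    decisions = []
    for line in log_text.splitlines():
        if line.strip():
            timestamp, user, country = line.split()
            decisions.append((timestamp, user, country, decide(profiles, user, country)))
    return decisions


if __name__ == "__main__":
    for row in process(SAMPLE_LOG, sample_profiles()):
        print(*row)
```

The fourth log line shows the cost the article mentions: once the account is locked, Jim is denied even from his usual country until someone unlocks it.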

What about VPNs?

Many security experts have suggested that VPNs (virtual private networks) are the solution for the security risks associated with remote access.

VPNs take a private network (i.e. the one you use in the office) and extend it across a public network, like a Wi-Fi hotspot.

This allows users to send and receive data across a public network without the associated risks, such as compromised connections and man-in-the-middle attacks.

However, it’s essential that you remember the limitations of VPNs. Although they provide a secure channel between two endpoints, there’s still a residual risk that an employee’s device might be compromised and infect corporate resources.

Plus, like any application, a VPN can have security flaws that can be exploited. So, if you use one, you must ensure that it’s patched and updated regularly.

Educate employees on the risks

Many of the security concerns around remote access come down to a lack of awareness: employees simply don’t consider the repercussions of logging into their accounts from far-flung places.

After all, it’s not just the risk that staff won’t notice a compromised account. There’s also the threat of:

  • Public Wi-Fi being compromised, enabling cyber attacks;
  • Losing a work laptop, phone or removable device; and
  • Opportunistic criminals peering over an employee’s shoulder and seeing sensitive information.

To ensure these threats don’t affect your organisation, you must take the time to teach staff what they can do to prevent them.

Our Information Security and Cyber Security Staff Awareness E-Learning Course provides a quick, convenient way to teach these lessons. You don’t need to worry about getting everyone together at the same time or finding a trainer. Instead, you can give staff a link to our official, GCHQ-approved course, which they can take from the comfort of their desk at a time that suits them.