Enterprise security hardships await wherever we travel — especially during summer vacation. Connecting to an organization’s software while on vacation is different from doing so on a business trip. Employees’ mindsets are different; they’re not supposed to be working, but they’re bound to check their email or access that document that just needs a little more attention. In this increasingly digital world, it’s getting tougher for us to disconnect no matter where we are or what we’re doing. This predicament represents a huge security risk for the enterprise.
Guarding Enterprise Data
With the abundance of hacking tactics available to threat actors, it’s easier than ever to launch an attack, especially on public Wi-Fi. For example, pen testing tools like Cain and Abel and WiFi Pineapple can be used nefariously to steal passwords and enable theft of the data protected by them. If employees learn just one thing before enabling the good old out of office message, let it be this: Steer clear of public Wi-Fi unless they’re using a VPN.
Although Wi-Fi vulnerabilities tend to garner more attention, it’s also important to remember how easy it is to wreak havoc with Bluetooth. When the average Bluetooth device has a range of 100 meters (over 300 feet), a hacker gets plenty of room to be stealthy. The BlueBorne tool, for example, can attack your phone without touching it. What makes Bluetooth so vulnerable, according to Jerry Irvine, CIO and partner of Prescient Solutions and member of the National Cyber Security Task Force, is the inherent insecurity of the technology.
“For many devices, the passwords are either 0000 or 11,” he said, “so people can get to your device [through Bluetooth] and connect as a keyboard or a mouse or an entry device.” Once connected, threat actors can intercept or download information from your device. Irvine recommends turning off any services you’re not using on your phone until you need them.
Wireless concerns aside, there are many other security pitfalls to consider while on vacation, and employees should exert caution before invoking their extended out of office rule. For instance, at this time of year, there are a lot of travel-related emails and social media links that look legitimate but are anything but. Getting a message offering a chance to save 50 percent off airfare or one free night in a hotel is enticing. But according to Irvine, seven out of 10 of those are phishing scams that could take you to a malicious site that may install ransomware.
“Users need to be very cautious while clicking on the embedded links or attachments,” he said. Instead, he suggested, they should take the extra step to go directly to the airline, hotel or travel site. Even clicking on a link from a search engine results page may lead to an infected website.
And what about when employees are at the coffee shop and nature calls? It’s only going to take two minutes, right? Those two minutes are more than enough time for a well-dressed thief to sit down at the table as if he or she belongs there, pack up a laptop and exit stage left. It’s far too easy, and Irvine hears about it all too often. “It’s simple: Don’t leave your devices alone,” he advised.
A Robust Fail-Safe for Security Risks
One critical security measure for the enterprise is to ensure your employees have — or are correctly using — a mobile device management (MDM) solution. MDM allows companies to manage and enforce security policies as well as detect when a device has been compromised. Security teams can remotely initiate a wipe of the device, ensure employees don’t launch specific apps without a secure connection or disable or remove unapproved applications.
These quick tips only begin to secure the shallows of this deep ocean of potential pratfalls plaguing the enterprise with a lax-minded workforce this summer. Vacation brain is a powerful force, and in this state, security doesn’t receive the mindfulness it requires for success. Humans are and always will be the weakest link in the security chain, and summertime only reinforces the credo. The enterprise must do all it can to take security into its own hands and accept that most employees aren’t putting security first.
Sure, some of the onus is on the employees, but it’s best to err on the side of caution.