From beach to breach: the risks of working on holiday


While holidays are supposed to be a time for relaxation, we’re all guilty of checking our emails when we should be thinking about the beach. Perhaps you’re waiting to hear back on a deal you’ve been nurturing for months, or you just want to see how your team is getting along with that tricky activity – sometimes, it’s just really difficult to completely let go. 

This urge, alongside the increasing ease of being able to access emails and business applications remotely, means more employees are logging in from far-flung places. Yet, while they may think that they’re actually helping the business through being productive on their days off, the truth is that a quick glance at the inbox or WIP document could actually result in cybercriminals gaining access to corporate networks and sensitive data. 

Making things personal is risky 

One risk is that employees revert to using personal devices which could potentially leave networks vulnerable. They might not be covered by the enterprise’s device use policy or security capabilities, meaning they become a weak spot which is difficult to proactively defend. If, for example, a personal device hasn’t been updated with the latest firewall or antivirus, advanced malware may be able to easily infect it. Most infections are designed to go unnoticed, so users will continue to access corporate accounts all the while providing hackers with freedom to do the same. 

Businesses set up Virtual Private Networks (VPNs) to give remote users a secure channel for accessing corporate networks. While in theory this should go some way to mitigating many of the apparent threats, in reality VPNs can have a big impact on speed and performance. This challenge is compounded when employees are relying on weak public Wi-Fi hotspots, in airports and hotel lobbies, for instance. As a result, many simply bypass the VPN altogether, negating its mitigating effect.

Improving performance but decreasing security

There are a couple of major risks with cutting out VPNs. The enterprise most likely has no visibility into what that employee is doing. This is an issue from both an insider threat point of view and a compromised account one. For instance, an employee might visit a dodgy site, perhaps via a link within a phishing email. They download a file onto their device, which turns out to be malware that installs a keylogger, and the user is unaware. When the employee then logs back onto the corporate network and enters their credentials for access to corporate applications, the attacker has everything. Not using VPNs also gives cybercriminals the opportunity to launch man-in-the-middle attacks, where they can steal session IDs and intercept information by impersonating one party within the session.

Another issue with public Wi-Fi hotspots is that their use often relies on employees registering, and people can revert to using corporate credentials, or ones they frequently use, just because they are easy to remember. However, this then means that the username and password combination is stored on a database somewhere, where the enterprise has no knowledge of the security measures protecting it. Moreover, cybercriminals can also create their own seemingly genuine hotspots to dupe users into connecting to them. If employees do fall for this, and it’s very easy to, any information that is then accessed within the session is being recorded.

Shared computers in hotels and business suites also pose a risk. Employees use them to quickly log into corporate email accounts to send items such as boarding passes across to personal ones, but shared computers are a common target for hackers. Whether through remote access hacking or malware / spyware, it’s relatively straightforward for cybercriminals to hoover up any credentials that are entered, thus giving them keys to sensitive and valuable datasets. There is also a far less technical risk in that employees may just forget to log out properly, leaving accounts wide open for the next user.

Embrace cloud for security 

Encouraging employees to actually take time off and stay away from corporate networks while on holiday would seemingly be the most straightforward measure, but it’s difficult to enforce. As such, businesses need to be more proactive in how they defend their networks, both for when employees go on holiday and for increasing cloud use.

The biggest alteration all firms have to make is embracing the cloud to support cybersecurity. Many are still reliant on ‘moat and castle’ or network-centric measures which are increasingly becoming redundant as more people break away from the traditional office working environment. 

The issue is that centralised data centre hubs and legacy hardware were never developed to cope with the demands of cloud use. Fluctuating traffic, having to backhaul data from user to data centre and then back again, the constant flow of sensitive data out of network-perimeters, and the sophistication of threats all combine to overwhelm legacy setups and appliances. Not only does this greatly impact performance, but unsuitable platforms can leave datasets vulnerable. 

Firms too stuck in their ways will soon find themselves fighting – and losing – a never-ending battle, with data loss happening on a regular basis. However, adopting cloud-based cybersecurity provides scalability on a global scale that can support expanding user bases and more feature-rich applications.

More granularly, companies need the ability to create and define custom access policies for vital functions and applications. When access is based on certain permissions, individuals will have to prove their identity via a number of authentication methods before being given access. This means that should devices become compromised or misplaced, the new ‘user’ won’t be given free rein within corporate networks. For data of high sensitivity, organisations may be wise to restrict access only to corporate-registered devices, mitigating the security issues that arise from using personal ones.
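
The access rules described above, sketched as a small policy evaluator. This is an added example, not code from the author or from any product; the application names, the policy table and the `evaluate` function are hypothetical, and the sample requests are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # ask for a further authentication method
    DENY = "deny"

@dataclass(frozen=True)
class AppPolicy:
    high_sensitivity: bool  # True: corporate-registered devices only
    required_methods: int   # distinct authentication methods needed

@dataclass(frozen=True)
class AccessRequest:
    app: str
    device_registered: bool                    # enrolled with the company
    verified_methods: frozenset = frozenset()  # methods passed this session

# Hypothetical policy table (constructed for this example).
POLICIES = {
    "webmail": AppPolicy(high_sensitivity=False, required_methods=2),
    "finance-db": AppPolicy(high_sensitivity=True, required_methods=2),
}

def evaluate(req, policies=POLICIES):
    policy = policies.get(req.app)
    if policy is None:
        return Decision.DENY  # default deny: no policy means no access
    # Check the device first: extra authentication cannot make an
    # unregistered device acceptable for high-sensitivity data.
    if policy.high_sensitivity and not req.device_registered:
        return Decision.DENY
    if len(req.verified_methods) < policy.required_methods:
        return Decision.STEP_UP
    return Decision.ALLOW

if __name__ == "__main__":
    # Constructed requests: a personal phone on holiday, then a work laptop.
    both = frozenset({"password", "totp"})
    for req in (
        AccessRequest("webmail", False, frozenset({"password"})),
        AccessRequest("webmail", False, both),
        AccessRequest("finance-db", False, both),
        AccessRequest("finance-db", True, both),
    ):
        print(req.app, req.device_registered, evaluate(req).value)
```

The ordering of the checks is what keeps a stolen password plus a second factor on a personal device from reaching high-sensitivity data: the device test denies before the authentication count is ever considered.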

Another key activity that businesses must undertake is providing cyber training. Regardless of the sophistication of cyberattacks, the biggest threat to a business will always be its employees – and that risk is greatly multiplied if workers aren’t educated enough around security. Employees are rarely acting maliciously; they are attempting to do their jobs better, but that login from the beach using the tiki bar’s Wi-Fi could do more harm than good. With regular training, employees are more aware of the risks they could pose and will think twice before acting.

Chris Hodson, EMEA CISO of Zscaler 
