Many employees are requesting a "hybrid holiday" — where longer holidays are booked with the intention of spending time working remotely from the travel destination. In a Virgin Media O2 survey from earlier this year, 76% of workers polled said they were considering adding remote-work days around their annual leave to extend their time away.
Question: What are the risks of employees going on a hybrid holiday?
John Ayers, Interim CISO and Vice President of Product, Advanced Detection, & Response at Optiv: Threat actors are like any other criminals — they do reconnaissance, and social media has become the best recon tool in the trade craft. With employees now looking to combine work with holiday plans, this has only increased the security risks for users and their companies.
Let's take an example of going overseas to Rome. It's a nice place to visit, but you also need to work. First, Internet is not a "like for like," meaning the type of access you would have there is not like yours at home. Yes, we all have been led to believe coffee shop and hotel Wi-Fi is OK to use since COVID — but it is not.
Second, not all locations are friendly. Most companies should be deploying, or have already deployed, geo-blocking in order to prevent employees from connecting in countries or locations with high risk or out of the US. Geo-blocking is a great tool to prevent and deny all access from a region. Most CISOs today need to protect access to data, which means denying access from devices based on location. They are trying to prevent MitM (man-in-the-middle attack). Why is that important? MitM employs someone setting up an access point that might not be what you think it is.
Each time you fire up the laptop or mobile device and log into Amazon or your work email, you are practicing what we call "data in motion" using the rogue Wi-Fi connection, which is now collecting all that data.
The risks here are:
- Location. You now are advertising where you are.
- Browsing history.
- Purchasing. Yes, the credit card you used was just compromised. How do you avoid that? Tether your device and get an Internet plan with a secure option. I have used TEP Wireless because it grants me access wherever I go using an always-on VPN. Check with your company about traveling — especially out of the country.
So, the next time you try to take vacation and look to access your company's email and OneDrive, remember this: Using public Wi-Fi is like buying sushi at a gas station — you never know how sick you will get until you consume it.