Many people have safeguards against burglars when they go on vacation: a friend comes to pick up the mail, or a neighbor parks in the driveway. They know not to post on social media that they are going away since it screams to burglars: “Please come rob me!”
Just like burglars look for signs of who might be an easy victim to rob, cybercriminals are constantly looking for the best time to target victims—which often means when they are on vacation.
What about vacation makes cybercriminals decide to target organizations during this time? And what can your organization and its employees do to defend against cyber attacks this season?
Attacking When Your Guard Is Down
Vacation is prime time for attackers, who know that your cybersecurity team and management may be starting to relax any standard policies they have in place. That means there’s more smartphone and social media use and a perceived sense of freedom from whatever data protection policies are in place at work. Whether you’re using the hotel’s unsecured wifi or public wifi in a busy airport, the chances of stumbling upon a scam or getting hacked increase.
Hopefully, you’re unplugged enough that you aren’t checking email or monitoring accounts as much as during a regular workday. Attackers target these vacation periods because they know that’s when you’re not as vigilant.
With everyone on vacation, you’ve also probably reduced staff in your Security Operations Center (SOC), making a successful attack more likely. Since 49% of SOCs state that staff shortages pose a challenge to incident response during the regular calendar year, the lack of personnel is even more acute during vacation periods.
All Work & No Play Is No Fun for Cyber Teams
With global spending on cybersecurity expected to hit $219 billion this year and set to increase to $300 billion by 2026, it may seem surprising that organizations are short-staffed for cybersecurity practitioners. Yet according to reports, 62% of cybersecurity teams aren’t able to fill positions, and of those who do, 60% cannot retain those hires. Although many cybersecurity practitioners leave for better opportunities at another company, almost half (45%) report leaving their position due to stress.
The result is that many positions are unfilled simply because cybersecurity practitioners know the job would be hard, and they hesitate to take it.
Why is the job so difficult compared to any other job in hi-tech?
First, cybercriminals never go on vacation, so attacks occur 24/7/365. There’s never any end in sight.
Secondly, it’s a thankless job. Think about it for a minute: When was the last time an employee in your organization thanked the security team for patching vulnerabilities or ensuring your network and systems were safe? When did a C-level executive thank your CISO for another week without an attack?
According to Maslow, humans need appreciation and a feeling of accomplishment. If they take a job where they aren’t being appreciated but have an excessive workload, they’ll more easily succumb to burnout.
Pulling You In—Hook, Line, and Sinker
The constant pressure also exists because cybercriminals are always looking to up their game, while security teams are doing their best to beat them at it.
For example, although phishing attempts are a common type of attack year-round, cybercriminals have found a way to make these business email compromise (BEC) campaigns more believable by impersonating the HR team and telling employees they must click on a link to request vacation for their upcoming holiday. Known as CEO fraud, this spear phishing scheme is one of several widespread travel-themed cyber attacks. Other versions target employees with phony discounted tickets or hotel bookings, which are sure to lead to a disappointing vacation experience.
Of course, the most recent attack cybercriminals are executing is linked to AI and machine learning. Cybercriminals can leverage AI to scan social media profiles at scale, then generate phishing emails with open rates as high as 60%. They can also use bots to scan emails and social media to know when business owners and security teams are on vacation.
Chillax and Unwind with Cyber Safety in Mind
Fortunately, even with understaffed security teams and sophisticated attackers, there are simple steps your employees can take to defend themselves during vacation.
First, avoid public wifi at all costs, as it’s a golden opportunity for malware and man-in-the-middle (MITM) attacks, among others. If you have to use public wifi, you should use a Virtual Private Network (VPN).
Enable 2FA, or two-factor authentication, on your devices, and update your apps, browsers, and devices to the latest software version.
Creating a workplace culture of cybersecurity awareness also plays a role since cybercriminals take advantage of department silos in organizations to target their victims.
By employing these steps, security teams can fully enjoy their vacation while defending their organization from attacks—making the world a better place this summer.