Summer Security: Hackers Don’t Take Time Off

Employees are introducing more security risks while working during their summer vacation, one report says

If you’re sitting in the waiting area of any airport around the world with headphones on, listening to DJ Jazzy Jeff and the Fresh Prince’s “Summertime,” you’re one of many. Checking emails on your phone while waiting to take a break from the monotony? That’s just what attackers are expecting you to do. 

As passengers sit biding their time until they board their flight, bus or train, many likely are scrolling through their phones using a free public WiFi. With all the attention on what to pack, once people are in vacation mode many forget that using the free airport Wi-Fi to get ahead of work emails exposes not only the individual device but also the enterprise to a potential man-in-the-middle (MITM) attack. 

Yes, hackers monitor unsecured Wi-Fi to find their next victims, especially at these peak travel times when more travelers are taking advantage of free Wi-Fi connections not only at the airport but also at the corner coffee shop, bus station and even in their hotels. 

The Risk of Employees Working Everywhere

According to the new “Risks and Riptides Report” published by Lastline, there are myriad cyber-risks facing U.S. organizations during the summer months. Researchers surveyed 1,000 security professionals to understand better the behaviors that impact enterprise security during the summer. Nearly 1 in 5 respondents said that more than half of their employees work from outside the office at least five days—either remotely or while on vacation—throughout the summer. 

“Traditional perimeter and endpoint defenses are already becoming much less effective as more people regularly work remotely and use personal devices. This is exacerbated during the summer with increased travel that results in employees using public Wi-Fi and unmanaged devices,” said Lastline’s CEO, John DiLullo. “The risk rises further when understaffed security teams are left shorthanded or are further overworked, given the increased alerts.”

Organizations, therefore, need to assume their perimeter has been breached, DiLullo said, and use network detection and response technology to detect lateral movement on their network, including attempts to exfiltrate credentials and data.

Accessing corporate networks on public Wi-Fi is a major concern, but 48% of respondents said they also worry that employees will click on a malicious phishing link. Another 43% fear their employees will leave work devices unlocked and unattended in a public place or use applications that are not approved.

Can’t a VPN Fix That?

If travelers find themselves stuck with no option but to use unsecured Wi-Fi, they could simply disconnect and be on vacation. But, if completely disconnecting isn’t an option, there are things they can do to at least minimize risk.

“A virtual private network (VPN) works by encrypting your data, which means your information is translated into a code that only the VPN server can decipher,” said Francis Dinha, CEO of OpenVPN. “It also masks your IP address, or digital footprint, as it’s often called, which makes you unrecognizable to internet service providers (ISPs) and the rest of the internet in general.”

A VPN also allows employees to virtually access their private network safely from a remote location, rather than exposing themselves or the company to cyber threats.

However, it’s important to recognize that a VPN is not a panacea. A VPN can only minimize risk, not completely mitigate it. “Even while IT departments insist on using VPNs to access network resources, employees getting infected remotely still represent risk by simply walking back into the office and automatically being connected to the company’s Wi-Fi network,” according to the Lastline report. “The expanded attack surface is already a test for security teams, so it’s no surprise that expanding it even more during the summer, as a result of more employees working remotely, is a concern and a challenge.”

Summer Days Drifting Away, But Oh, Those Security Pros

Unfortunately, security professionals aren’t having such a blast on their summer nights. Unlike their colleagues, 36% of security staff said they don’t take time off because they fear that their absence would make their organizations more vulnerable.

Not all news is bad, though: “Perhaps due to being on heightened alert, over a third (36%) believe that their response time to a cyberattack would actually be faster compared to other times of the year,” according to the report.

Kacy Zurkus

Avatar photo

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 62 posts and counting.See all posts by kacy-zurkus