How to Vacation Safely, Without Increasing Your Cyber Security Risk

The combination of pandemic lockdowns and remote work has led to a stockpile of unspent PTO. With vaccination rates increasing and travel restrictions lifting, people are starting to use their vacation days in droves. But that doesn’t mean hackers — or their bots — are taking time off. 

(Side note: Criminal hackers really should take time off. They’ve been working overtime lately!) 

It has been a while since workplaces have prepared for vacation season. Just as social skills have gotten rusty over the past year, many folks have forgotten security practices they should follow when leaving work behind.  

Your security team may be getting questions from people who’ve forgotten (or never knew) how to prepare for time off. We’ve put together a handy guide to help. Feel free to steal and share the Q&A below with your organization. 

Question 1: How do I separate work and play?

Dear Barbara,

My work and personal lives have been intertwined for more than a year. I use the same laptop and passwords for everything. I can’t wrap my head around the idea of taking time off. I know I have a problem. Where should I start?

From,
All Work, No Life

Answer 1: Establish boundaries

Dear All Work,

Work belongs at work, even if that’s no longer associated with a physical location. Think about the harm your boundaryless life may be inflicting on your organization: using the same password for a mix of personal and professional tasks means you could be one errant click away from infecting your company with malware.

Make sure you don’t mix passwords for work and personal activities. If you can do without your device, don’t take it on vacation (I’m not!). Never take work-related information on vacation, especially sensitive or personal data.

Securely yours,
Barbara

Question 2: What should I do before vacation?

Dear Barbara,

Do you have a list of IT tasks I need to do before leaving work?

Signed,
Organized and Template-Driven

Answer 2: Top 8 IT tasks before vacation

Dear Organized,

Forethought and planning take the stress out of vacation.

  1. Make a list of things people need to know or work on while you’re away. Separate the list into Time-Sensitive and Non-Time-Sensitive items. Leave a plan and pause the non-urgent items whenever possible.
  2. Inform your coworkers and provide any training they need. Tell clients and partners who they should work with while you’re off.
  3. Be clear about your availability—if any—while on vacation.
  4. Set up an out-of-office email for coworkers, clients, and partners (see Question 7 for more detail).
  5. Update your voicemail message.
  6. Install software updates. Make sure all devices are running the latest versions of software, so known vulnerabilities are patched.
  7. Log out of all devices, as well as websites and applications. Should anyone gain access to your devices, they won’t have a free pass to any sensitive information.
  8. Turn off and unplug every device you won’t be using. Remove batteries and SIM cards from mobile devices you don’t need.

Securely yours,
Barbara

Question 3: How can I remember my passwords?

Dear Barbara,

I’m planning to completely disconnect while on vacation and I’m worried I’ll forget my passwords. Should I just write them down and stick a note on my computer?

Yours,
Memory Lapse

Answer 3: Store your passwords securely

Dear Memory,

Never write down your passwords. Instead, use a password manager to store them. Privileged access management (PAM) solutions store your passwords in an encrypted vault. They make sure passwords are complex and are rotated often, working behind the scenes so you never have to remember — or even see — your passwords.

Securely Yours,
Barbara

Question 4: How do I share passwords with people who are covering for me?

Dear Barbara,

While I’m away, my colleagues will need access to the systems I use. Is it better to email them my passwords, put them in a shared document, or print out a page with passwords?

Just wondering,
Passing Words

Answer 4: Don’t share passwords!

Dear Passing,

So many things wrong with your note, where should I start?

How about:

DO NOT SHARE ANY PASSWORDS.

You should not, could not, in an email.

You could not, should not, leave a trail.

Not in a doc. Not in Slack.

Don’t make IT take your access back.

Instead, work with your IT team to set up a separate account for the person covering for you with temporary privileged access. This may require approval from management. Don’t leave these permissions in place permanently; assign an expiration date. If possible, the account should automatically expire on the date you return.

If you absolutely must share a password, share it securely via a privileged access management (PAM) solution. That way, all user activity can be monitored and audited centrally.

Securely yours,
Barbara

Question 5: How do I give contractors access?

Dear Barbara,

We’ll be short-staffed when folks are taking PTO, and we’re bringing on contractors. Is it OK for them to just log into our accounts?

Asking for a friend.

Answer 5: Temporary, JIT privileged access

Dear Friend,

Once again: DON’T SHARE PASSWORDS!

Instead, work with your IT team to set up temporary credentials for third parties. They should have temporary access only and it should be monitored so there is a complete audit trail of all third-party activity.

Securely,
Barbs

Question 6: What if I need to connect while on vacation?

Dear Barbara,

What’s the harm in checking email or Slack? What if something comes up that only I can deal with?

With regrets,
Essential Worker

Answer 6: Secure remote access

Dear Essential,

First off, relax! You need time to disconnect.

Give co-workers a way to contact you in the case of an absolute, hair-on-fire emergency.

If you’re bringing your devices, make sure they’re password-protected in case they’re stolen. If you have both a privileged account and a standard user account, only log in with the standard account when you’re on vacation.

If you absolutely, positively must connect to critical work systems while you’re away, never use public, unsecured WiFi. In most countries, you have no expectation of privacy in internet cafes, hotels, offices, or public places. Cyber criminals can insert malicious software into your device through any connection they control.

Securely yours,
Barbara

Question 7: What about out-of-office emails?

Hi Barbara,

Any tips for how to securely write an out-of-office email?

Signed,
OOO

Answer 7: Don’t give too much away

Dear OOO,

Cyber criminals can use information in out-of-office emails to understand when you’ll be away from the office (when your accounts may be unmonitored and more vulnerable). They could also use the contact information of the people covering for you in a phishing attack.

Therefore, only send email reminders to people who are in your contact list or part of your organization. Don’t send automated responses to unknown senders, email lists, or emails on which you were bcc’ed.

Your email should only serve as a reminder that you’re away and that you’ll respond when you return.

Securely yours,
Barbara

Question 8: Social media FTW?

Dear Barbara,

It’s been so long since I’ve been able to post about my adventures … isn’t that what vacations are for?

Signed,
FOMO YOLO Selfie Promo

Answer 8: TMI

Dear Froyo,

I hope you have some amazing adventures! However, sharing your agenda or location on social media allows criminals to keep track of where you are. Wait until you get back, then regale everyone with your stories and photos.

Securely yours,
Barbara

Question 9: I’m back home. What now?

Dear Barbara,

I finally took a vacation. Any advice on what I should do first when I return to work?

Signed,
A Traveling Wilbury

Answer 9: Rotate, revoke, and reset!

Dear Will,

Rotate any passwords for accounts you used while traveling. Revoke access for coworkers or contractors who were covering for you.

Now that you’re recharged, it’s time for a reset. You can head back to work with a clear head and a safe IT environment.

I hope you had a great time!

Securely yours,
Barbara

Looking for more recommendations to set your mind at ease?

Listen to the webinar: Know Before You Go – PAM Tips and Best Practices for IT Admins.

Subscribe to Thycotic's YouTube Channel

Check out our new PAM products, demos and more.

*** This is a Security Bloggers Network syndicated blog from Thycotic authored by Barbara Hoffman. Read the original post at: https://thycotic.com/company/blog/2021/07/06/vacation-safely-and-reduce-your-cyber-security-risk/