How to Vacation Safely, Without Increasing Your Cybersecurity Risk
The combination of pandemic lockdowns and remote work has led to a stockpile of unspent PTO. With vaccination rates increasing and travel restrictions lifting, people are starting to use their vacation days in droves. But that doesn’t mean hackers—or their bots—are taking time off.
(Side note: Cybercriminals really should take time off. They’ve been working overtime lately!)
It has been a while since workplaces have prepared for the vacation season. Just as social skills have gotten rusty over the past year, many folks have forgotten security practices they should follow when leaving work behind.
Your security team may be getting questions from people who’ve forgotten (or never knew) how to prepare for time off. We’ve put together a handy guide to help. Feel free to steal and share the Q&A below with your organization.
Question 1: How do I separate work and play?
My work and personal lives have been intertwined for more than a year. I use the same laptop and passwords for everything. I can’t wrap my head around the idea of taking time off. I know I have a problem. Where should I start?
All Work, No Life
Answer 1: Establish boundaries
Dear All Work,
Work belongs at work, even if that’s no longer associated with a physical location. Think about the harm your boundaryless life may be inflicting on your organization: using the same password for a mix of personal and professional tasks means you could be one errant click away from infecting your company with malware.
Make sure you don’t mix passwords for work and personal activities. If you can do without your device, don’t take it on vacation (I’m not!). Never take work-related information on vacation, especially sensitive or personal data.
Question 2: What should I do before vacation?
Do you have a list of IT tasks I need to do before leaving work?
Organized and Template-Driven
Answer 2: Top 8 IT tasks before vacation
Forethought and planning take the stress out of vacation.
- Make a list of things people need to know or work on while you’re away. Separate the list into Time-Sensitive and Non-Time Sensitive items. Leave a plan and pause the non-urgent items whenever possible.
- Inform your coworkers and provide any training they need. Tell clients and partners who they should work with while you’re off.
- Be clear about your availability—if any—while on vacation.
- Set up an out-of-office email for coworkers, clients, and partners. (See Question 7 for more detail.)
- Update your voicemail message.
- Install software updates. Make sure all devices are running the latest versions of software, so known vulnerabilities are patched.
- Log out of all devices, as well as websites and applications. Should anyone gain access to your devices, they won’t have a free pass to any sensitive information.
- Turn off and unplug every device you won’t be using. Remove batteries and SIM cards from mobile devices you don’t need.
Question 3: How can I remember my passwords?
I’m planning to completely disconnect while on vacation and I’m worried I’ll forget my passwords. Should I just write them down and stick a note on my computer?
Answer 3: Store your passwords securely
Never write down your passwords. Instead, use a password manager to store them. Privileged Access Management (PAM) solutions include the functionality to store your passwords in an encrypted vault. They make sure passwords are complex and are rotated often, working behind the scenes so you never have to remember—or even see—your passwords.
Question 4: How do I share passwords with people who are covering for me?
While I’m away, my colleagues will need access to the systems I use. Is it better to email them my passwords, put them in a shared document, or print out a page with passwords?
Answer 4: Don’t share passwords!
So many things wrong with your note, where should I start?
DO NOT SHARE ANY PASSWORDS.
You should not, could not, in an email.
You could not, should not leave a trail.
Not in a doc. Not in Slack.
Don’t make IT take your access back.
Instead, work with your IT team to set up a separate account for the person covering for you with temporary privileged access. This may require approval from management. Don’t leave these permissions in place permanently; assign an expiration date. If possible, the account should automatically expire on the date you return.
If you absolutely must share a password, share it securely via a Privileged Access Management (PAM) solution. That way, all user activity can be monitored and audited centrally.
Question 5: How do I give contractors access?
We’ll be short-staffed when folks are taking PTO and bringing on contractors. Is it ok for them to just log into our accounts?
Asking for a friend.
Answer 5: Temporary, JIT privileged access
Once again: DON’T SHARE PASSWORDS!
Instead, work with your IT team to set up temporary credentials for third parties. They should have temporary access only and it should be monitored so there is a complete audit trail of all third-party activity.
Question 6: What if I need to connect while on vacation?
What’s the harm in checking email or Slack? What if something comes up that only I can deal with?
Answer 6: Secure remote access
First off, relax! You need time to disconnect.
Give co-workers a way to contact you in the case of an absolute, hair-on-fire emergency.
If you’re bringing your devices, make sure they’re password-protected in case they’re stolen. If you have both a privileged account and a standard user account, only log in with the standard account when you’re on vacation.
If you absolutely, positively must connect to critical work systems while you’re away, never use public, unsecured Wi-Fi. In most countries, you have no expectation of privacy in internet cafes, hotels, offices, or public places. Cybercriminals can insert malicious software into your device through any connection they control.
Question 7: What about out-of-office emails?
Any tips for how to securely write an out-of-office email?
Answer 7: Don’t give too much away
Cybercriminals can use information in out-of-office emails to understand when you’ll be away from the office (when your accounts may be unmonitored and more vulnerable). They could leverage contact information for people who are covering for you in a phishing attack.
Therefore, only send email reminders to people who are on your contact list or part of your organization. Don’t send automated responses to unknown senders, email lists, or emails on which you were bcc’d.
Your email should only serve as a reminder that you’re away and that you’ll respond when you return.
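The rules above (no auto-reply to unknown senders, email lists, or messages on which you were bcc’d) can be written as a filter that an auto-responder applies to each incoming message. This is an added example, not part of the original article; the mailbox address, organization domain, contact list, and sample messages are all constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumptions for illustration only (not from the article).
MY_ADDRESS = "alex@example.com"
ORG_DOMAIN = "example.com"
CONTACTS = {"pat@partner.example"}

def should_auto_reply(raw_message: str) -> tuple[bool, str]:
    """Return (decision, reason) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if not sender:
        return False, "no sender address"

    # Rule: never answer mailing-list traffic.
    precedence = msg.get("Precedence", "").strip().lower()
    if msg.get("List-Id") or msg.get("List-Unsubscribe") or precedence in {"list", "bulk"}:
        return False, "mailing list"

    # Rule: if our address is not in To or Cc, we were bcc'd; stay silent.
    visible = msg.get_all("To", []) + msg.get_all("Cc", [])
    if MY_ADDRESS not in {addr.lower() for _, addr in getaddresses(visible)}:
        return False, "bcc'd"

    # Rule: reply only to our organization or to known contacts.
    if sender.rpartition("@")[2] != ORG_DOMAIN and sender not in CONTACTS:
        return False, "unknown sender"
    return True, "known sender"

# Constructed sample messages, one per rule.
SAMPLES = {
    "colleague": "From: Sam <sam@example.com>\nTo: alex@example.com\nSubject: Plan\n\nHi",
    "contact": "From: pat@partner.example\nTo: team@example.com\n"
               "Cc: Alex <alex@example.com>\nSubject: Invoice\n\nHi",
    "stranger": "From: sales@unknown.example\nTo: alex@example.com\nSubject: Offer\n\nHi",
    "list": "From: sam@example.com\nTo: alex@example.com\n"
            "List-Id: <announce.example.com>\nSubject: News\n\nHi",
    "bcc": "From: sam@example.com\nTo: someone@example.com\nSubject: FYI\n\nHi",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {should_auto_reply(raw)}")
```

The From header is easy to forge, so a real deployment should apply the organization-or-contact test to the mail server’s authenticated sender result rather than to the header alone.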
Question 8: Social media FTW?
It’s been so long since I’ve been able to post about my adventures … isn’t that what vacations are for?
FOMO YOLO Selfie Promo
Answer 8: TMI
I hope you have some amazing adventures! However, sharing your agenda or location on social media allows criminals to keep track of where you are. Wait until you get back, then regale everyone with your stories and photos.
Question 9: I’m back home. What now?
I finally took a vacation. Any advice on what I should do first when I return to work?
A Traveling Wilbury
Answer 9: Rotate, revoke, and reset!
Rotate any passwords for accounts you used while traveling. Revoke access for coworkers or contractors who were covering for you.
Now that you’re recharged, it’s time for a reset. You can head back to work with a clear head and a safe IT environment.
I hope you had a great time!