Now that the travelling season is very much upon us, executives and key personnel at all levels will be deciding whether to pack a tablet or a slim laptop or just rely on their smartphone.
In today’s precarious jobs market, very few professionals feel confident enough of their position to be completely cut off from their colleagues for weeks on end, even when travelling on holiday. Irrespective of any potential psychological harm that today’s remorseless ‘always-on’ culture causes, there are seasonal dangers of which every Ciso and CIO should be acutely aware.
Travelling executives and techies are always a nightmare for security departments. Laptops stolen from unlocked cars or rooms, smartphones misplaced on a night out and other physically compromising events are only the tip of the cybersecurity iceberg. For example, an executive checking their emails in a hotel lobby on the hotel Wi-Fi is open to an old-fashioned “Pineapple” attack, where someone also the lobby has a portable device in their bag that effectively takes over the local Wi-Fi allowing criminal full access to whatever online activity the others in the room are engaged in. Anyone compromised in this fashion is likely to remain unaware of it until it is too late.
Cybersecurity problems acerbated in July and August
But these problems are exacerbated during the holiday-season months of July and August. For example, someone relaxing on the beach is more likely to have a panicked reaction to an urgent-sounding message from their workplace. Squinting at the screen in bright sunlight, they may not remember to stop and check the URL from where the message was sent before clicking on a link. If the fake message sounds sufficiently convincing and appears to come from a trusted colleague and contains personal references, a travelling executive can easily be duped into opening a link and inadvertently downloading a malicious payload or supplying confidential access codes.
According to a report published last year by the US Cybersecurity and Infrastructure Security Agency: “Cyber actors have conducted increasingly impactful attacks against US entities on or around holiday weekends over the last several months…In some cases, this tactic provides a head start for malicious actors conducting network exploitation and follow-on propagation of ransomware, as network defenders and IT support of victim organizations are at limited capacity for an extended time.”
The report added that, in 2021, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) both observed an increase across the United States in highly impactful ransomware attacks occurring on holidays and weekends, when offices are normally closed, as recently as the Fourth of July holiday of that year.
Beware weaponized QR codes in cafes and bars
But, this year there are even more opportunities for determined cybercriminals. Most cafes, restaurants and bars, even in fairly undeveloped regions, now have free wi-fi with poor or almost non-existent cybersecurity for the use of customers. Many also have a QR code printed on the table rather than a regular menu to be scanned with the customer’s smartphone. Unfortunately, QR codes can be designed to operate in in a similar way to an innocent-looking weaponized link in a phishing email. The diner can still see only the menu on their smartphones and are unaware of the poisoned payload they have accidentally downloaded that will expose any confidential data held on the diner’s smartphone. A weaponized QR code is impossible to spot without highly sophisticated software.
The only real solution is for staff to leave any devices carrying sensitive data or passwords at home and use a purely private device for things like scanning QR codes or hopping onto the bar’s Wi-Fi network to make a WhatsApp call.
The same thing applies to other mobile devices such as tablets and laptops. All these devices are proving irresistible to cybercriminals anxious to make a killing during the travel season. According to a survey from Forbes Advisor conducted at the start of this year, 43% of respondents had their online security compromised while using public Wi-Fi. Forbes Advisor recommends ensuring that any Wi-Fi network accessed is secured with encryption technology and that you use a strong password on your device. It also suggests using a virtual private network (VPN) when connecting to public Wi-Fi.
The widespread adoption of artificial intelligence (AI) by cybercriminals at all levels means that this summer is likely to be particularly dangerous for travelling executives and key staff. Professionally executed, spear phishing, the process of targeting a specific executive or key member of staff involved what was previously a tedious process called ‘social engineering’, which meant trawling social networking sites, conference announcements, corporate websites, industry journals and other sources to build a detailed profile of the targeted individual and their travel plans. What might have taken a relatively inexperienced hacker days or even weeks can be achieved in minutes using publicly-available AI platforms such as Microsoft-backed ChatGPT.
It is essential that cybersecurity teams immediately educate all staff on the dangers of accessing online services while travelling. They should also take pains to ensure that there is restricted access to confidential data while staff are on leave. Those key members of staff who potentially may need access to the corporate network while travelling or at a holiday location should be taught to use a VPN and to carry their own wifi hotspot, a common feature on many smartphones, and use that to log in rather than joining an open network at an airport, hotel or café.
