Summer is here, and with it come vacation auto-replies, standby schedules, and consultants half-logged in from summer houses and hotel rooms. But while you're trying to wind down, attackers are not. Holiday periods are a favourite time for threat actors because we tend to lower our guard.
Holiday periods are when threat actors thrive. Less staff. More distraction. A perfect storm.
Threats Don't Take Time Off
Many people still work during the summer. Some do so officially, and others "just in case." Remote logins, company laptops on the road, and admin roles kept active even during leave all increase the attack surface.
Working from a summer house on a personal network is not secure by default. Taking corporate devices abroad can introduce risks, especially in countries with aggressive surveillance or border inspection policies. Conditional Access might block you from logging in if you're on the wrong device or in the wrong country. And if your IT or security team is reduced during the holidays, any incident will take longer to detect and handle.
Security Risks Go Up When Routines Go Down
Remote work during vacation adds risk. Some common scenarios:
- Working from personal networks or mobile hotspots that aren't secured or segmented.
- Taking company devices abroad, potentially exposing them to border inspection or surveillance risks.
- Unplanned Conditional Access lockouts due to geolocation, device posture, or lack of compliance.
- Reduced monitoring capacity in IT or security teams, meaning slower response to incidents.
All of this increases the chance of something going wrong, and it happens fast when defences are relaxed.
First Things First: Clarify Expectations
Before packing your bags, employees - especially consultants - should have a clear agreement with their employer:
"Am I expected to work or be on standby while I'm on holiday?"
If the answer is anything other than a clear "no," you are not on a true holiday. Even a single call, login, or task breaks the legal definition of a continuous holiday period, which can affect both compliance and well-being. This matters from both HR and legal perspectives, and from a security one, too.
If you're expected to work or be available on standby:
- Confirm how and from where you're allowed to access systems.
- Check that your access rights won't be blocked by Conditional Access or geo-restrictions.
- Ensure you have a secure and approved setup, especially if you'll be outside the country.
Essentials for a Secure Summer
- MFA is not optional.
And not just any MFA. Phishing-resistant methods like FIDO2 security keys or hardware-bound passkeys should be standard. If you're still relying on push notifications or SMS, it's time to catch up.
- Limit your access.
If you're off, you shouldn't be carrying admin roles. Use just-in-time access when needed. No one should be walking around with standing privileges on vacation.
- Don't trust the network.
Hotel Wi-Fi, cafés, airports: treat all of them as hostile environments. If you have no other choice, use a secure VPN. Just remember: VPNs are not privacy tools. They help secure your connection, nothing more.
- Don't mix personal and professional.
Don't save corporate passwords in your private browser. Don't work from your family's tablet. Don't open client data on your vacation phone. Keep environments separated.
- Test your setup.
Check Conditional Access rules. Make sure your device is compliant. Confirm access before you leave, not when you're in a rush and locked out.
Don't Overshare Your Holiday
Be mindful of what you post on social media. Broadcasting that you're on vacation, especially with details about where you are and how long you'll be gone, can invite both physical and digital threats. Wait until you're back home before sharing those beach photos or location tags.
Attackers use public information to time social engineering attacks, phishing attempts, and even physical theft. What looks like a harmless update to friends can also be intelligence for someone with bad intentions.
Take Your Holiday Seriously For Security's Sake
Your vacation is not a grey area. It's either off or it isn't. And if you're working, you need secure access, the right setup, and clarity on what you are expected to do.
Cybersecurity doesn't take time off. Let's not give attackers an open door while we're trying to disconnect.