Pin It

Why checking work emails on vacation puts your company at risk – and what to do about it

By Monu Kalsi


The weather is getting warmer and people are starting to look forward to their well-earned summer vacations. While we all know taking time off is critical for our wellbeing, the reality is many employees don’t disconnect completely while away.

Thirty per cent of Canadians say they work during their vacations, according to a recent survey. For those in human resources, working while on vacation is troubling because it not only puts our employees’ health at risk, but also our company’s information security. Before the summer holidays hit, HR teams should help employees learn how to keep their data secure while enjoying the sun.

Employee behaviour can be a company’s greatest weakness when it comes to data security. A single employee could unwittingly undermine the most sophisticated data security system by simply opening a malicious email attachment or accidently tossing a sensitive document into an unsecured recycling bin. It happens more often than you may think: a third of data breaches in Canada in 2017 involved negligent employees and cost businesses $241 per capita in damages, according to the Ponemon Institute.

Whether or not your employees work during vacation, it’s likely they stay connected to your company in some way, perhaps by simply using the phone on which they have access to work emails (after all, two-thirds of Canadians say their mobile phone is their number one travel accessory). Considering that employees are less likely to be diligent with data security when they’re off the clock, it’s critical for HR professionals to prioritize information security training for travelling employees.

To help keep your employees and company secure, consider adding a component to your employee training that covers information security while on vacation and addresses these five common risk areas:


1. Public Wi-Fi

Any time your employee connects to public Wi-Fi while on vacation, they run the risk of exposing their – or your company’s – device to a hacker tapping into the open network. The biggest concern for HR professionals is that most employees don’t understand the risks of connecting to open networks. More than half (53 per cent) of Canadians don’t know how to identify an unsecured Wi-Fi connection, and at least 88 per cent have potentially put themselves at risk by logging into sensitive sites on open networks, according to a 2017 risk report by Norton.

HR teams can play an important role in equipping employees with the knowledge to reduce the risk of a data breach occurring over a public Wi-Fi network. If your company has a Virtual Private Network (VPN), regularly remind employees to use the VPN to stay secure when surfing the web, even when they’re away. If your company doesn’t have a VPN, encourage your employees to do data security preparations such as completing all banking or important work correspondence at home or the office where the networks are secure before departing on their vacation.


2. Paper documents

While more and more companies are striving to have “paperless” offices, there’s no denying that paper is still widely used by employees. Shred-it’s 2017 Security Tracker survey found that over half (58 per cent) of Canadian C-suites expect the volume of paper used in their organization to increase or stay the same over the next five years. All kinds of printed documents – presentation decks, business plans, client strategy documents – could compromise your company if they fall into the wrong hands.

Your HR team should help employees recognize the risks of carrying around sensitive documents and discourage employees from taking documents outside the office, especially on vacation. Consider running an internal campaign that encourages employees to have a plan for when and where they will securely destroy printed documents and to use alternatives to printed documents whenever possible.

Travellers should also be cautious as to what documents they leave unattended in hotel rooms. Documents such as travel itineraries, presentation slides, credit card slips and boarding passes contain an enormous amount of confidential information that if compromised put employees at a heightened risk for identify fraud. It is a best practice to see if the hotel has a document destruction service that can be used to safely destroy confidential documents no longer needed.


3. Smart devices

The introduction of new smart devices, wearable tech and the Internet of things (IoT) means technology is expanding – and with it the number of access points that exist for a data breach. When it comes to employee travel, personal devices such as smart watches or connected cars could pose a risk if they’re connected to your company’s network. Data security for smart devices is something all employers will have to address in the near future as it’s predicted that more than 25 per cent of cyber-attacks will involve IoT by 2020, according to technology research firm Gartner.

Even if your company has security measures in place for Internet-connected devices, such as password requirements or separate networks to pass sensitive data, it’s critical that your employees know which devices could pose a security risk and how to use them. Consider incorporating a section on smart devices into your regular information security training.


4. Travel documents

Boarding passes contain personal information that can compromise your employees on their travels. According to cybersecurity experts, a boarding pass can give a fraudster access to a traveller’s seat number, frequent flyer details, fare paid and last four digits of the credit card number used to purchase the ticket.

While a breach of information from a boarding pass may not put your company at risk directly, as an HR professional you want to help your employees protect themselves from identity theft whenever possible. As part of your training for vacation data security, encourage employees to use electronic boarding passes or hold on to their paper copies until they are able to shred them securely at a hotel or at home.


5. Emails

It’s important for your HR team to help employees build up the skills to easily identify a potential email threat, wherever and whenever they happen to check their emails. Try introducing an interactive exercise to your employee training sessions that simulates real phishing emails and reviews the common signs that indicate an email is fraudulent.

As an HR professional, you have the responsibility to develop company practices that keep employees healthy and safe, inside and outside the office. This is the perfect time to give your employees a valuable refresher on information security best practices to keep themselves safe and secure over the summer.

Monu Kalsi is the vice president of Shred-it.



Pin It