
It’s standard practice to switch your ‘Out of Office’ status on when you’re off work. It’s courteous, manages expectations, and tells co-workers and clients that you won’t read their emails for a while.
But could your ‘OoO’ message reveal too much about you? Is it really necessary to broadcast the dates of your summer holiday? And is this seemingly innocuous routine exposing your organisation to a greater risk of a cyberattack?
Data from the UK Government’s latest Cyber Security Breaches Survey reveals that 74% of large businesses and 66% of high-income charities experienced some form of cyber breach in the previous 12 months. And, of all the different types of cyber threats, phishing attacks were by far the most common, with 84% of businesses and 83% of charities being hit.
Given this huge rise in phishing scams, cybersecurity experts ramsac are offering helpful advice on managing your ‘Out of Office’ status safely and securely so that you don’t provide cybercriminals with the ammo they need to launch more convincing and targeted attacks.
The Risk
The biggest risk associated with ‘OoO’ messages is phishing – a criminal activity where attackers trick people into revealing sensitive information by posing as a trustworthy source. The more details about you the attacker can access, the more effective and successful the attack.
For instance, including specific return dates in your OoO status enables cybercriminals to time their attacks for maximum impact. This could see bad actors target your colleagues by pretending to be you or someone else, knowing there would be no form of immediate verification because you’re sunbathing on the beach.
Similarly, cybercriminals armed with your return date may craft convincing emails exploiting temporary security gaps that arise when you’re unavailable. As is the case with most cyber breaches, phishing scams are more effective when the attacker has access to these specific details.
Here’s how you can strike the perfect balance between business courtesy and robust security to prevent your organisation from falling victim to a cyber attack.
The Solution
If the traditional ‘all-inclusive’ Out of Office message is part of your business practice, here’s how to be extra vigilant and ensure your workplace absence doesn’t become a window of opportunity for cybercriminals.
Don’t Reveal Specific Dates
By setting specific dates for your absence in your OoO status, you’re giving away vital information that could be used to target colleagues via a phishing attack. Instead of revealing your precise date of return, use general language without telling people exactly when you’re back. An easy way of doing this is with a simple message, such as ‘Thank you for your email. I am currently out of the office and will respond to your email when I return.’ It’s polite and informative without revealing key details about your period of absence.
Avoid Places and Locations
You may be jetting off to The Bahamas, but you don’t need to tell the world by adding it to your Out of Office message. Sharing your whereabouts and length of absence also poses a significant physical security risk, especially for high-profile people whose homes may also be threatened. By withholding geographical references in your OoO status, you’ll enhance both your personal and digital safety and prevent criminals from accessing key information.
Be Vague About Reasons for Your Absence
Your colleagues will be thrilled that you’re holidaying on some far-flung tropical island. But there’s simply zero requirement to mention the specific reason for your workplace absence. Whether you’re on a business trip, attending a conference, or taking a family holiday, never expose these personal details in your OoO message as attackers may use them to fuel a phishing attack. Simply stating that you’re ‘out of the office’ or merely ‘away from my desk’ is sufficient. Remember to keep it vague and don’t provide cybercriminals with details that reveal more about your absence than is necessary.
Provide Alternative Contacts
While you should give only minimal information away with your OoO messaging, providing details of an emergency contact could ensure business operations run smoothly when you’re away from your desk. That way, any high-priority queries can be handled promptly by a chosen colleague, without compromising security. However, contact names should be withheld and only a phone number provided so that you avoid giving details out that could assist cybercriminals in their research.
Strengthen Your Human Firewall
One of the most effective ways to improve cybersecurity across an organisation is to strengthen your human firewall. Educating your teams on ways to spot a phishing attack or data breach is essential for cyber health, and it includes creating secure OoO messages when you’re away. Therefore, regular employee training about phishing attempts and other social engineering tactics should become a major focus of your company’s cybersecurity strategy.
Always Update Your Cybersecurity Knowledge
Cybercriminals are always looking at new ways to exploit human vulnerabilities and weak points in cyber defences. Cyber risks are evolving all the time, so it’s important to make a habit of regularly reviewing your OoO messages and other automated replies you may set up. Rectify any errors immediately and ensure your OoO always follows robust security practices.
So, while Out of Office replies may seem rather insignificant to a company’s wider cybersecurity health, they can be a weak link when not handled properly. By being extra vigilant over the information you share, you can protect yourself and your organisation from phishing attacks and other potential cyber threats.