Take a vacation—just not from cybersecurity best practices!

It was the end of my first day of vacation, a spectacular day spent riding the cable cars and hiking in the mountains near Chamonix, France.

I’ll admit it: I felt the urge to share some vacation pics via Facebook. After all, I’d spent most of the summer following my friends as they posted their vacation pictures, and I was eager to share in that feeling of community by sharing my own.

But then I flashed back to a presentation I gave to a group of executives two months earlier. Here, I had reminded them that because of their privileged access to financial systems and employee and customer data, they were prime targets for dedicated cybercriminals.

“As executives,” I told them, “your credentials are the keys to a kingdom of data, and your influence over your employees makes information about you especially precious.”

Along with some other coaching I provided about cybersecurity best practices, I offered this tip: when you go on vacation, don’t post it on social media. After all, I explained, cybercriminals have long known the value of monitoring the social media accounts of those high in a company.

Job title, likes and dislikes, business partner relationships … all this information is freely available on LinkedIn and other sites and can be used to craft spear phishing emails. Combine that with the knowledge that an exec is away, and you’ve got a recipe for the kind of phishing scams you read about in the headlines.

If you’re a person with privileged access in a company—executives, yes, but IT and finance and more—a criminal who has been watching your company and watching you personally could easily gather enough clues about you and your company to craft a compelling email or a text message when they learn you’re off on vacation.

Imagine how those stuck back at work might respond to a note from you that says: “Hey, it’s Tom, writing from my personal account. I’m locked out of the finance Share folder—can you send me those acquisition files? I need them ASAP.” Most people would resist such a message, but most is not enough. If even one employee responds to a phishing attempt like this, the damage could be extreme.

When it comes to my own vacation photos, I kept them to myself until I was safely back at home. Only then did I share them with my friends (using the privacy controls in the social media apps, of course). I’ll admit, waiting this long was a bit of a struggle. Even as a relative social media novice, there’s an allure to the instant gratification of collecting likes and comments on a photo as soon as you capture it.

But this meager and short-lived thrill is not worth the risk. Once home, I got to enjoy the likes and comments of my friends just the same as if I’d shared the pictures right away, all with the potential for harm kept to a minimum.

Compared to the difficulty of transitioning to a password manager or taking the time to call IT when I discovered something that I thought was amiss, postponing the sharing of my vacation pictures was pretty easy. Once, of course, I got past the initial urge to post.

But the dynamic in all these “secure acts” was the same: it took a conscious act of will to bypass the easy or desirable thing and do the secure thing. It’s that little expression of willpower and commitment to security that we’re trying to instill in ourselves and our employees every single day that we run an awareness program. It’s what we’ve got to get all our employees to do, every single day, when we ask them to avoid phishing attempts (especially those REALLY tempting ones), report suspected incidents, use strong passwords, and classify data appropriately.

So by all means, take a vacation—just not from cybersecurity best practices.