It was the end of my first day of vacation, a spectacular day spent riding the cable cars and hiking in the mountains near Chamonix, France.

I’ll admit it: I felt the urge to share some vacation pics via Facebook. After all, I’d spent most of the summer following my friends as they posted their vacation pictures, and I was eager to share in that feeling of community by sharing my own.

But then I flashed back to a presentation I gave to a group of executives two months earlier. Here, I had reminded them that because of their privileged access to financial systems and employee and customer data, they were prime targets for dedicated cybercriminals.

“As executives,” I told them, “your credentials are the keys to a kingdom of data, and your influence over your employees makes information about you especially precious.”

Along with some other coaching I provided about cybersecurity best practices, I offered this tip: when you go on vacation, don’t post it on social media. After all, I explained, cybercriminals have long known the value of monitoring the social media accounts of those high in a company.

Job title, likes and dislikes, business partner relationships … all this information is freely available on LinkedIn and other sites and can be used to craft spear phishing emails. Combine that with the knowledge that an exec is away, and you’ve got a recipe for the kind of phishing scams you read about in the headlines.

If you’re a person with privileged access in a company—executives, yes, but IT and finance and more—a criminal who has been watching your company and watching you personally could easily gather enough clues about you and your company to craft a compelling email or a text message when they learn you’re off on vacation.

Imagine how those stuck back at work might respond to a note from you that says: “Hey, it’s Tom, writing from my personal account. I’m locked out of the finance Share folder—can you send me those acquisition files? I need them ASAP.” Most people would resist such a message, but most is not enough. If even one employee responds to a phishing attempt like this, the damage could be extreme.

When it comes to my own vacation photos, I kept them to myself until I was safely back at home. Only then did I share them with my friends (using the privacy controls in the social media apps, of course). I’ll admit, waiting this long was a bit of a struggle. Even as a relative social media novice, there’s an allure to the instant gratification of collecting likes and comments on a photo as soon as you capture it.

But this meager and short-lived thrill is not worth the risk. Once home, I got to enjoy the likes and comments of my friends just the same as if I’d shared the pictures right away, all with the potential for harm kept to a minimum.

Compared to the difficulty of transitioning to a password manager or taking the time to call IT when I discovered something that I thought was amiss, postponing the sharing of my vacation pictures was pretty easy. Once, of course, I got past the initial urge to post.

But the dynamic in all these “secure acts” was the same: it took a conscious act of will to bypass the easy or desirable thing and do the secure thing. It’s that little expression of willpower and commitment to security that we’re trying to instill in ourselves and our employees every single day that we run an awareness program. It’s what we’ve got to get all our employees to do, every single day, when we ask them to avoid phishing attempts (especially those REALLY tempting ones), report suspected incidents, use strong passwords, and classify data appropriately.

So by all means, take a vacation—just not from cybersecurity best practices.