In the first place, intruders using ‘social engineering’ techniques will find that simple “Out of office” messages can give them an excellent foothold for breaching security. These messages often give information like where you are, how long you’ll be away for, who will be taking care of things in your absence... and all of this information can in turn be used to trick unsuspecting or untrained switchboard staff into giving away even more information.
To deal with this kind of problem, the best thing is to simply avoid leaving an automatic message (depending on your own company’s policy, of course) and if you do, make it as brief as possible. Just say that you’re not in the office and that’s all. Most people won’t be interested in exactly where you are or when you’re getting back, and if they really are, they can easily contact someone else in the office to sort things out while you are away.
Very often people leave someone to keep an eye on their inbox to deal with anything important that comes in. But delegating this task implies a breach of security policies, which should not even be considered if the information is in any way sensitive. Even in order to let someone check your mail, you’ll have to give them your passwords for connecting to the network and mail server.
So obviously you can only leave someone that you can trust with this data, as at any time in the future they would be able to enter the network pretending to be you and with your privileges.
The best solution is to temporarily change the access details (passwords etc.). If you normally use certain details throughout the year, you can create new ones when you are going to leave someone in charge of your email. In this way, when you return you can simply restore the usual passwords and continue working normally. Also, make sure these temporary passwords can’t give away any clues as to how to work out your usual passwords. If, for example, your usual password is a combination of your initials and those of the person next to you, make sure you use a different system to create your temporary password.
Finally, another widely used method for staying up-to-date with what’s going on at work is to redirect mail to another address so that you can check your email even if you can’t connect to your company’s server. So from your laptop you can work as if you were in the office. The problem comes when you access your mail from a computer that isn’t yours, such as in a business centre or cyber-cafe. Many people use these computers every day and just as they leave information there, they can also read the information you leave: from simple, apparently unimportant emails to details of your company’s bid for the latest projects… your competitors could be very grateful. Even if the information is not sensitive, you are still leaving your email address where it could later be used for malicious purposes.
Nowadays, for very little money, anyone can get hold of flash memory devices that connect to USB ports. Even medium-sized memories like this can support a small email client and so with one of these, by-passing the security measures that may be in place is a piece of cake.