How your exposure surface changes when you go on holiday

July 7, 2026

When we go on holiday, our habits change: we connect from new networks, use different devices, carry out more online transactions and share more information. These changes do not create new threats, but they do alter our exposure to Cybersecurity risks and require us to adapt our protection measures to this new context.

From a Cybersecurity perspective, all these changes share a common characteristic: they expand the number of points of interaction with the digital environment and, with it, the opportunities that a cybercriminal may try to exploit.

The threats that exist during holidays are already well known: phishing, credential theft, the interception of communications and the loss of devices are risks that are present all year round. What changes is the context in which we use technology and the way we interact with it.

On holiday, it is not so much the threats that change as the way we become exposed to them.

That is why it is useful to understand how risks evolve when we change our routines. Understanding how our exposure changes is the first step towards adapting protection measures and enjoying a more secure connected holiday experience.

What do we mean by exposure surface?

In Cybersecurity, the concept of attack surface refers to the set of entry points that a cybercriminal could exploit to try to access a company’s systems, devices, applications or data. The larger this surface, the more opportunities cybercriminals have to exploit a vulnerability.

This concept is useful for explaining how personal risks change when we use technology outside our usual routine and environment.

Applied to individuals, we can think of this as a 'personal exposure surface', helping us understand how changes in our habits temporarily increase the number of interactions that need to be protected.

More connectivity also means more points to protect.

Under normal circumstances, the way we use technology tends to be relatively stable: we use familiar devices, access the same online services and connect from familiar environments. During the holidays, that changes. New usage scenarios, connections and interactions emerge, temporarily increasing the elements that need to be protected.

All these changes alter our personal attack surface: the set of devices, networks, applications, services and data we interact with and which can become an access route for a Cybersecurity incident if they are not properly protected.

New networks, new connection points

During the holidays, one of the most common changes is the way we connect to the internet. We leave behind home or corporate networks and start using those in hotels, airports, stations, cafés, coworking spaces and even mobile networks in other countries.

Every unfamiliar network adds a layer of uncertainty.

Every new connection means using an environment over which we have less control. In the case of public Wi-Fi networks, an attacker may try to intercept traffic, set up rogue access points that impersonate legitimate Wi-Fi networks or exploit insecure configurations to obtain information from connected users. Although many platforms now encrypt communications using HTTPS, not all connections or services offer the same level of protection, which means the risk remains, especially when accessing sensitive information.

This scenario becomes even more important when, during a trip, we carry out activities such as accessing online banking, making payments, accessing corporate email or connecting to business applications.

More interactions mean more opportunities for fraud

Travelling also means interacting with a greater number of unfamiliar online services. It is common to manage accommodation bookings, buy transport tickets, book activities, hire vehicles or make online payments more frequently than during the rest of the year. As a result, the volume of emails, messages and notifications we receive from hotels, airlines, booking platforms or transport companies increases.

This rise in legitimate communications creates a context that cybercriminals exploit to launch increasingly credible phishing campaigns. An email appearing to request confirmation of a booking, a supposed gate change, a pending payment or an issue with accommodation is more likely to go unnoticed when we are expecting to receive that same type of information.

Urgency is one of fraud’s greatest allies.

This is compounded by the sense of urgency that often accompanies these kinds of situations during a trip. A flight cancellation, a last-minute change or the need to resolve an issue quickly can encourage rushed decisions, such as clicking on a link without verifying its origin or entering credentials on a fraudulent website.

In addition, the use of AI tools allows cybercriminals to generate increasingly credible messages, web pages or fraudulent communications, adapted to the language, travel context or even the provider with which the user is interacting. This makes fraud attempts harder to identify solely by their wording or appearance.

More shared information, greater exposure

Holidays also tend to lead to greater social media activity. Photographs, videos, locations, recommendations and experiences are part of the way we document and share our travels. However, each post can provide information that, analysed in isolation or combined with other public data, can help build a more detailed profile of our habits and movements.

Geolocation, references to specific dates, itineraries or even images posted in real time can reveal information about where we are or confirm that we are not at home. Although this data is usually shared for personal reasons, it can also be used to prepare more personalised social engineering campaigns or facilitate other types of fraud.

What we publish on the internet and social media can also reveal patterns.

In the professional sphere, the risk goes one step further. A photograph taken from a coworking space, an airport or a meeting can unintentionally show company information visible on a screen, an ID badge, work documentation or even details about projects and clients.

Devices in an unfamiliar environment

Smartphones, laptops, tablets and corporate devices are increasingly likely to accompany us during the holidays. Unlike in the usual work or home environment, these devices are used in airports, stations, hotels, transport or shared spaces, where the risk of loss, theft or unauthorised access increases.

When a device leaves its usual environment, it is not only its physical location that changes: the circumstances of use also change. It is more likely to be left momentarily unattended, connected to unknown networks or used to access both personal and professional services interchangeably. As a result, the device itself becomes one of the main points of exposure in the event of a Cybersecurity incident.

Our devices also leave the safety of familiar environments.

This risk is especially relevant when the device stores sensitive information or provides direct access to business applications, Cloud services or authentication credentials. In these cases, a physical incident can have a greater impact than the loss of the device itself.

For this reason, it is advisable for devices to include protection measures such as storage encryption, password or biometric locking, multifactor authentication for the most sensitive accounts and remote location, lock and wipe capabilities. Likewise, making backups before a trip helps reduce the impact in the event of loss, theft or damage.

When holidays also involve remote working

Workplace flexibility has meant that, for many professionals, holidays no longer involve a complete disconnection. For many employees and remote workers, replying to emails, joining a video call, accessing Cloud documents or managing a one-off issue from a holiday destination is now part of reality.

In these scenarios, exposure is both personal and corporate. The same device can become an access point to critical company information, which means any incident, whether an insecure connection, device theft or a phishing campaign, can have consequences that go beyond the individual sphere.

Working from somewhere else requires us to protect ourselves as much as, or even more than, when we are in the office.

For this reason, it is especially important to maintain separation between personal and professional environments. Whenever possible, it is advisable to use company-provided devices to access corporate resources, connect via a VPN when working from untrusted networks and avoid storing confidential information on personal devices or sharing files through services not authorised by the company.

It is also advisable to take extra precautions in public spaces. Working from a café, hotel or coworking space can expose sensitive information through conversations, video calls or screens visible to third parties. Simple measures, such as using privacy filters, avoiding discussing confidential information in busy places or ensuring that nobody can see the contents of the screen, help reduce these risks.

Conclusion

Holidays do not introduce completely new threats into the Cybersecurity landscape. Phishing, credential theft, device loss and access to insecure networks are risks that are present all year round. What changes is the context in which we use technology and, with it, the points from which we may be exposed to a threat.

Connecting from new locations, using different networks, carrying out more online transactions, sharing information on social media or accessing corporate resources outside the office expands the number of interactions with the online environment. Understanding how these scenarios evolve makes it possible to identify the highest-risk points and apply appropriate protection measures to each situation.

As we have seen, the concept of attack surface, usually associated with protecting companies and systems, offers a useful way to understand how everyday risks evolve. When we travel, work remotely from another location or change our habits, the points of interaction with technology change. As a result, protection measures must also change.

Just as we plan a trip by taking into account documentation, luggage or the means of transport, including Cybersecurity in that planning helps reduce risks without sacrificing connectivity.

Ultimately, enjoying a connected holiday is not about using less technology, but about understanding how our exposure changes and adapting protection measures to each situation.

Adapting Cybersecurity to the context is also part of the journey.

Out of Office: How to communicate your vacation while protecting your privacy and Cyber Security