Stefano Gazzella : 15 September 2025 07:31
When talking about information security, we must first take a breath and realize that it reaches deeper than computer systems and explicitly stated information. It concerns all information and all information systems. So we must definitely take a deep breath, because otherwise it’s natural to feel a little dizzy and end up ignoring, for example, what is communicated verbally and everything that can be inferred.
And if we’re short of oxygen, those who are planning an attack against us (or rather, against a cluster we unfortunately belong to, since we are rarely special snowflakes to a cybercriminal, and it wouldn’t be a good thing if we were) have already thought about it. And when the attacker collects information with OSINT techniques, he isn’t applying anything esoteric: put simply, he is taking what we’ve left lying around and using it against us.
In fact, the fundamental question behind protecting ourselves and planning an effective defense should always be: what is the worst use that can be made of this information? Let our thoughts wander toward the scenarios that combine the unwanted and the possible, so that we can adopt the necessary precautions.
We may consider this obvious, but it’s worth repeating: any information counts.
If not for us, then for those who might use it against us.
With this preamble, let’s see what this has to do with the out-of-office message, the automatic reply that notifies senders of a user’s temporary unavailability.
The information an out-of-office message must convey is that we are unavailable, possibly with an address to which pending issues and communications can be sent.
So far, so good. But often we feel the need to say something more, from the period of unavailability to the reason for our absence. And while the former may be, if not necessary, at least warranted by the context, the reason for the absence can pose a security issue and a privacy issue as well.
The content of the out-of-office message must therefore not exceed its purposes, so it’s best to indicate the period of absence and, unless strictly necessary, not the reason. Whatever the reason, from running out of gas, a flat tire, a house collapse, a flood, or locusts… well, communicating it goes beyond the scope of the out-of-office process.
From the GDPR perspective, it violates the principle of data minimization and could also disclose employee information that shouldn’t be disclosed (e.g., health status). From the security perspective, see above about providing excessive information and an attacker’s ability to mix it into a lethal cocktail, or at least a dangerous one.
Not bad, I’d say. In practice, something as simple as a poorly implemented out-of-office message affects both the worker and the organization.
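As an added example (not part of the original article), the following Python script audits a draft out-of-office message for the kinds of over-disclosure discussed above: the reason for the absence, health details, personal contact numbers, the absence of whole teams, and travel locations. The two sample replies and the keyword patterns are constructed for illustration and are not an exhaustive classifier; the minimal template builder shows the "unavailable plus handover address" shape the article recommends.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample auto-replies: the first overshares, the second is minimal.
OVERSHARING_REPLY = (
    "Hi, I'm out of the office until 28 September because I'm in hospital for "
    "surgery. I'll be unreachable; for urgent matters call my personal mobile "
    "+39 333 123 4567. The whole accounting team is away at the Rome offsite."
)
MINIMAL_REPLY = (
    "Thank you for your message. I am currently unavailable. "
    "For pending matters please write to team-inbox@example.com."
)


@dataclass(frozen=True)
class Finding:
    """One piece of text that goes beyond the purpose of an out-of-office reply."""
    category: str
    excerpt: str


# Illustrative patterns (assumption: English-language replies). Each category
# maps to information the article says should not be in an auto-reply.
PATTERNS: Dict[str, re.Pattern] = {
    # Any justification for the absence ("because", "due to", "for surgery" ...)
    "reason_for_absence": re.compile(
        r"\b(because|due to|as I am|since I'm|"
        r"for (?:surgery|treatment|a funeral|maternity|paternity|vacation|holiday))\b",
        re.I,
    ),
    # Special-category data under GDPR (health)
    "health_information": re.compile(
        r"\b(hospital|surgery|sick|illness|medical|therapy|maternity|injur\w*)\b", re.I
    ),
    # Personal phone/e-mail details or a full international phone number
    "personal_contact": re.compile(
        r"\b(personal|private|home)\s+(mobile|phone|number|e-?mail)\b|\+\d[\d\s]{7,}\d", re.I
    ),
    # Reveals that an entire team/office is unstaffed
    "third_party_absence": re.compile(
        r"\b(whole|entire|all of the)\s+\w+\s+(team|department|office)\s+(is|are)\s+"
        r"(away|out|travelling|traveling)\b",
        re.I,
    ),
    # Where people physically are (case-sensitive so "in Rome until" is caught)
    "location_disclosure": re.compile(
        r"\b(offsite|abroad|travel(?:l)?ing to|in\s+[A-Z][a-z]+\s+(?:until|for))\b"
    ),
}


def audit_auto_reply(text: str) -> List[Finding]:
    """Return every over-disclosure match found in an out-of-office draft."""
    findings: List[Finding] = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(category, match.group(0)))
    return findings


def categories(text: str) -> List[str]:
    """Sorted, de-duplicated list of finding categories for a draft."""
    return sorted({f.category for f in audit_auto_reply(text)})


def minimal_auto_reply(handover_address: str, end_date: Optional[str] = None) -> str:
    """Build a reply that states only unavailability, an optional end date and a
    handover address, which is all the article says the message needs."""
    first = "Thank you for your message. I am currently unavailable"
    if end_date:
        first += f" until {end_date}"
    first += "."
    return f"{first} For pending matters please write to {handover_address}."


if __name__ == "__main__":
    for name, draft in (("oversharing", OVERSHARING_REPLY), ("minimal", MINIMAL_REPLY)):
        print(f"{name}: {categories(draft) or 'no findings'}")
        for finding in audit_auto_reply(draft):
            print(f"  [{finding.category}] {finding.excerpt!r}")
    print(minimal_auto_reply("team-inbox@example.com", "28 September"))
```

Running the audit over a draft before it is enabled turns the "what is the worst use of this information?" question into a repeatable check; the handover address and date in the minimal template are the only variable parts, which is what keeps it within the purpose of the message.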
The guidelines of the Italian Data Protection Authority on email and internet in the workplace, dating back to 2007, indicate that the internal regulations should include a specification of:
the solutions envisaged to guarantee, with the cooperation of the worker, the continuity of work activity in the event of the employee’s absence (especially if planned), with particular reference to the activation of automatic reply systems to incoming emails;
This includes making the automatic reply function available to the employee, leaving intervention by the employer, through a system administrator or another designated person, as the exception (e.g., in the case of prolonged or unplanned absences).
This is a way to provide both transparent information to the employee and complete instructions to ensure the absence is managed securely. Clear and precise, of course, and not with the games of mirrors and levers whose ending we know all too well.
What if we’re not a company or an organization? We won’t need to draw up internal regulations, but we will need to act in a disciplined manner. That is, consider these risk factors and never abandon safe behaviors by reciting the “what could possibly happen to me” maxim, which so often flies in the face of murphology.
Which, remember, includes a fundamental axiom: “If something can go wrong, it will.”
Fact: this also applies to poorly managed out-of-office messages.