The out-of-office message is set up, the suitcase is packed, and anticipation for the trip is high. There’s one essential travel companion that very few vacationers leave behind: the smartphone. For employees, however, taking time off during the holidays doesn’t always mean going completely offline these days. While on vacation, many employees check their work email from time to time, reply to an important message, or review appointments in their calendar. As a result, business applications, sensitive data, and corporate accounts often come along on the trip. The results of the latest representative vacation survey by G DATA CyberDefense show why this can become an underestimated security risk. For this brief online survey, OmniQuest surveyed 1.000 Internet users in Germany in June 2026.
Company cell phones and personal devices are part of the company’s IT infrastructure
The line between work and personal life is becoming increasingly blurred. Especially with smartphones and tablets, the distinction between personal and professional use is often not clearly defined. Some employees use a company-issued device even in their free time, while others access corporate applications via their personal cell phones – regardless of whether this is explicitly permitted under Bring-Your-Own-Device (BYOD) policies or simply arises in the course of daily work. For companies, this means that smartphones and tablets have evolved from mere communication tools into nearly full-fledged work devices. Business emails, cloud applications, collaboration software, and company data are now available at all times – regardless of whether employees are in the office, working from home, or on vacation. The G DATA survey highlights just how commonplace the use of mobile devices has become, even while traveling. Ninety percent of respondents take their smartphone or tablet with them on vacation and go online regularly. In plain language, this means that mobile devices remain potential access points to corporate data and internal systems even during the vacation season.
Many people want to consciously disconnect while on vacation, but at the same time remain digitally accessible. That is precisely where the challenge lies for companies. Today, business applications, corporate accounts, and sensitive data travel everywhere with us. That’s why organizations should secure mobile devices just as thoroughly as they do desktop computers in the office.
QR Codes and Bluetooth: Risks to Corporate Data
Additional risks arise, especially outside the usual work environment. According to survey results, one in two people has already scanned a QR code while on vacation – for example, to view digital menus, book tickets, or get information about tourist attractions. Many services that vacationers used to receive on paper are now available exclusively via QR code. Virtually no one thinks about cyber risks in this context. However, what is convenient for travelers poses dangers for both individuals and businesses. Manipulated QR codes – a practice known as “quishing” – can lead to phishing sites or fake login portals. If a device used for business purposes is involved, there is a risk that attackers could gain access to credentials for corporate applications or cloud services. But QR codes aren’t the only risk. Another underestimated risk is Bluetooth. About one-third of respondents leave the wireless connection permanently enabled while on vacation, even when it’s not currently needed. This further increases the attack surface of mobile devices. Security vulnerabilities in Bluetooth components or unwanted connections can provide attackers with additional entry points.
Bluetooth is often underestimated as a security risk. Unnecessarily active wireless connections can theoretically also create a vulnerability. Anyone who doesn’t need Bluetooth should therefore disable the feature.
Security Measures: Mobile Devices Are Insufficiently Protected
The situation becomes particularly critical when mobile devices are used intensively but are not adequately protected. The G DATA survey also reveals that nearly two-thirds of respondents do not take any security measures – such as backups, security updates, or additional protection features – for their mobile devices before traveling. This significantly increases the risk for businesses. If a smartphone is lost, stolen, or otherwise compromised, the impact extends far beyond personal data such as photos or messages. Typically, many devices also contain business emails, corporate applications, stored login credentials, or authentication methods. A lost smartphone is therefore not just a loss of hardware; it can quickly play into the hands of attackers.
Mobile security remains important even when traveling
Companies should therefore treat smartphones and tablets as full-fledged endpoints of their IT infrastructure. This includes
- up-to-date operating systems,
- security software,
- multi-factor authentication,
- Mobile Device Management (MDM)
- and security awareness training.
Both technical security measures and raising employee awareness through security awareness training on mobile threats – such as phishing, unsecured networks, or unnecessarily active wireless connections – contribute to better IT security.
Small and medium-sized businesses, in particular, lack the resources to continuously manage mobile devices. Added to this is a “lax” Bring-Your-Own-Device (BYOD) policy. IT service providers and Managed Service Providers (MSPs) can help implement security policies and centrally manage mobile devices.
Conclusion
Smartphones and tablets are now an integral part of everyday travel. While workplace computers in companies are protected by security solutions, policies, and regular updates, mobile phones and tablets often fall through the cracks. Companies should therefore not only secure their networks, servers, and on-site work environments, but also the devices that their employees take with them when traveling. MDM enables companies to manage and secure smartphones and tablets.
For companies, the peak summer vacation season is a good opportunity to review existing security strategies and consistently implement protection for mobile devices. This ensures that the vacation season does not become peak season for mobile cyber risks.
Sentinel — Human
This text functions as a well-structured security brief that synthesizes existing concepts into actionable advice, exhibiting strong human journalistic flow while relying on verifiable external data.
