Everyone needs a break from work, and when you take one it is common to set up an Out of Office Notification to let clients, contacts and colleagues know that you are away, who to contact in the meantime and when you will return. This message is sent automatically in reply to anyone who emails you while you are away.

Unfortunately, announcing that you are away is a security risk to the business. Anyone outside the business can use this information to pick a window of opportunity to attack, especially if the person on holiday is a key employee such as a System Administrator or Managing Director. A call to IT saying "I'm on holiday with a new phone and forgot my password to check emails, can you reset it for me?" and the attacker has access to an account.

Everyone knows that a social media post showing off that you are currently on holiday can act as an advertisement that your home is empty. The same applies to Out of Office Notifications.

Steps to take to minimise this risk:

1. Don't state that you are on leave or holiday - "I am currently out of the office" gives most people enough information.

2. Don't give a return date - "I will respond on my return".

3. Don't reveal that you are unable to monitor or use your accounts - avoid "I will be unavailable".

4. Use different Out of Office Notifications for internal and external contacts.

The standard Out of Office Notification I see is:

"Thank you for your email, I am on holiday until the 23rd June with no access to phone or emails.

For anything really urgent, please forward your email to other.person@domain.com or call the office on 0XXXXXXXXXX."

Some simple tweaks give us:

"I am currently out of the office but will respond on my return.

For anything really urgent, please forward your email to other.person@domain.com or call the office on 0XXXXXXXXXX."

This has the additional advantage that it does not have to be rewritten every time you configure an Out of Office Notification, and it lets you leave the reply active for a day after you return while you catch up.

You can still provide more detailed information in an internal Out of Office Notification to colleagues who need to know your return date, or communicate it through other internal means where necessary.
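The separate internal and external messages from step 4, as an added example for Exchange Online using the ExchangeOnlineManagement module (this is not from the original post; the mailbox address, the message wording and the final keyword check are assumptions):

```powershell
# Added example, not part of the original post: set a detailed internal
# auto-reply and a minimal external one on a single Exchange Online mailbox.
# 'user@domain.com' and the message text below are placeholders.

Connect-ExchangeOnline

$mailbox = 'user@domain.com'   # placeholder: the mailbox being configured

# Colleagues may see the real return date and cover arrangements.
$internal = @"
I am out of the office until 23 June. For anything urgent, please contact other.person@domain.com.
"@

# External senders get the minimal wording recommended above:
# no holiday, no return date, no statement that the mailbox is unmonitored.
$external = @"
I am currently out of the office but will respond on my return.
For anything really urgent, please forward your email to other.person@domain.com or call the office on 0XXXXXXXXXX.
"@

Set-MailboxAutoReplyConfiguration -Identity $mailbox `
    -AutoReplyState Enabled `
    -InternalMessage $internal `
    -ExternalMessage $external `
    -ExternalAudience Known   # Known: only external senders in the user's contacts; None: no external reply at all

# Assumed sanity check: flag an external message that still leaks availability details.
$cfg = Get-MailboxAutoReplyConfiguration -Identity $mailbox
if ($cfg.ExternalMessage -match '\b(holiday|leave|until|unavailable|no access)\b') {
    Write-Warning "External auto-reply still reveals that the mailbox is unattended"
}
```

Setting -ExternalAudience to None suppresses external replies entirely, which is the safest choice when external contacts do not need any notification.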