You are looking through your network usage logs and notice logins from a variety of geographic locations that are far from where your employees usually log in.
Could this be a problem and why?
Answer options:
- No. Logins from strange geographical locations often happen from employees working remotely.
- No. Logins from strange geographical locations happen when data is sent to distant servers.
- Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location.
- Yes. Logins from strange geographical locations can show that your own employees are trying to hack you.
Answered by GPT-5 mini (AI)
Correct answer: Yes. Logins from strange geographic locations can show that a hacker is trying to gain access from a remote location.
Why: unexpected locations often indicate compromised credentials or an attacker using remote infrastructure (VPNs, proxies, botnets, cloud VMs) to sign in. (They can also be false positives — employee travel, legitimate VPN/proxy use, or IP geolocation errors — so it’s important to investigate.)
What to do next (brief):
- Correlate with known employee travel or remote work and check for legitimate VPN connections.
- Look for “impossible travel” (two widely separated logins in a short time).
- Check device/user-agent, login times, and related activity for anomalies.
- Verify with the user and require reauthentication if suspicious.
- Force password reset and revoke active sessions for compromised accounts.
- Ensure multifactor authentication is enabled and review conditional access/geofencing controls.
- Perform a deeper log/forensic review if you suspect compromise.