We live in a world connected by big jetliners and work for companies that expect us to be on site with clients across the globe. In order to service those client accounts, we need our tools: smartphone, laptop, USB drive, security token, and, yes, even paper documents sometimes.
The information these tools contain is the currency of our modern world. It is as important and valuable as any commodity of the past and, like anything of value, there will always be someone who wants to take it from you. Unlike the past, where you would eventually notice missing cash, products or supplies, today your information can be stolen with no obvious signs alerting you to the theft.
While there isn’t a magic bullet to guarantee the security of your information, there are several steps you can take while traveling to make you less likely to be an easy target.
Maintain Physical Control
The first step, and maybe the most obvious precaution, is to always maintain physical control of your devices. Do not include your devices in your checked baggage at the airport; carry them on the plane with you. If your data is sensitive and your flight is long enough that you are likely to be asleep, consider using the under-seat storage to prevent someone from accessing your bag in the overhead bin.
Do not leave your devices in terminal lockers or hotel rooms (or safes). Especially do not leave them with the concierge service. If your work requires traveling with more equipment than you can keep on your person at all times, consider removing the storage media and keeping that on you. I have traveled around many cities with a small backpack full of hard drives and a hotel room full of transport cases. Once it becomes a habit, it is no longer a hassle.
For a few of you, physical tampering may still be a concern. For you, either order room service or bring a friend to stay with the gear.
Act Right in Public
Next, you want to maintain your personal security (a.k.a., act right in public). Anyone with a government or military background will have received multiple briefs in their career about Personal Security (PERSEC), Operational Security (OPSEC), and Situational Awareness (SA). Where PERSEC is protecting information about you, OPSEC is protecting information about your work activities and mission. SA is merely not living with your head in the sand or, maybe more applicable to this conversation, your head in your screen. Basically, don’t talk about who you are, what you do, who your client is, where you are going or why you are going there. If you’re not the sales team, then just don’t. If you ARE the sales team, focus any conversation on “them” and what you can do for “them” while avoiding any conversation about why you are actually there at that moment. Failing to act right in public is usually the first step to becoming a target.
Don’t Make Yourself a Target
A continuation of acting right in public is avoiding looking out of place or of significant value. Regardless of who you are or what you do, don’t look like you’re a CEO, wealthy entrepreneur, highly trained government employee, assistant to an ambassador or anything other than a basic, clean-cut professional stuck in yet another airport. Be gray and maintain your SA so that you are aware of your surroundings and can avoid dangers to your data and, more importantly, yourself.
Limit Device Use in Public Spaces
Now that you have your devices with you and are looking and acting right, you’ll want to limit the use of the devices in public spaces. While we will address encryption in a moment, even if your data-at-rest game is on point, it is all for naught once you settle into a seat with a pricey airport snack or beverage, connect to the unsecured Internet to check your email, put in your earbuds and start editing that confidential document with your back to the world.
The airport and the plane’s cabin are not only some of the least efficient work environments, but also environments that can present some very high threats to your security. There’s shoulder surfing, unsecured networks, densely packed areas full of untrusted people and more unknown and untrusted devices than you can count.
It might be time to start a movement to retain these places for a brief moment of disconnectedness and thought clearing… in addition to enjoying the pricey snacks and beverages. If selling this to your organization is difficult under the banner of security, maybe taking a mental health angle with HR would get you some traction. Road warriors unite for peace and security while traveling!
Avoid Solicitation Attempts
Once you’ve taken all of the previous steps, avoiding solicitation attempts should be easy. Without anything to tip people off to what you do for work, folks are more likely to talk about last night’s game or the most recent escapades of their favorite celebrity. Keeping interactions limited and away from sensitive topics is about all you can do to modify your behavior to avoid discussing your work.
The only way to maybe take it up a notch is to travel in a group when possible. I always prefer to travel in a group from a security standpoint, but it is rare that I am afforded this luxury. Not only is there power in numbers, but travelling in a group also lets you leave mission-essential equipment with trusted colleagues while stepping away from your seat.
Separate Work and Personal Data and Devices
It’s also important to look at the data and devices with which you travel. First, you should try to compartmentalize your data. Avoid keeping personal data on work devices or work data on personal devices. Also, consider not transporting client data that isn’t needed for your trip or for clients unrelated to your trip if possible. A step further is to hold different clients’ data in separate, encrypted containers secured by different passwords. Seek the guidance of your legal counsel to learn more about how compartmentalization might provide legal protections, should a criminal or civil situation arise.
Even better than logically compartmentalizing data is physically compartmentalizing it between your work devices for daily operations at home versus traveling. Having a laptop just for travel that only has the data on it for that specific trip and access to essential networks and systems is an excellent way to decrease your attack surface. Why travel with the keys to the kingdom when all you need is a client folder, an office suite, email and perhaps access to a limited VPN that does not access the whole corporate network? This is smart for domestic travel and travel to low-threat areas, but it is a must if your work takes you to foreign countries where intellectual property theft is basically part of their gross domestic product.
After visiting high-threat locations, it may be advisable to isolate all devices that went to that location to make sure that they do not interact with the corporate environment at all. Simply pull the critical data that changed during the trip, scan it seven ways till Sunday, move a copy of the scanned data over to your normal device(s) and wipe the travel device clean for the next trip. Ask yourself which costs less: an $800 laptop for your trip that can be reused after wiping or an $80,000 activation of your organization’s incident response plan?
Back Up Data Before and After Travelling
Unfortunately, very few organizations properly back up or retain data. Adequate backup policies and procedures are also few and far between. Regardless of your organization’s backup policy and procedure, you should make a proper backup of the data you will be traveling with before you leave. This goes beyond security because things do get damaged in transit or lost no matter how vigilant you are. Not only should you back up data before leaving home, but you should back up the data with an increased frequency while on your trip, then again before returning home, and then a final time when you arrive home. While this offers protection against lost work efforts, it also provides key benchmarks should an investigation into a suspected incident become necessary. If, God forbid, the worst happens and you suspect that your device was the target of an attack, the ability to compare datasets will significantly increase the likelihood of locating malicious code, identifying an attack and mitigating any damage.
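The before-and-after backups described above only serve as benchmarks if you can compare them. The following added example (not part of the original article) builds a SHA-256 manifest of a directory tree and diffs two manifests, which also picks out the files that changed during a trip before you copy them off a travel device. The directory layout and file names in the demo are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip directories and symlinks
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest

def diff_manifests(before, after):
    """Classify paths as added, removed or modified between two manifests."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }

def demo():
    """Constructed sample: a small travel-laptop tree before and after a trip."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "client").mkdir()
        (root / "tools").mkdir()
        (root / "client/report.txt").write_bytes(b"draft v1")
        (root / "client/notes.txt").write_bytes(b"meeting notes")
        (root / "tools/sync.sh").write_bytes(b"#!/bin/sh\necho ok\n")
        before = build_manifest(root)  # baseline taken before leaving home
        # Changes during the trip: one expected edit, three needing a closer look.
        (root / "client/report.txt").write_bytes(b"draft v2")
        (root / "tools/sync.sh").write_bytes(b"#!/bin/sh\necho changed\n")
        (root / "tools/new.bin").write_bytes(b"\x00\x01")
        (root / "client/notes.txt").unlink()
        return diff_manifests(before, build_manifest(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Keep the baseline manifest somewhere other than the travel device, so that anything able to alter the data cannot also alter the record you compare it against.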
With the variety, ease of use and minimal expense of encryption solutions available today, there is no excuse for not encrypting important data on laptops, portable media and other devices. Enable every stock encryption and security option that your mobile device will allow you to enable. This includes encrypting the removable storage where applicable. Use a reputable whole-drive encryption solution on your laptop. If that’s not possible, enable home directory encryption and other directory-level encryption options. Encrypt all external media. Encrypt personal devices and media as well to protect your personal information from loss or theft.
Leave Unnecessary Data Behind
At many points of entry while travelling, you may be directed to boot your electronic systems and log in to allow for device and data inspection. You may also be directed to decrypt encrypted systems and media. Be aware of data you may be carrying that you would prefer not to share in this situation, be it sensitive client data protected by a nondisclosure agreement or information related to your personal hobbies or interests that could raise suspicion at your destination country. If possible, avoid carrying this type of data with you. Instead, perhaps have your data available to you from a cloud service or over your work VPN when you reach your destination.
Use Safe Network Connections Only
Whenever possible, avoid unsecured network connections. Always opt for connecting through a trusted device, such as hardwire tethering to your issued mobile device, in preference to the airport, hotel or coffee shop Wi-Fi. In all cases, use encrypted connections such as a VPN. Where your device will allow it, configure the device to drop and not reconnect if the VPN is lost so that you don’t wind up on an unsecured network. Disable Wi-Fi via either a hardware switch or settings option when you can.
Make certain all sensitive applications and remote access systems you log in to require multi-factor authentication. Multi-factor authentication options include things you know (passwords), things you have (smartphones or hardware keys) and things you are (biometrics). Multi-factor authentication significantly enhances security posture, but it comes with a risk that is especially relevant while travelling. You should have a backup plan in case one of your factors breaks or is unavailable. What are your options if you lose a hardware key or break your phone? Listing out all possible combinations of options and their mitigating factors is beyond the scope of this article, but should be considered as part of your implementation.
On the subject of passwords, use unique and complex passwords for all accounts. This is likely only possible through the use of a proper password manager. Even then, when traveling, don’t bring your master password database. Have only the credentials with you that are absolutely necessary. For accounts and services you will be accessing while traveling, consider changing the password before leaving and again once you return.
Like any other element of cybersecurity, at the end of the day, defense-in-depth is the name of the game. The depth you need will be dependent upon the value of your information and the threat profile of your environment. A doughnut shop owner traveling to Cleveland would likely be in a different situation than a defense contractor traveling to China. Regardless, hopefully taking these steps helps keep you and your data safe during your travels.