Cybersecurity On the Road

Employees who travel, especially internationally, are subject to unique cybersecurity and privacy risks – and risk of legal trouble if they carry the wrong kinds of data.  Employers ought to develop comprehensive travel policies to protect their data.

The following is a checklist, with some explanations, of what such a policy ought to contain.

Consider the use of travel-only devices.  

  • Rather than risk that data unrelated to the trip is stored on a smartphone or laptop (and being unable to say for sure what data is compromised if such a device is lost or hacked), use a “clean” laptop and cell phone.
  • Establish a needed-data-only travel policy – remove all unnecessary information from travel laptops including corporate connectivity if it is not needed.
  • Ensure that any device used in travel has its contents catalogued so that the extent of the loss can be known immediately.
  • Require immediate reporting of devices that are lost, misplaced or confiscated (even temporarily).

Mobile devices are at risk of attack and theft. 

  • Turn off Wi-Fi, Bluetooth, NFC and any GPS functions.
  • Use device-level encryption.
  • Ensure that all software, operating systems, antivirus and other protective software are up to date and fully patched.
  • Use settings that will wipe the device after a certain number of login failures.
  • Do not store devices anywhere, including in hotel room safes. If you don’t want to carry it full-time, don’t bring it.  That said, a clean device can mitigate risk here.
  • Use two-factor authentication for device access, especially if corporate network access is permitted.

Maintain connectivity hygiene

  • Do not use any public or hotel Wi-Fi. At the very least, such systems are not necessarily as secure as you would like them to be.  It is also very easy for a malicious actor to pretend to be benign (say, setting up a network called “HotelGuestNetwork” or “ConferenceFreeWifi” and waiting for folks to log in).
  • Do not connect thumb drives or other USB devices to your device – including (especially) those given to you at a trade show. They can be used to introduce malware.
  • Do not use hotel, airport or conference-facility USB chargers. These devices can be easily hacked (“Juice-Jacking”) to upload your data (see also here on the risk that hotel-lamp USB chargers pose).
  • Clear your Internet browser after each use: delete history files, caches, cookies, and temporary internet files.
  • Do not use non-company computers to log into your company’s network or to perform sensitive work.
  • Consider auditing system access by devices that are on the road, and comparing the recorded access with the traveller's own account of the trip.
  • The upshot is that hotels are excellent vectors for random data theft; conferences are perfect for corporate espionage efforts.
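
As an added illustration of the auditing item above (not part of the original checklist), this sketch compares access-log entries for a travel laptop against what the traveller reported. The device name, log layout, itinerary format and the assumption that source country is already resolved by GeoIP are all hypothetical, and every value is constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample data (UTC). Legs: (start, end, country the traveller reports).
ITINERARY = [
    ("2024-03-04T08:00", "2024-03-06T18:00", "DE"),
    ("2024-03-06T21:00", "2024-03-08T10:00", "SG"),
]
# Windows in which the traveller reported the device out of their control.
OUT_OF_CONTROL = [("2024-03-06T19:00", "2024-03-06T20:30")]
# Constructed access log: timestamp, device, source country (GeoIP upstream), resource.
LOG = """\
2024-03-04T09:15 TRV-LAP-07 DE vpn
2024-03-05T23:40 TRV-LAP-07 RO mail
2024-03-06T19:45 TRV-LAP-07 DE vpn
2024-03-07T02:10 TRV-LAP-07 SG fileshare
2024-03-09T14:00 TRV-LAP-07 SG vpn
"""

def _ts(text):
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def _window_at(windows, when):
    """Return the first window containing `when`, or None."""
    return next((w for w in windows if _ts(w[0]) <= when <= _ts(w[1])), None)

def audit(log_text, itinerary, out_of_control, device):
    """Return (timestamp, resource, reason) for each access that contradicts the traveller."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[1] != device:
            continue  # skip blank or malformed lines and other devices
        stamp, _, country, resource = fields
        when = _ts(stamp)
        leg = _window_at(itinerary, when)
        if _window_at(out_of_control, when):
            reason = "access while device was reported out of the traveller's control"
        elif leg is None:
            reason = "access outside the reported travel window"
        elif country != leg[2]:
            reason = f"source country {country} does not match itinerary ({leg[2]})"
        else:
            continue  # access agrees with the traveller's account
        findings.append((stamp, resource, reason))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, ITINERARY, OUT_OF_CONTROL, "TRV-LAP-07"):
        print(*finding, sep=" | ")
```

Each finding is a question to put to the traveller, not proof of compromise; a reported confiscation window that shows any access is the one to escalate first.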

International travel                                                                                                       

  • Assume that foreign security services and economic competitors are seeking your data. As the FBI notes, “[i]f information might be valuable to another government, company or group, you should assume that it will be intercepted and retained.”  Assume that they will use all means at their disposal to retrieve that data.
  • Ensure that you are not travelling with data that, while legal in the country you are visiting, may not cross its borders legally.
  • Ensure that you are in compliance with import/export restrictions on data and cryptography software. Be prepared to provide cryptography keys to officials, especially at the borders.
  • Understand local data laws; carrying prohibited data (including items stored in caches) may place you at risk of arrest or detention.
  • Be extra sensitive to phishing.
  • Be prepared for your device to be seized and imaged at national borders as well as under the authority of local law.
  • Be prepared for inspection of electronic devices upon entry to the United States. While courts are sorting this out, the federal government “has taken the position that the detention, seizure, imaging, and forensic search of the Devices should be viewed as a routine border search, so that no suspicion was required and the search clearly was permissible under any facts.”  See, e.g., United States v. Saboonchi, 990 F. Supp. 2d 536, 540 (D. Md. 2014).
  • Avoid taking any sensitive data at all, and use a VPN (or a specially set up secured mailbox where all data will be deleted after retrieval) to retrieve the data securely (credit: Stack Exchange). This, of course, applies to all travel.
  • When preparing for return travel, ensure that you have properly scrubbed your devices.
  • Be prepared to hand over all means (such as a two-factor authentication token) to allow the authorities to access your device.
  • Have a policy requiring employees to report all border crossings with devices (or, at least, any loss of control of the device at any border) and to ensure that they are thoroughly checked (or scrubbed) before being allowed to return to “normal” service. Frankly, given the possibility of firmware-based malware (and the near impossibility of detection of its presence), in some instances, devices ought to be disposed of after use.
