Travel Tech

By on Apr 12, 2017 in Technology

For many international business travelers, crossing a border means more than just ashutterstock_97354238 stamp in their passport. It also means making sure cell phones and laptops stay secure. Whether it’s an intrusion from foreign hackers or the evermore-invasive surveillance of customs officials, protecting sensitive data – both personal and business – has never been more complicated. As a result, more and more jet-setting corporate employees are making sure to secure their devices before their trip and while on the move.

“Although mobile devices can facilitate connecting back to headquarters and maintaining workflow, the risk for exploitation of these devices and the information accessed can greatly increase on overseas travel,” warns the US Department of State Overseas Security Advisory Council (OSAC).

Before Departure

The OSAC’s best practices guide for traveling with mobile devices suggests several steps business travelers should take before stepping out the front door. As a matter of course, all nonessential devices should simply be left at home. Data can also be kept local through a backup on an external hard drive or a secure cloud-based service.

For travelling devices, it’s important to make sure all software and apps are up-to-date. That means upgrading passwords with stronger variables and initiating file encryption with tools provided by BitLocker, TrueCrypt or Apple Firevault. Bluetooth and GPS should also be disabled and available firewalls enacted.

During Travel

Once you’re on the road, there are plenty of ways for your device to be compromised. In addition to maintaining physical control whenever possible, the best way to protect your device in transit is to power down before entering customs. As an added step, Wired recommends disabling any biometric access – like Apple’s TouchID – and sticking to PIN accessibility.

It’s good practice to disable automatic Wi-Fi connections and use a VPN. Public Wi-Fi networks should be avoided, along with unfamiliar websites. File-sharing options and unknown apps and devices should also be shunned. Free apps in particular can often be loaded with malware programmed to collect information or allow third-party access to your data. Apps may ask for additional permissions, a common tactic used by cybercriminals to bypass native security. For example, the GPS and locational services not only track your whereabouts, they can also be used to launch location-based attacks.

It’s worth noting that device security involves more than just online interference. As the OCAS report points out, in worst case scenarios, this location information can be exploited for kidnapping and extortion purposes.

As a matter of course, travelers should avoid clicking on links included in text or email unless you specifically asked for the information, as email addresses and phone numbers can be spoofed by third parties hoping to gain access to your device. Finally, passwords should never default to “remember me” on any online accounts or apps like Facebook and Dropbox which provide easy access to criminals and government officials of detailed personal information.

“So many of the common functions that make mobile phones user-friendly are the same functions used by malicious actors to exploit them,” states the OCAS report.

“Better understanding of the risks to these every-day mobile features can help employees use their phones more safely and effectively while aboard.”

After the Trip

If you suspect your device has been compromised, the first step upon your return is to change all your passwords and scan your device for malware. Never plug your device into personal or business networks until you ensure your system has not been compromised. According to OCAS, some of the common signs that a device has been hacked include latency, a frequently drained battery, increased data usage, and appearing or disappearing apps. Though these issues may be typical to international service providers, if the issues continue once you’ve returned home, it’s time to consider the possibility you’ve been hacked.

If you suspect there has been an intrusion, a remote-swipe of the device is probably your best option. Intended to allow users to remotely erase sensitive data from lost or stolen devices, remote-swipe works like a “virtual kill switch.” If the phone is turned off (either on purpose or due to a dead battery), isn’t within range of a cell tower or has had its network connections disabled, a remote-swipe may not be possible. Nevertheless, this extreme solution can allow employees and businesses mitigate some of the damage if the device is compromised.

What Companies Can Do

While employees provide the first line of defense against mobile-device hacking, OCAS identifies several best practices employers to secure sensitive business data. Providing loaner phones and laptops allows employers to silo important critical information. According to OCAS, only 31 percent of employers surveyed for the report currently provide loaner devices for overseas travel. Additionally, only 41 percent of employees use separate devices for work and personal use. With IP theft costing the US private sector upwards of $250 billion annually, a $300 smart phone or $1000 laptop seems like a bargain.

With loaner devices, the lack of long-term storage limits access to only the specific needed for the trip, instead of opening to the door to the company’s archives to prying eyes. Additionally, loaner devices make remote wiping and resets easy and efficient without the risk of deleting an employee’s personal information.

For employees, loaner devices work best if no personal data is included – that means making sure to avoid linking personal social media accounts or even enabling iTunes or iCloud. Even using a Kindle reader app could make your Amazon accounts vulnerable to third-party infiltration.

Another option does away with local data storage altogether. Using SaaS allows employees to access sensitive data through an app rather than store it on their device. While accessing files through a browser comes with its own set of security concerns, the SAAS model guarantees important files won’t go missing along with that stolen laptop or hacked cell phone.

Ultimately, the strongest protection requires a partnership between companies and their employees. As Evan Tomlin, Vice President of Mobile Strategy at Tangoe, explains, “Security is one of the highest priorities in life, business, and government, but a common perception is that responsibility lies elsewhere.”

“Security should be a shared effort in the business environment,” he concludes, “but all too often companies design and build solutions in response to security “theater,” rather than addressing practical use cases with realistic solutions.”

“Security is a balance among pragmatism, usability, and business requirements. If you don’t achieve balance, your policy is in jeopardy.”