A harsh reality for any employee who participates in frequent international business travel is that computing activities on your phones, laptops, tablets, and, even your Bluetooth devices, is just not safe. For those of you who are unfamiliar with these cybersecurity risks, the simple recommendation—which should be cemented within any business’s travel policy and IT security awareness training—is to only connect to “trusted” networks in foreign businesses and hotels. And, even then, there are still substantial risks from man-in-the-middle (MITM) attacks all the way through compromised networks that are leaking data. Foreign networks that you think you can “trust”, like your favorite hotel chain, are really “untrusted” and must always be connected to with caution.
The question for frequent business travelers is—"what precautions should I take to protect both personal and corporate assets when travelling?”
The risks are not equal across all geolocations. Some regions warrant extremely cautious security measures, such as using burner phones and nearly disposable laptops. Certain countries pose acute risks and it should be a forgone conclusion that, if you connect your device to Internet in these countries, you will be monitored and your device potentially “owned” with surveillance malware. Corporate employees visiting such regions should be aware of the risks, and, hopefully, your information technology department and security teams are prepared with burner equipment every time you visit these nations.
The reality of international business travel is that connected computing is not safe. Certain behaviors that we take for granted while operating in our home countries pose more substantial risks when traveling abroad. Consider the following:
1. Certain domestic airlines (like Southwest Airlines) are not available via the Internet when traveling abroad in many Asian countries. The only way to access these websites is:
a. through a virtual private network (VPN) that routes all traffic through the corporate environment so you appear to be in the correct region, or
b. through an authorized travel service like Expedia.
While this not necessarily a risk, not all Internet traffic is considered equal from all regions of the world. Visiting your favorite websites when traveling may be monitored, restricted, or even illegal.
Tip 1: Consider how and where you web surf when traveling and be mindful of any shopping you do as well. Items like CBD oil, firearms, and even personal adult items purchased abroad from your favorite websites and shipped to your home, may be illegal for purchase in a foreign country.
2. As international business travelers, we tend to carry a few Bluetooth accessories. When paired with our phones or tablets, they are not a high risk. However, if they automatically enter pairing mode when turned on and no device or previous connection is available, they are a risk. A threat actor could connect to them without your knowledge and leverage the device until it is powered off or falls out of range. Many of these devices act like an always-listening microphone, and ,if your favorite Bluetooth speakers are left powered on in your hotel room, they could be used to eavesdrop on your conversations. This is not farfetched. If you have any doubts about this, randomly open your Bluetooth connection utility from time to time and see what is openly available to connect to—even without a pin. You might be very surprised!
Tip 2: Turn Bluetooth off whenever you do not need it. Most importantly, do not connect your phone via any Bluetooth device you do not plan to utilize in the short term. By turning off connectivity to all devices not actively being used, you prevent possible surveillance and hijacking attacks. This even concerns rental cars, cabs, and other shared resources. And, if a message appears on your phone, tablet, or laptop to pair a new device or receive files (like using iPhone AirDrop), cancel the request immediately and disable the service until needed.
3. Consider the risks of WiFi. When traveling internationally for business, we still need to maintain connectivity to email, applications, and other internal and cloud resources. Many applications and basic services are now readily available in the cloud. However, just because we have WiFi does not mean we should use it to directly access these cloud resources. They may be hosted in another country and that communication, including its authentication, could be monitored or compromised.
Tip 3: We need the appropriate security layers to protect our credentials from being stolen and from applications leaking data. Organizations should enforce multi-factor or two factor authentication on all sensitive resources, including email, to prevent account hijacking. In addition, any applications and resources should be restricted using access control lists (ACLs) and context-aware security from all foreign geolocations unless the traffic originates from your home offices or is routed through a VPN. This will ensure all traffic is encrypted, difficult to sniff or monitor, and that potentially highjacked devices cannot perform inappropriate monitoring.
4. When traveling internationally, there is always a higher risk of “shoulder surfing” based on the amount of time someone can see your laptop or tablet screen. If you are not familiar with the concept, shoulder surfing is the simple act of someone looking over your shoulder—they could even be in an airline seat beside you—and be able to potentially view sensitive information on your device screen. The longer they can view your screen, the better perspective they may have on your work and private material.
Tip 4: Anyone who travels for long periods of time, especially internationally, should use a privacy filter to restrict viewing of their screen. A privacy filter is a polarized protective layer placed over your screen that blurs visibility of your content across a range of obtuse angles. This prevents unwanted eyes from snooping inappropriately, ensuring you must be right in front of the screen to legibly view the onscreen content. In addition, the larger the laptop or tablet screen, the easier it is for a threat actor to view screen contents from even multiple rows behind you. This, in itself, warrants obscuring your screen contents.
Final words on safe computing while traveling
International travel exposes workers to a high risk of electronic data exposure. Experienced travelers should understand the risks, but newer teams and younger generations may need to consider all the threats, including posting on social media about their personal lives and work when they travel abroad. Hopefully, these recommendations will help some people tune the finer points of cybersecurity when conducting business travel.
Additional Reading
The Perils of VPNs, & How to Minimize Remote Access Threats with PAM (blog)
Manage these 3 IT Security Risks to Keep Your Remote Workforce Secure and Productive (blog)
Top 10 Expert Tips for Securing Vendor & Remote Employee Access (on-demand webinar)
Secure remote access (solutions page)
Morey J. Haber, Chief Technology Officer and Chief Information Security Officer at BeyondTrust
Morey J. Haber is Chief Technology Officer and Chief Information Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored four Apress books: Privileged Attack Vectors (2 Editions), Asset Attack Vectors, and Identity Attack Vectors. In 2018, Bomgar acquired BeyondTrust and retained the BeyondTrust name. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. Morey currently oversees BeyondTrust strategy for privileged access management and remote access solutions. In 2004, he joined eEye as Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.