Working from home has increased the IT risk factor, but that has always been true when traveling, especially abroad. At trade shows, on customer sites, in Europe or further afield, hardware and software vulnerabilities are multiplying: what can you do to prevent the risks and reduce the consequences of possible data leaks?
Mobile work, working from home, trade shows and conventions: the risks
When traveling, especially abroad, there’s no escaping the increased risk.
Risk no.1: loss or theft of hardware and its hosted data
In a car or cab, at an airport or train station, on the plane or in the train, in a hotel… It’s harder to keep an eye on your hardware and its contents when you’re traveling. Hardware theft or loss often means leaked data if the hardware isn’t sufficiently protected. Beyond the replacement costs, and the inconvenience caused when trying to work on site, the malicious misuse of data is a real danger.
Risk no.2: data siphoning
This has become a common practice, which is sometimes even legal, when passing through customs. Some countries, such as the United States (under the Patriot act “) or China, even require that all portable equipment be checked by their services and request your access codes. Their argument is that your hardware will be better “inspected” (in an isolated room, without you being present). In fact: the contents are saved. Recording media, CDs or thumb drives are looked at in the same way. If you object, you stay in the customs area and are sent back to your country of origin.
Risk no.3: Physical aggression
In some countries, the risk of being physically attacked is higher. It goes hand in hand with the theft of thumb drives, cell phones and laptops. Here again, even if the dishonest motives of the thieves are the most likely, a financial loss, an inconvenience for the continuation of the trip or the risk of data leaks are not negligible.
Industrial espionage: ever present
States – with the United States, Israel and China in the lead – are taking advantage of certain security measures at airports to engage in industrial espionage. These States resort to massive industrial espionage: they have enacted national laws containing rules that authorize capturing commercial data – especially at borders – and even the creation of public departments of which the sole purpose is to use this type of data for the benefit of their own industries.
The 2019 Verizon Data Breach Investigations Report (VDBIR) reports a sharp increase in State-sponsored attacks, rising in just one year from 12 % to 23 % of all analyzed incidents.
Many manufacturers who went prospecting to be able to manufacture in China have seen their products copied – and sometimes even released on Baidu at rock bottom prices – even before being delivered from their European production. An example? MBT, the Swiss ergonomic shoe manufacturer was forced to stop its production after outsourcing it to China, because the competition from Chinese copied products sold online became impossible to manage.
Moreover, what used to be called technology watch, which was highly organized in large companies, is sometimes transformed into more dubious practices – which are borderline illegal.
Competitors no longer hesitate to install surveillance of companies and their representatives. And from time to time, they try to corrupt or entrap them.
When visiting abroad, when relaxing or to unwind from work with some peace of mind, you also need to think about protecting yourself and anticipating the risk of the base motivations of chance meetings and social encounters. If someone you just met asks you to turn on your PC to send an email, beware, … It takes an average of four seconds to download a Trojan horse that will then discreetly copy all your data.
When visiting a company or administration, a connection to their “guest” WiFi network (or even to the hard wired network on an RJ45 socket) often makes it possible to see or to copy the contents of your phone or your computer from the room next door.
The check-list: 10 good practices to protect your data when traveling
Simple precautions can be taken to protect your data confidentiality ty and security. The French ANSSI guide for travelers is full of good advice: :
1. Use hardware (laptop, smartphone, thumb drives) reserved for use when traveling. And leave your professional hardware at the office. Customize it to find it easily and discourage malicious swaps (stickers, color,…).
2. On this hardware, only save the operating systems, the required applications without their access codes and a few worthless or already publicly available documents (company brochure, guided tour of the destination, …).
3. After clearing customs, download the documents that are necessary and sufficient for your mission from your server (in-house or secure cloud). Use a corporate VPN that prevents other accesses, or use secure messaging.
4. Before returning home, transfer documents that were updated on site in the same way, then delete them using a true delete – don’t just send them to trash, which doesn’t erase the content, but “untags” its access. Example: The Ccleaner erase function or even the formatting of the disk or partition containing the data if it was created at the start. The same applies to your browsing history, location data, saved passwords, cookies, etc.
5. Always keep your hardware on or with you because even if you leave for just three minutes, you’re running a risk. Keep an eye on it!
6. Be discreet when you’re on the phone: in some countries, tapping is systematic. Don’t phone on trains or in planes..
7. Invest in a protective filter for your screen which can prevent a spy from reading what’s on it.
8. Don’t use hardware offered on site: it can be compromised and unobtrusively loaded with intrusion software. A “clean” empty thumb drive can be used for your exchanges and then destroyed when you go home. Even public charging stations can be a source of infection: use your charger and/or a special thumb drive socket that only allows power to pass and not data.
9. If your hardware is seized by the local authorities, don’t resist: give up your passwords and encryption keys. But then immediately notify your Information security manager so that as much information as possible is deleted from distance after having been copied by your company. You may have planned a discreet and banal coded message to send to your company in a text message for example, which means that your access and data have been compromised.
10. On your return, give your hardware to the IT department for an in-depth analysis to find any hidden spyware, or even for a re-installation after formatting to prepare it for the next trip.
Before, during and after your trip, only use encrypted data using a high-performance and certified system: encryption doesn’t prevent data theft, but it does prevent it from being used by third parties.
Encryption, the ultimate protection from state or competitor espionage
Encryption makes data unusable, even if it’s stolen or copied: no one else can understand it. It’s the ultimate protection that underlies all other precautions. It doesn’t prevent theft or loss; it prevents the use of the data: your data may be disclosed, but it will never be understood, and therefore never be usable.
Your encryption must be end-to-end (i.e. from the moment the message or document is sent, including transfer) and managed by your company, not by a cloud, even a “trusted” one. It must be provided by a provider that is certified for the quality and strength of its products.
Protecting yourself from the risk of data leaks or espionage during travel and trips isn’t really complicated after all. You just have to anticipate the risks beforehand and prepare your hardware and the necessary and sufficient data with all the players involved in your company.