A client has recently asked me for advice on how to protect themselves when travelling abroad on company business. So I have decided to republish this article as a reminder to all of our clients.
Two common themes come up. They are separate concerns in their own right, but connected. The first is personal safety and the second is the security of work devices and mobile phones.
In dealing with the first issue, “personal safety”, the advice is simply to carry on as normal, as you would when you travel to a new city or any new part of a city in the UK. This is best described with the use of a short scenario.
Let’s just say that you arrive at your hotel late in the evening and, after unpacking, you decide to go for a short walk to stretch your legs before dinner.
You come out of the hotel, turn right and wander up the street, browsing in the brightly lit shop windows along the main road.
You spend 5 or 10 minutes turning down some smaller side streets, before realising that those streets are slightly darker and less well lit than those before.
It also becomes apparent that the area is becoming more residential and less commercial. After a little while you notice that some of the streetlights are broken, that the cars are less new and more in need of some TLC than those high-value prestige models that you walked past earlier. You also start to notice that some of the windows have tatty curtains or even blankets in them and one or two of the doorways have been boarded up. There is also a slight smell of urine and the area has a decidedly “uncared for” feeling to it.
I would suggest that by now, or possibly some time before, you would be thinking that it’s high time to turn around and make your way back to the bright lights and the main roads. Or maybe your risk tolerance level is such that you are happy to continue, right up until the point that you notice a couple of unsavoury individuals sitting on a wall or standing in a dimly lit doorway, looking at you (at least that’s what the hackles on the back of your neck are telling you).
Maybe that’s the point at which you decide that it’s time for dinner and time to wander back to the main street and your hotel?
It’s about maintaining an awareness of your surroundings and knowing where you are, and about not making ostentatious displays of wealth (think about leaving the Rolex in the hotel safe, or at least make sure that it’s covered up by the sleeve of your jacket).
Be careful how you carry your camera with its £1000 lens, and maybe cover it up with an inexpensive bag of some kind, rather than one carrying a label that says “money”.
Just follow and apply the rules handed down to your own teenage sons and daughters about keeping your handbag in front of you and not just on the shoulder. Make sure that your wallet isn’t just in the back pocket and make sure you don’t ride in unlicensed taxis!
It’s just about being careful. These rules are good for both the UK and abroad.
Make use of Foreign and Commonwealth Office (FCO) security and travel advice in all instances of foreign travel.
Moving on to security around your work and mobile devices.
The cyber risk posed by hotels is a significant one. There are plenty of reports of attacks on high-profile company executives and employees of government agencies. However, what goes unreported, perhaps because of a lack of awareness, are the less well-known attacks on the modern business traveller, who carries a veritable feast of files and personal information on their mobile devices and laptops.
After a long and sometimes fraught journey, these travellers and executives will (irrespective of how well-intentioned they are) let their guard down once inside the relative “safety” of their hotel rooms.
The biggest risk by far is the hotel or coffee shop Wi-Fi network. It is easy and free to download software that will “sniff” a Wi-Fi network and enable a criminal or foreign power to spy on the communications traffic using that network (it is illegal to do this in the UK).
Users can also be misdirected through rogue Wi-Fi access points (ones not set up by the hotel or coffee shop) to fake sites, or into inadvertently downloading malicious software to their devices.
An encrypted VPN connection is the only effective way to protect your data (or your web surfing) from snooping at the network level. Businesses and IT departments should make sure that employees who travel have this connectivity. VPN software is easy and cheap enough that even those travelling for personal reasons can use this technology to protect themselves.
It’s also good practice to plug in to a wired network port (in my experience, normally next to the kettle!) wherever possible, to reduce the risk of connecting to a rogue access point.
An alternative to using the hotel network is to take your own travel wireless router, although you should make sure that you’ve changed the default username and passwords and enabled encryption. It also makes sense to avoid software updates whilst travelling (unless you know what you are doing).
Depending on your data allowance you could also consider creating a personal hotspot or similar and using the Wi-Fi created by your mobile phone for access to emails or the web. Or you could use a Wi-Fi dongle for this access.
Beware of using USB charging stations, as these can be used to inject malicious software into the devices travellers plug into them. Either use your own laptop USB ports or, if you need to charge multiple devices, consider taking a portable USB charger.
RFID skimmers (imagine something similar to the devices used for touch and go payment cards) are now commonplace and can be used to read data from digital room keys and other access cards. Hidden cameras in bathrooms and hotel rooms have also hit the headlines recently and all but the most conscientious hotel staff would find it very difficult to detect these devices.
Avoid placing sensitive items in obvious places within the room (a wallet on the bed stand), and leave your work access cards and fobs at home. Hidden cameras are a little more difficult. Putting the personal privacy issue aside, which is a whole other area of risk, consider placing a laptop slightly off angle on the invariably fixed hotel room desk and continue to use the “privacy shield” you might normally use when travelling on the train. Two-factor authentication would also help in this instance, with password identification for any services you plan to use in your room.
Theft and physical intrusion in hotel rooms are a huge problem. Key cards are very easy to duplicate and clone with the skimmers mentioned previously, and hotel staff can come and go with frightening regularity. Portable devices, money, documents and laptops can easily be stolen unless secured in the room safe. If you plan to step outside of your hotel room for any length of time without taking your digital devices, then lock them away in the safe. If you can’t do this, make sure that they are protected with robust password protection and, preferably, encryption.
Make sure that “full disk encryption” is enabled on your laptop and in addition make sure that you have a suitably short sleep/screen lock period set and that you have to unlock the laptop after this period with a password.
Without encryption, it is a straightforward process for someone to remove the hard drive from the laptop and copy it without leaving a trace (that you will notice). If you have a portable storage device, make sure that encryption is enabled on this also. In both cases, the passwords should be complicated and long. Encryption is seldom broken. Access is invariably made through a weak password!
Depending on the job you do, the data that you have access to and the country you’re visiting, it may also be advisable to travel with “clean” devices only. And when I say clean, this means a device not containing any personal or business-related data that might be of use to a competitor or foreign government. It means a blank phone or laptop!
For no-nonsense practical advice or help with any of the points made in this post, please contact ESID Consulting on firstname.lastname@example.org or telephone 0844 358 2362.
Gary is CEO and Founder of ESID Consulting, an Insider Threat & Information Security consultancy.