The increased volume of potentially valuable data coupled with the multiple entry points offered by the increased number of carried devices makes a business traveler increasingly attractive, not only to cyber criminals, but, in this age of global activity and access, to hostile foreign governments.
War stories abound in this new age of data warfare:
- Gregg Smith, CEO of Koolspan, a security company in Bethesda, MD, has seen cases of executives who have been personally targeted and one CEO who was compromised twice while traveling overseas.
- Kenneth G. Lieberthal, a China expert at the Brookings Institution, follows a seemingly paranoid procedure, choosing to leave his technology at home and only bring temporary loaner devices. He erases these devices before he leaves the United States and again when he returns. He turns off his phone and takes out the battery during meetings, in case his microphone is turned on remotely.
- Dave Anderson, a senior director at Voltage Security in Cupertino, CA, states that within an hour of landing in China, there will be malware on your mobile device.
There are several reasons why travel security is a concern.
The first is data leakage. In this massively and increasingly interconnected world of ours, we put tremendous quantities of data out on the Internet. Despite our best efforts to keep it secure, data leaks away from our control.
The most common ways data leaks happen include:
- Malware. Bad guys have myriad tricks to fool users into downloading a malicious program to their devices. Once installed, the malware can communicate with a controller and steal data from a device.
- Social engineering. Though the population at large has undoubtedly become more Internet savvy, bad guys still use fake websites and bogus e-mail to fool users into entering sensitive data into a form.
- Unsafe networks. Insisting on being connected all the time, we occasionally use network infrastructure that is unsafe.
- Outright theft. Even if users do nothing wrong, firms that capture personal and credit card information as part of commercial transactions may not secure it sufficiently to prevent its theft.
A second reason, deriving from the first, is black market traffic in personal data. In the early days, hacking was the sport of independent actors. But as e-commerce has become commonplace, data theft has become big business. Stolen credit card numbers are traded in bulk. An entire industry has sprung up to protect the unwary from identity theft.
Increasing interconnectedness has also brought theft of intellectual property—by no means a new pursuit—to the cyber realm. Businesses and countries routinely look for cyber vulnerabilities to steal secrets from competing firms. The difference today is that such secrets no longer reside only in an underground vault at headquarters, with a combination known only to three individuals.
If the secrets in question belong to governments rather than firms, we have a fourth reason for concern, geopolitical espionage. Hostile governments want to learn all they can about their enemies' military secrets, diplomatic strategies and tactics, and the like. But such espionage exists even between friendly nations, as evidenced by the recent Edward Snowden revelations.
Risks and Best Practices
The risks to travelers carrying and using technology abroad are diverse and significant, and it is no easy task to travel safely. Law firms have many years of experience securing laptops, but technology has expanded to include other equally capable devices, such as tablets and smartphones, that carry as much or more critical data and often are not well protected. Today's technology travelers have to be aware of their environment and take additional precautions. Below are some best practices for savvy travel.
Public computers are an obvious risk to avoid. When you use a workstation in a hotel business center or an Internet café, you have no idea what malware might be lurking there. Looking up sports scores, or consulting Google Maps won't expose any sensitive personal information. But check your bank balance or pay your credit card online, and a key logger can easily capture what you type and thus reveal your login credentials.
Even if you use your own laptop or smart device, most travelers still use public Wi-Fi hotspots to access the Internet. Public Wi-Fi is everywhere these days, offering the convenience of leaving your air card or MiFi at home. But public networks are inherently VERY unsecure. They cannot be password protected, and by their very nature, anyone can get on them and do mischief. What's more, bad guys routinely set up their own parallel wireless hotspots that impersonate the real ones to gather your critical information.
Cellular networks also can run the same risk of impersonation. Malicious actors can set up their own cell towers to intercept traffic from your smart phone. Cell phones are set to lock onto the closet cell tower. When roaming in a strange new land, how do you know that the service you're using is legitimate? It can be hard to tell. Typically, lower connection speed is the only indication that you have locked onto a faux tower. Worse, many carrier updates to your phone can be permitted by default, meaning that bad guys can easily load their malware onto your phone.
Additionally, there are what we might call location risks. It's one thing to visit a destination where ISPs try to act responsibly, quite another to travel to places where major cybercrime organizations are sanctioned, if not abetted, by government. The Russian Business Network operates with complete impunity and little fear of reprisal from Moscow. China's counterpart is formally part of the Beijing regime.
Inevitably your data-carrying technology will get lost or left behind. Make sure to enable any "find me" feature on your technology so you have a chance to recover any lost device. If it cannot be recovered, many devices now have a "remote wipe" feature that essentially removes your data. Other obvious precautions to implement on critical portable devices that will make unauthorized access more difficult include putting a PIN or passcode on the device and making sure the data is encrypted.
An easy security measure to take is to minimize. If you don't need it—don't bring it. Consider traveling with fewer devices, less capable technology, or even perhaps throw-away technology with no data storage capability. Also, minimize can mean disabling features—for instance Bluetooth is a very handy feature, but can be used to gain entry into phones and tablets. By shutting off unneeded features that path is blocked.
Most portable technology today has a microphone and even a camera. It sounds paranoid, but eavesdropping is a very real possibility. At a minimum, consider turning off your phone and removing the battery (if possible) in confidential meetings to prevent eavesdropping.
A new best practice is to sanitize your devices before and after a trip. Securely formatting and reinstalling ensures any technology is as secure as can be when starting a trip. Sanitizing devices after a trip ensures any security issues collected during the trip are gone.
Most firms today have users connect to the Internet only via virtual private networks (VPNs). This provides a safe, encrypted, channel to the firm's critical assets and data.
One last risk, less common but not unheard of, is coercion. In extreme cases, if a foreign government cannot probe or steal your valuable information stealthily, it might resort to brute force, threatening frightening consequences if you don't unlock your protected device and subject it to a cyber strip search. You may have no recourse but to comply. If you are carrying sensitive data, you should plan in advance what to do in such an event.
Where is this going?
Expect to see more clever and sophisticated ways to gain access to your traveling data. Traveling with technology and critical data will always have inherent risks. With all of these threats has travel become too dangerous for data? No. Just like walking down a dark street at night, it always pays to be smart, be prepared, stay alert, and anticipate problems. Good diligence, care and caution mean you can enjoy safe travel.
Devlin Barrett, "Americans' Cellphones Targeted in Secret U.S. Spy Program," The Wall Street Journal, November 13, 2014, http://online.wsj.com/news/article_email/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533-lMyQjAxMTI0NTEwMzAxMTMwWj.
Nicole Perlroth, "Traveling Light in a Time of Digital Thievery," The New York Times, February 10, 2012, http://www.nytimes.com/2012/02/11/technology/electronic-security-a-worry-in-an-age-of-digital-espionage.html?pagewanted=all&_r=0.
Robert McGarvey, "How to Keep Your Mobile Devices Secure," Travel + Leisure, March 2014, http://www.travelandleisure.com/articles/how-to-keep-your-mobile-devices-secure.
Matthew Goldstein, "Law Firms Are Pressed on Security for Data," The New York Times, March 26, 2014, http://dealbook.nytimes.com/2014/03/26/law-firms-scrutinized-as-hacking-increases/.
Judith Flournoy, "Law Firms Respond to Security Risks in Client Data," Law Technology News, July 7, 2014, http://www.lawtechnologynews.com/id=1202662139978/Law-Firms-Respond-to-Security-Risks-in-Client-Data?slreturn=20141015103745.
Bill Flynt, "Protecting the Crown Jewels: Information Security for the Business Traveler," Flynt Group White Paper, 2012, https://flynt.com/Flynt%20Group%20White%20Paper%20
Chris Baraniuk, "World Changing Ideas, "Surveillance: The hidden ways you're tracked," BBC, October 27, 2014, http://www.bbc.com/future/story/20141027-the-hidden-ways-youre-tracked?ocid=global_future_rss.
Harriet Edelson, "Keep Your Data Yours While Traveling," The New York Times, September 8, 2014, http://www.nytimes.com/2014/09/09/business/keep-your-data-yours-while-traveling.html.
Back to Contents