cybersecurity travel tips

Cyber security travel tips

November 16th, 2021 Posted in Information Security

The advent of many offices opening – and the ability to travel abroad – means that changes are afoot. A lot of us are used to working in the confines of our home offices or living rooms. Now, we can work from coffee shops, the office, on the train to work – even on the beach! Indeed, it looks like things are, slowly but surely, returning to normal. But, for many of us, it’s been a while since we’ve had to think about our digital security while on the go. So, if you want a reminder of how to keep your devices and data secure while commuting, working in public spaces, or travelling abroad, read on below for our cybersecurity travel tips.

Why workers on the go are a hot target for threat actors

First things first, let’s establish why cybersecurity while travelling is essential. Put simply, you’re more vulnerable to cyber attacks when you’re outside of the office. There are a few reasons for this:

When you’re in the office, you know the Wi-Fi network you connect to is secure. But, on the go, there’s no guarantee this will be the case. In fact, malicious actors are well known for creating phoney Wi-Fi networks explicitly designed to steal sensitive data or deploy malware onto the victim’s device. These attacks are known as Evil Twin attacks.

As well as this, it’s also much easier to lose your device or physical media (such as a USB stick) containing sensitive data when you’re out and about. One well-known example of this resulted in the Information Commissioner’s Office (“ICO”) fining Heathrow Airport back in 2018. There, an employee of Heathrow Airport left a USB stick, containing sensitive, unencrypted information, on an underground tube carriage in London. Luckily, the USB was handed to the authorities by a good-natured citizen. However, the ICO still fined Heathrow £120,000 for failing to meet its security obligations under the Data Protection Act 1998.

On the move

Not only is it easier to lose our devices while on the move, but – in the hustle and bustle – we may not spot a malicious actor. Shoulder surfing, for example, information, such as your personal data, simply by spying over your shoulder as you work on your laptop or mobile. On a busy train or in a café, you may not even be aware this is happening. Smartphone cameras make it relatively easy to take a sneaky photo of unprotected screens or documents as well.

Lastly, you may think that – if you log on to a hotel or public computer – then you’re exempt from any risk. Not quite. Any time you use a new device to log in to a corporate or personal email account, you potentially put your data at risk. Public computers cannot be trusted, as you don’t know who has accessed them before or what malware could be on them. It’s therefore paramount not to share, download or upload any sensitive information to public computers – not even through an application or website you are familiar with, such as your email.

Cybersecurity travel tips

The good news is that you can reduce the chances of your device and/or data being stolen while travelling with a few simple steps. Here are the most common threat scenarios and how to prevent them.

  1. Protect your device and yourself from the worst-case scenario
    According to research on security while travelling, one in six of us has lost or stolen a personal item during the work commute. Unfortunately, it’s impossible to completely eradicate the risk of this happening on public transport or while abroad. However, with a few precautions, you can lower the probability of your data on the device being compromised. First, you should set up your device with a complex PIN or password. If your device offers fingerprint or facial recognition locking, then we advise using this too. This will make it much harder for a threat actor to get into your device if they do steal it. Secondly, you should encrypt your devices using full disk encryption to help ensure that anyone who does steal cannot access its data through other means. Applying full disk encryption on your laptop (such as Windows Bitlocker) helps prevent threat actors from accessing your data by connecting your hard drive to another computer. Encryption also protects data on removable media such as USB sticks or external hard drives. Therefore, the winning combination is strong authentication (password, PIN and/or biometrics) and full disk encryption.Thirdly, you should also consider solutions that offer device tracking capabilities, remote locking capabilities and remote data erasure capabilities. If you are a corporate user, your employer may install a tool like this. If you are a personal user, various tools are available – a Google search will be your friend. These tools can help you to either recover your device or remove any sensitive data if it can’t be found. Lastly, we recommend you set up a password manager using a web-based application. These tools store all your passwords for different accounts in the cloud. That way, if you lose your device, you’ll still be able to continue working – as your passwords won’t be stuck on your lost mobile or laptop. Remember to set up the password manager using two-factor authentication to make your passwords even more secure.
  2. Watch out for shoulder surfing
    According to the Ponemon Institute research on the insider threat, 87% of workers have experienced someone looking at their laptop or mobile while on the morning commute. While this might be a fellow commuter’s idle stare much of the time, there is still the risk that the person viewing your screen could have bad intentions. The most basic way to defend against these attacks is to work with your back against a wall or barrier so that no one can look over your shoulder. Of course, when on the train or in a café, this isn’t always possible. In these cases, your next best bet is a privacy screen filter. These thin sheets of plastic are placed over your display interface. They manipulate optics so that only you, sitting directly in front of the screen, can see it. Anyone else, looking from an angle or from the right or left, will only be able to see a blank screen. For anyone who regularly works on the go, these protectors are a straightforward, inexpensive way to reduce the risk of data theft.Lastly, in the event that someone does snag your password by reading over your shoulder, we recommend you enable two-factor authentication for all your online accounts – particularly your banking ones. This provides an additional layer of security if your password is stolen, as another code is needed to verify a login request. Yes, they can seem a faff when you’re in a hurry and need to input a code but having your accounts hacked is a much bigger pain and not something you should risk.
  3. Use Wi-Fi with caution 
    Bluetooth and Wi-Fi sharing leave your device discoverable to the public – or to malicious actors. It’s, therefore, a good idea to disable both of these functions before you travel. Where possible, it’s also recommended to stick to using your mobile 4G network instead of connecting to an unknown Wi-Fi network. You can even tether your mobile device to your laptop, allowing it to link to the internet through your mobile provider. However, we also understand that mobile connections can be both expensive and unreliable while abroad or on a train. So, if you do plan to connect to a public Wi-Fi network, bear the below in mind:
    Make sure your connection is secure: Most websites use the HTTPS protocol, which you will see in the URL. If you can’t see HTTPS, but your browser shows a lock icon and the word secure, then this also means the website you are visiting is secure because the traffic between the site and your browser is encrypted. Most browsers, including Chrome and Firefox, will also automatically alert you if a website is not secure. If and when this happens, do not visit the page, and find an alternate website.
    Use a virtual private network (VPN): In theory, HTTPS should have your back, but not all sites have implemented it correctly and other types of web activity may not be encrypted. This is where a VPN helps provide an extra layer of security, high-standard VPNs are secure, encrypted network connections. A VPN create an encrypted tunnel between you and the VPN provider. This could be your employer’s organisation or a commercial VPN provider (be wary of free VPN services). Using a VPN helps prevent malicious actors from accessing your data on the public Wi-Fi network and, more generally, over the internet.Use public machines safely
    If you need to use a public computer while travelling, make sure to be very cautious about what details you share with the device. Never share, upload or download confidential information, as you should consider them as untrustworthy.

If you do need to log on to a personal or work account while on a public device, make sure you do not save any details on the machine and when you can log on to a trusted device, change your password for the account(s) immediately. Lastly, make sure you always log out of a public computer, never agree to save any passwords to the browser’s built-in password manager and consider using ‘private’ sessions to help prevent caching of information in the browser (browser leakage is still a risk but all the layers of security help provide what is known as ‘defence in depth’).

What if I lose my device?

In the event that your device is lost or stolen, or you feel like your data might have been breached, we advise you to be proactive. If you lose a corporate device or information, then we strongly recommend you report it. Your employer will likely have tools and procedures to mitigate the risk. A good security culture encourages the reporting of security incidents, no matter how embarrassing they are.

Data breaches are not something to bury one’s head in the sand about. In fact, the ICO tends to give smaller fines to those companies that report incidents quickly.

Need help?

We can help your organisation assess and improve its security posture. Whether you’re looking for initial guidance or managed security services, our friendly team are here to help.  Contact us today.

Matt Gerry

Written by Matt Gerry

Matt consults on information and cyber security, including incident response, security awareness and training, security gap analysis and certification advisory. Matt started his career working in large multinationals where he gained experience delivering large system implementations, leading projects, and handling key stakeholder relations. He holds an MSc in Information Security from Royal Holloway, University of London.