Between summer vacations, seasonal homes, and a continued rise of business travel post-COVID, it’s a busy time for travel and remote work. The ability to work from practically anywhere brings great opportunities, but also can increase cybersecurity risk. It doesn’t need to. There are simple, practical steps to give you peace of mind that you are not putting yourself or your company at risk when you are away from home or the office.
The most trustworthy Internet connections are the ones you control. Mobile phone tethering and hotspots give you greater control over your Internet connections and greater assurances that the components of your Internet access are trustworthy.
Untrusted Wi-Fi connections are prone to security risks including:
• Man in the middle attacks
• Weak encryption
• Spoofing and eavesdropping
This applies to obviously risky networks such as unsecured or public networks, as well as hotel Wi-Fi and internet access in short term rentals such as Airbnb. Attacking or impersonating hotel networks is a common tactic for cyber criminals, and the Internet at short-term rentals may be manipulated by the owner or attacked by criminals.
USB charging stations are another potential source of compromise. Malicious individuals can compromise your device through USB cords, so it is best to charge using your own power adapter connected to a power outlet.
Many of us think of VPNs only as something we need to use to remotely access corporate resources, but they can also play a critical role in securing web browsing and other internet activities.
Steps to Take:
• Those with corporate VPNs should configure them as “full tunnel” VPNs. This means that all traffic (including accessing the public Internet) is routed through the corporate network over an encrypted tunnel.
• Travelers without a corporate “full tunnel” VPN can use commercial VPN products that are designed to encrypt internet traffic without connecting back to a corporate network.
Shared computers, such as those in hotel business centers, libraries, or Internet cafes, are an even greater risk than unsecured networks. These computers are frequently infected with malware including keyloggers. Keyloggers are spyware that record what a person types on a device, including passwords
and other potentially sensitive information. Because this information is captured locally on the computer, common countermeasures such as encryption are ineffective against keyloggers. Using shared computers is one of the riskiest activities possible and should be avoided in all situations.
• Keep your mobile devices and laptop computers with you when possible
• Carry them on flights and do not put them in checked luggage
• Secure in public places such as airports and restaurants
• Use hotel safes to secure them when you are leaving them in hotel rooms
However, you should also prepare for the worst. Before going on a trip, assume that your devices will be lost or stolen and prepare accordingly, including:
• Encrypt all hard drives
• Secure devices with strong passwords
• Enroll devices with your IT department’s remote management software
• Enable location tracking
• Limit sensitive data stored locally
• Ensure that all critical data is backed up
• Remember that remote wipe is a great feature but far from bulletproof – savvy criminals know not to reconnect stolen devices to the Internet
While you are doing your trip preparation and thinking through the ramifications of potentially losing a device, it’s a good time to think about cyber hygiene more broadly.
• Enable multifactor authentication
• Use strong passwords on all of your accounts
• Update operating systems and applications
• Confirm that antivirus software is up-to-date
Preparing for travel is a good reminder to revisit these critical items.
Turn off automatic Wi-Fi and Bluetooth connection features while on the road. Change your laptop and mobile devices to require manual connections each time you wish to connect to the Internet and disable Bluetooth as often as possible.
Cybercriminals love when people post updates on social media. These let them know that you are away from home and away from the office, and often contain more detailed information about where you are, who you are with, your interests, etc. This is invaluable to criminals crafting detailed social engineering campaigns, including information about where you might want to request money to be transferred, for what purpose, and when you will be unreachable to confirm the instructions.
Before you go, discuss your communication plans with colleagues and remind them of security protocols. For example, you won’t make any sensitive requests such as money transfers or purchases over email or text without also confirming it in a voice conversation, even if you are going to be hard to reach or distracted with a family event. This is particularly important if you are in a position of authority.
Not all travel situations are created equal. A domestic visit to a relative’s house has a far different security profile than an overseas backpacking adventure trip or a trip to a foreign country known to engage in extensive cyber surveillance of U.S. nationals. For high-risk destinations, consider additional measures such as avoiding or minimizing access to sensitive resources and using temporary “burner” laptops or mobile devices without sensitive information.
Even if you haven’t been to a high-risk country that justifies extreme measures such as a complete wipe of your mobile device or laptop, it’s still a good idea to do some basic maintenance when you get home.
• Make sure antivirus software is updated and run a full scan.
• Keep an eye out for unusual behavior on your system or your accounts.
• Securely dispose of electronic keycards and scannable boarding passes and luggage tags as these may contain private information about you.
• If you connect to any other systems, such as connecting your phone to a rental car, be sure to securely remove the device and delete any data that may have been synched, such as contact information, text or call history.
Technology gives us the freedom to work from nearly anywhere at any time, but that flexibility comes with risks. The above steps will allow you an additional sense of security that your activities are not putting yourself or your organization at risk.