April 2024 - Best Cybersecurity Practices for Traveling Securely

The weather is getting better and summer is right around the corner, which means the travel season will soon be in full swing.

Vacations are meant to be a time to relax, but for some high ranking executives and other employees, there still may be a time where they need to fire up one of their devices to address an issue at work. Or perhaps they simply just want to check in to see what the situation is at their business while they are away.

Of course, some people aren’t traveling for vacation, but rather specifically for work, which means it’s inevitable that they will be plugging away on a laptop or their smartphone.

For chief information security offices and other security professionals, this could cause a bit of a headache. They will not be able to see what their executives and employees are doing when they are away. This could become a problem, especially in instances where a work device may be stolen, or a person connects a work device to an unsecured network.

This blog post will lay out the security risks executives and employees face when they work while traveling, and measures CISOs can recommend and implement to ensure their organization is guarded by risk.

Working While Traveling Can Be Risky

Even though travel can be a relaxing time for those on the trip, that doesn’t mean they should let their guard down, especially if the person in question plans to work while they are out and about.

CISOs and other security professionals should inform everyone within their organization about these risks when people are traveling, whether it’s for pleasure or for business:

• Connecting to Public Wi-Fi Networks: Should an executive or an employee need to work while they are away, there’s a high likelihood that they will connect to a public Wi-Fi network to do so. While public Wi-Fi networks are convenient, they usually have minimal security measures in place, if any at all. Cybercriminals know this, and will monitor internet activity on these public Wi-Fi networks in hopes of seeing someone log in to an account and access sensitive information, which they could then steal outright, or capture their login credentials in order to steal the data at a later date.
• Device Theft Risks: Malicious actors may take a different approach to stealing valuable assets. Rather than monitor internet activity, they may try to outright steal the physical device altogether. This isn’t just limited to laptops and smartphones, but could also include flash drives and other devices that hold sensitive information.
• Suspicious Accessories Found in Public Spaces: Say for example you are working at an airport and you need to charge your smartphone. You head over to a charging kiosk and find a USB charger already plugged into one of the slots. You think it may have been left there innocently, but what you won’t know is that a malicious actor left it there on purpose. They want people to use their charger because once they do, the device will be infected with malware, and all of their valuable information will then be at risk.
  *** Phishing and Other Social Engineering Attacks**: In the event cybercriminals learn a high ranking executive is going on vacation, they may try and send them phishing emails that are allegedly tied to the trip. These malicious actors will impersonate legitimate institutions and send messages claiming there is perhaps something wrong with their upcoming trip. The hope is to have the executive respond to the email or click a malicious link, where they will be asked to turn over login credentials and sensitive information to remedy a “problem” that doesn’t exist.

Keep Your Executives and Employees Safe During Travel

CISOs and security professionals may not be going on these trips, but it’s highly recommended that they take the steps needed to ensure all employees are minimizing their cyber risk radius while they are away.

Here are some best practices security professionals can implement and recommend:

• Use a VPN: Security professionals should tell their employees to use a VPN when they are working in a public space. A VPN will mask the employee’s internet activity, preventing malicious actors from seeing what they are doing when they are online.
• Keep Physical Devices Secure: Whenever a physical device is not in use, employees should keep them secure in a location where only they can access them when needed. This can be done by storing them in a safe, but be sure no one else can access them when they aren’t around.
• Only Use Company Approved Devices and Accessories: Be sure all employees only use devices and accessories provided by the company. This way you can be sure all the equipment an employee uses has not been tampered with by a malicious actor.
• Set Up Device Policies: Security professionals should enforce strict device policies, which include remote wipe capabilities and that all devices are protected by encryption.
• Educate Employees on Cyber Scams: Keep your workforce up-to-date on the latest cyber scams. By educating employees on these scams, they will be able to pick up on the red flags normally associated with these attacks and will be less inclined to respond to a phishing email or click on a phony link.
• Set Up Multifactor Authentication: Set up multifactor authentication for all accounts employees will use. This will protect employees and their accounts if they were to lose their device or have a password compromised. Implementing MFA will make it that much harder for cybercriminals to breach accounts and steal data.
• Implement Lost Device/Security Incident Protocols: Security professionals should set up procedures for employees to report lost or stolen devices and guidelines for reporting security incidents while they are traveling. By building these out, security professionals can respond quickly and help limit damage.

Travel is meant to be relaxing for those on the trip, but that doesn’t mean cyber hygiene should be ignored, especially if an employee plans to work while they are gone.

However, that doesn’t mean everyone needs to be stressed out. By taking the measures highlighted above, CISOs, security professionals, executives and employees can both enjoy their time away while also protecting their organization and its valuable digital assets.