I read recently that high-profile corporate executives traveling overseas have become an increasingly attractive...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
target for malicious hackers. Can you give some recommendations on how to protect sensitive data when execs travel, especially without inconveniencing them?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Unfortunately, there is little an enterprise can do to protect data without inconveniencing traveling executives. This Internet Crime Complaint Center advisory specifically indicates insecure software update mechanisms being used to exploit travelers abroad, but there are many other ways for attackers to steal data from international users. Anyone traveling with sensitive data should be concerned about the valid threat of theft, so enterprises and users should do some prior planning to reduce the risk.
Enterprises can put into place security controls that protect data while users are traveling. The specific controls depend on the type of data being accessed, the travel destination and the resources available for security. The easiest way to protect data is to deploy a new secure laptop and to reformat and revalidate the hardware upon the executive's return. This process, used by Kenneth G. Lieberthal when he travels to China and documented in a New York Times article, addresses significant security requirements but is likely not reasonable for most organizations.
So how can companies reasonably protect sensitive data? Travelers should probably wait until they return from a trip before installing updates or making significant changes to their systems, but they may still need to access sensitive data while doing business internationally. Users can travel with just a tablet that doesn't store any sensitive data.
Enterprises should definitely have users inspect their hardware for planted recording devices or hardware keyloggers before use and change their password before leaving and upon return (or use two-factor authentication). Changing a password on a known secure device is important in case someone captured the password by shoulder surfing or other means.
Enterprises could also reasonably instruct travelers to use secure connections to access the minimum data necessary. Unless personal devices are as secure as the corporate devices, travelers should be wary of their privacy and the potential access their personal devices might give to corporate data. Any data stored on a device going abroad should be encrypted, but be aware that some countries might require travelers to hand over the data or allow them to search a computer. Human rights organizations should take additional steps to ensure the security of their data.
Dig Deeper on Data Loss Prevention
Related Q&A from Nick Lewis
IP devices like multifunction printers and faxes may be an attack vector. Expert Nick Lewis explains the vulnerabilities, and how to secure them ...continue reading
AceDeceiver is a Trojan that can install itself on iOS devices without any certificates. Expert Nick Lewis explains how it works, and how enterprises...continue reading
USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.