I read recently that high-profile corporate executives traveling overseas have become an increasingly attractive target for malicious hackers. Can you give some recommendations on how to protect sensitive data when execs travel, especially without inconveniencing them?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Unfortunately, there is little an enterprise can do to protect data without inconveniencing traveling executives. This Internet Crime Complaint Center advisory specifically indicates insecure software update mechanisms being used to exploit travelers abroad, but there are many other ways for attackers to steal data from international users. Anyone traveling with sensitive data should be concerned about the valid threat of theft, so enterprises and users should do some prior planning to reduce the risk.
Enterprises can put into place security controls that protect data while users are traveling. The specific controls depend on the type of data being accessed, the travel destination and the resources available for security. The easiest way to protect data is to deploy a new secure laptop and to reformat and revalidate the hardware upon the executive's return. This process, used by Kenneth G. Lieberthal when he travels to China and documented in a New York Times article, addresses significant security requirements but is likely not reasonable for most organizations.
So how can companies reasonably protect sensitive data? Travelers should probably wait until they return from a trip before installing updates or making significant changes to their systems, but they may still need to access sensitive data while doing business internationally. Users can travel with just a tablet that doesn't store any sensitive data.
Enterprises should definitely have users inspect their hardware for planted recording devices or hardware keyloggers before use and change their password before leaving and upon return (or use two-factor authentication). Changing a password on a known secure device is important in case someone captured the password by shoulder surfing or other means.
Enterprises could also reasonably instruct travelers to use secure connections to access the minimum data necessary. Unless personal devices are as secure as the corporate devices, travelers should be wary of their privacy and the potential access their personal devices might give to corporate data. Any data stored on a device going abroad should be encrypted, but be aware that some countries might require travelers to hand over the data or allow them to search a computer. Human rights organizations should take additional steps to ensure the security of their data.
This was first published in November 2012