I read recently that high-profile corporate executives traveling overseas have become an increasingly attractive target for malicious hackers. Can you give some recommendations on how to protect sensitive data when execs travel, especially without inconveniencing them?
Unfortunately, there is little an enterprise can do to protect data without inconveniencing traveling executives. An Internet Crime Complaint Center advisory specifically describes insecure software update mechanisms being used to exploit travelers abroad, but there are many other ways for attackers to steal data from international users. Anyone traveling with sensitive data should be concerned about the valid threat of theft, so enterprises and users should do some prior planning to reduce the risk.
Enterprises can put into place security controls that protect data while users are traveling. The specific controls depend on the type of data being accessed, the travel destination and the resources available for security. The easiest way to protect data is to deploy a new secure laptop and to reformat and revalidate the hardware upon the executive's return. This process, used by Kenneth G. Lieberthal when he travels to China and documented in a New York Times article, addresses significant security requirements but is likely not reasonable for most organizations.
So how can companies reasonably protect sensitive data? Travelers should probably wait until they return from a trip before installing updates or making significant changes to their systems, but they may still need to access sensitive data while doing business internationally. Users can travel with just a tablet that doesn't store any sensitive data.
Enterprises should definitely have users inspect their hardware for planted recording devices or hardware keyloggers before use and change their password before leaving and upon return (or use two-factor authentication). Changing a password on a known secure device is important in case someone captured the password by shoulder surfing or other means.
Enterprises could also reasonably instruct travelers to use secure connections to access the minimum data necessary. Unless personal devices are as secure as the corporate devices, travelers should be wary of their privacy and the potential access their personal devices might give to corporate data. Any data stored on a device going abroad should be encrypted, but be aware that some countries might require travelers to hand over the data or to allow authorities to search a computer. Human rights organizations should take additional steps to ensure the security of their data.