Ever since devices became the mainstay of road warriors, business travel has always been a minefield when it comes to IT security, with new threats constantly arising.
The rise of "bring your own device"--now the popular acronym "BYOD"--starting in 2009 meant an exponential increase in every organization's attack surface as enterprises inherited the device vulnerabilities of individual employees. In 2014, we all got a wake-up call from DarkHotel, reminding us just how dangerous public Wi-Fi networks can be. And in 2018, we have a set of complex new challenges to deal with, driven by the ever-expanding specter of searches, surveillance, and censorship.
While government intervention still remains a concern primarily for those jetting to and from nations like China and Russia, even Western nations are demonstrating that crossing their borders can also present a threat to device and data security. New policies in the United States, for example, require travelers to "present electronic devices and the information contained therein in a condition that allows inspection of the device and its contents," and then-Secretary of Homeland Security John Kelly even suggested that visitors could be asked to hand over their social-media passwords and browsing histories.
This trend isn't going unnoticed by business travelers, concerned about protecting both their corporate and personal data. Over 40 percent of travel managers have reported seeing an increase in requests for or provision of information on immigration or border crossing in the last six months, according to an October 2017 Association of Corporate Travel Executives report.
So, short of asking their colleagues to go device-free, what can IT professionals and travel managers do to protect the devices and data of business travelers?
1. Minimize the amount of sensitive information on devices, especially at border crossings
Travelers should only have the files and emails they need for the business they are conducting while abroad on their devices. Basecamp's employee handbook even suggests that staff "wipe company data from your phone before crossing the border [and] restore it afterward." To make things easier, some services like 1Password even have a "travel mode" that removes data from traveling devices with a single click.
2. Equip travelers with VPNs
That's right, VPNs. Plural. Countries like the UAE and China are getting more sophisticated in identifying and blocking VPNs, so make sure you build in some redundancy. "Travelers might be surprised to arrive at their destination and find they can't access their favorite sites and services due to some countries blocking Gmail, YouTube and Spotify, among other other services," said Harold Li, vice president of ExpressVPN. "Fortunately, a VPN clears the way, ensuring censorship-free access to the internet." Li also adds that travelers should have their VPNs up and running on every device from the moment they connect in a foreign country to the moment they leave. A bevy of enterprise-oriented VPNs have cropped up from Perimeter 81, Vypr and Hotspot Shield.
3. Ensure two-factor authentication is turned on for all accounts
While two-factor authentication should already be on by default, it's worth underlining for travelers, who are at higher risk of having their credentials compromised. Remember, 2FA with an app like Google Authenticator or a hardware device like a Yubikey is more secure than SMS, particularly given that operators and governments may be able to read your text messages.
4. Use burners or double down on back up alternatives
If your company and its executives are high-value targets in their destinations, you may wish to take drastic measures and provide them with "burners"—devices that are wiped clean or even disposed of after the trip. While it may seem like a drastic measure, it's not unheard of. Skift CEO Rafat Ali explained that he buys burners when traveling to avoid being searched upon returning to the U.S., and Box security officer Joel de la Garza said at the State of Security Summit that "whenever an executive goes to a hostile foreign nation we send them with a Chromebook and then we donate it to a charity in east Palo Alto."
For those that cannot burn devices due to internal policies, government reporting restrictions or budgets a robust backup approach provides one alternative. A topic we discussed extensively at CIO last year, and in an update from enterprise backup storage leader Acronis at RSA Conference 2018 company executives showed the geometric growth of successful ransomware attacks.
The dollar volume of successful attacks--now in the $2 billion range--could more than double to $5 billion in the next two years. It turns out that while the technology that enterprise chooses can evolve, increasingly sophisticated ransomware approaches have evolved, too. Outside of burning all hardware after it enters a risky period where updates and vulnerability patches lack sufficient support, solutions that use an artificial intelligence approach to track new ransomware "mutations aren't just one approach but potentially the only one--going forward.