In 2019 cyber risks topped the Travelers Risk Index for the first time. And the data shows us these fears are valid.
Often in possession of both personal and business-related data, business travelers are uniquely vulnerable targets for cyberattacks. However, unlike personal exposure, the risk posed by business travel goes far beyond the cost of replacing compromised equipment. Traveling employees who fall victim to public WiFi scams or USB ploys potentially expose sensitive data or the installation of spyware – putting the entire organization at risk.
Although the scale of travel-related risk varies from country to country, this problem transcends national borders. With the right software, bad actors can covertly activate a camera, monitor emails, read stored files and steal users’ IDs and use that information to severely harm American businesses.
Let’s explore the risks US travelers face when abroad and steps you can take to protect your devices while traveling.
Business Travelers Are a Big Target
Everyone needs to practice good security hygiene, but some targets are much more attractive than others. For example, extra precautions should be taken for senior executives or employees with access to especially valuable intel. Of course, CEOs and other members of the C-suite are preferred targets for attacks. According to a recent research report, C-level executives were 12 times more likely to be targeted in 2018 than they were in 2017.
In recent years there have been several major attacks targeting senior executives who were traveling. One such attack, known as Darkhotel, compromised hotel WiFi networks for highly targeted attacks on VIP guests at hotels across Asia. Alarmingly, the attacks used social engineering tricks to get targets to download malware from fake WiFi login pages before they could engage a VPN.
While less sophisticated, simple tools like WiFi Pineapples are effective at intercepting signals from a target’s device as it searched for a known network. Once a cybercriminal knows the names of networks a target has connected to previously, they can set up a spoof network and gather intelligence on the target’s travel behavior, such as where an executive spends vacations or the names of networks where they work.
This kind of intelligence is valuable to attackers and it’s easy to find even more information on a target by searching for identities on the dark web or public-facing websites. Cybercriminals dump huge troves of stolen data on dark websites for anyone to find — everything from names and email addresses to passport numbers and even travel itineraries for upcoming trips.
With this information, an adversary can create spear phishing or social engineering attacks, such as communications claiming to come from a hotel or airline.
Security Begins With Education
No connection is safe for the at-risk business traveler, but teaching employees to spot risk can save a business from disaster. As usual for security measures, education is the first step to protecting your assets.
Common tactics used to gain access to travelers systems include fake WiFi spots in hotels, airports and cafes that can read and store critical password data. Travelers with valuable data should be cautious before using hotel business centers and hard-cable internet access in hotel rooms. Even Bluetooth technology makes laptops, smartphones and tablets susceptible to remote connections.
Device charging and storage ports also have related risks. Leaving a laptop in an empty hotel room can leave the traveler open to exploitation in countries that practice state-sponsored cyber-crime, while USB stations at airports may potentially be downloading stored data.
Changing border control policies have enhanced cyber-risk too. Electronic devices are now subject to far higher levels of scrutiny than ever before. Over the last 20 years, the number of international travel departures worldwide has doubled to 1.3 billion, prompting increased scrutiny of devices domestically and abroad.
Since 2008, U.S. Department of Homeland Security agents have been allowed to search through files on laptops, smartphones and other digital devices when you enter the country, even when there is no reasonable cause. They can keep data or the entire computer, copy what they want and share this data with other agencies and force you to give the password if the data is encrypted. Outside the U.S. rules concerning cross-border transportation of communication devices and data vary in degree and level of enforcement.
Aviation companies are no less dangerous. In efforts to create seamless customer experiences, airlines have created greater risks for travelers. In 2016 alone, there were 1,000 cyberattacks each month on aviation systems and in 2017, Latam Airlines and Ukraine’s Boryspil airport were both hit by ransomware. However, in 2018, Munich’s airport took steps to prevent further risks by bringing together their IT specialists with European aviation experts to develop strategies to defend against cyberattacks.
Tips for Travelers to Mitigate Cyber Risk
The steps required to secure your company and personal data while traveling are not all obvious but they are all vital. In addition to keeping a sharp lookout for possible risks, be sure to:
- Turn off or lock your phone or tablet at airport security.
- Turn off location monitoring services for mobile devices.
- Avoid accessing sensitive data and networks when traveling.
- Limit remote access to your device, disable text auto-correct, Bluetooth and WiFi.
- Create a WiFi hotspot via your smartphone and use a Virtual Private Network to encrypt your data, even if it makes your connection slower.
- Assume conference room microphones, telephones and video-conferencing equipment are compromised.
- Take as few devices with you when you travel as possible and never leave them un-attended.
- Charge devices by plugging a supplied power cord into a regular electrical outlet or using your own battery-powered mobile charging device. It doesn’t hurt to carry a backup battery or charging brick.
- If you must recharge via USB at a station, power off the device before plugging it in.
- Do not use any device offered to you by a third party and never allow anyone else to use your devices.
- Avoid downloading any software onto your devices during your visit and get your IT team to check your devices post-trip.
- Assume any device screened as part of border controls has been exploited.
The best weapon against cyberattacks is education. If your company is without security protocols for local or traveling employees, you can use this template for create a starter ruleset, but consulting a professional managed services security provider is recommended to develop a robust policy.
Before traveling, it’s useful to have security experts conduct penetration testing to improve preparedness to prevent and respond to data breaches.
To learn more about penetration testing and setting your employees up for safe travels, contact us today.