News & resources

Special Report - Staying Cyber-Safe Whilst Travelling

Back to blog

THE INCREASING CHALLENGE OF CYBER SECURITY AMIDST A GROWTH IN THE INTERNATIONAL BUSINESS TRAVELLER SECTOR

Traveller on mobile device

  • Global business travel in 2019 presents unique cyber security challenges when crossing international borders

  • Whilst modern data encryption measures afford a high level of cyber protection, attempting to enter a country with an encrypted device can bring about unique security challenges in itself

  • Governments are increasingly concerned over the potential threat to their national security due to encrypted devices being carried by terrorists

  • The very nature of modern day international business travel requires the use electronic devices to conduct business in situations where data may be at risk of being compromised unless secured

  • Many companies and their global travellers are unaware that all countries can reserve the right to inspect your data as you enter the country, encrypted or not

Situation

International business travel is a critical necessity of many corporations worldwide, with continued growth in this sector expected to reach $1.7 trillion by 2022 according to the Global Business Travel Association (GBTA). This growth bucks the trend of previous year’s, pre-2016 when the digital communication era exploded onto the scene bringing reliable video conferencing, fast secure data exchanges and cheaper international payment facilities. Many companies operating globally saw an opportunity to streamline costs and risk by negating the need to send their employees across the other side of the world to conduct business meetings which could be held digitally within the boardroom, without ever leaving the office, at a fraction of the cost. 

However, despite increasingly sophisticated technology which enhances the capability of conducting international business remotely, the fact still remains many global corporations understand that the need for face-to-face business meetings far outweighs the cost, risk and time involved in sending employees overseas to develop and grow commercial relationships. 

For companies based in countries where traditional cultures and values carry’s significant importance, such as in Asia and the Middle East, it is simply not possible to conduct business other than in person, where it takes time to invest in building trust and respect. This is further supported by evidence from Oxford Economics, who have identified that the rate of converting prospects to actual customers virtually doubles when a face-to-face meeting is added. 

As a result, travelling internationally is a necessity for company employees which cannot be avoided, and despite the significant risks to information stored on or accessible through computers, tablets and smartphones; mitigation protection measures can be deployed. Whilst some of the risk is associated with increased opportunities for the malicious theft of data, or the device itself, the mere distraction of international travel can in itself create risk and leave unwitting travellers exposed to data vulnerabilities.

Analysis

International travellers are increasingly reliant on fast, reliable access to a wealth of digital information, even while travelling. They demand instant access to their virtual office regardless of location or time of day and this is almost always done remotely via the use of portable electronic devices which can offer the traveller both communications services and secure access to business critical data. 

Most companies have been using secure internal information technology infrastructures for several years and modern counter cyber-attack security measures can mitigate against even the most persistent of attack actors. However, there is a weak link in the chain in terms of the end user. 

Devices such as personal digital assistants (PDAs), cellular and smart phones, laptops and tablets can all be secured, but the person operating them, and indeed accessing data remotely, must be made aware of the associated risks they face whilst travelling on international business. 

As part of educating travellers regarding what measures they can take to limit the potential for threats to expose vulnerabilities and create risk, they also need to understand that the very measures designed to protect them, can also bring about unforeseen challenges when crossing international borders. 

For example, such is the risk of compromise in some high cyber risk countries that an expectation exists whereby any devices taken into the country will be accessed remotely and unencrypted data copied as a norm. This makes it essential that international travellers are fully briefed regarding ICT entry requirements into each country, particularly those assessed as high ICT risk (including Bahrain, China and Russia) and that they are provided with the necessary training to understand what mitigation measures should be implemented before travel. 

However, there are occasions when the risk of data compromise is taken out of the travellers hands, and this doesn’t always relate to the more obvious high cyber security risk countries such as Russia and China. There are instances where the measures deployed by border security agents in western countries have also placed sensitive corporate data at risk, and this is something which the traveller cannot control or mitigate against. 

One such high profile case relates to a NASA employee called Sidd Bikkannavar, a US citizen who worked as an engineer within the agency’s Jet Propulsion Laboratory. In January 2017, Mr Bikkannavar flew into Houston airport after a recreational trip to Chile where he had spent some down time supporting a solar powered race team, something he enjoyed in his spare time. 

On attempting to cross the US Border, Customs and Border Protection agents detained him, seized his NASA cell phone and forced him under duress to submit the password for the phone, following which it was digitally searched using forensic tools to capture and analyse the private information contained in the device, including emails, texts, and other private information. There are a number of other similar high profile cases including: 

  • Two news journalists and their assistant who were held by Turkish officials after encryption software was allegedly found on the assistant’s computer.
  • An American citizen who was denied entry into Israel after she refused access to her emails.
  • David Miranda, who was detained at London’s Heathrow Airport carrying documents from NSA whistle-blower Edward Snowden on encrypted thumb drives. 

Despite Sidd Bikkannavar seeking recourse through the US courts amid significant support from a number of civil liberties groups, experts warn that legally there is little travellers can do in the same situation if they wish to enter the country, irrespective of whether they are citizens or not.

 
Implications

The implications of having electronic devices stolen or sensitive data being compromised can be far reaching, extremely disruptive and increasingly costly. Not only is there an inherent risk to the company’s brand reputation and trademarks, the financial implications can be so crippling that in some cases companies cannot recover. The US National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months following a cyber related attack. For middle market companies, the average price of dealing with the aftermath of a cyber-attack is over $1 million. 

Measures to mitigate the risk exposure of international travellers operating in foreign environments are already highly developed and afford a high level of security; however they do require changes in how the end user goes about their business. And there is an increasingly greater emphasis placed on the traveller to understand why they face an increased risk when carrying out mundane tasks, such as accessing the internet or the way data is stored or exchanged across devices. 

However, companies must also take responsibility for establishing stringent data security protocols, policies, practices and procedures that form part of the core of the company’s business operations globally, and are instilled in the workforce through a continuous process of coaching, training and evaluating. 

Additionally, there is also a need for international travellers to be knowledgeable as to the measures afforded to them aimed at mitigating against cyber threats, given their use could impact on their civil liberty and result in data being compromised should they be forced to give up encryption passwords or provide access to electronic devices. 

Changing border policies under the guise of ‘national security’ are increasing globally, and this doesn’t just affect countries traditionally identified as posing a high cyber risk. The involuntary handing over of electronic devices for review by official governmental agencies is becomingly increasingly common, escalating the risk of data compromise. Whilst this differs from the threat posed by cyber criminals looking to exploit security vulnerabilities to steal data for financial gain, it still poses a serious risk to global corporations, particularly those involved in defence and the science, technology, engineering, and mathematics (STEM) industries.

Advice

    • Always take ‘clean’ equipment where possible. An increasing number of companies offer clean laptops for travel, loaded only with what the traveller needs for that business trip. Any sensitive information can then be accessed over the internet once they arrive at their destination and deleted before returning.

    • Have clear guidelines - it is important to have a corporate policy on encryption. Universities have been particularly stringent on this as students on research programmes can be subject to suspicion as they undertake their research abroad.

    • Ensure you are aware of the rules surrounding encryption, and the legality of entering a country with an encrypted device.
    • Password protect all devices using strong complex password layers and ensure that both company and personal devices are protected by a two stage authentication process.

    • Disable remote connectivity such as Bluetooth, Wi-Fi, and file sharing when not in use, and always decline to allow others to connect a USB or portable device to any of your equipment but especially your laptop or mobile phone.

    • Plan ahead – understand that there is a possibility you may be questioned by customs officials. Carrying a headed letter in the local language stating that your equipment uses commercial encryption software and that the information is normal business information in relation to your role, might prove to be useful if you do face questioning at a border.

    • Never use USB drives or software received as gifts or promotional items until they have been verified clean by your IT group.

    • Backup important data that will travel with you.

    • Assume all internet connections as insecure and use a VPN at all times.

    • Do not plug your device into USB charger kiosks.

    • Disable remote connectivity such as Bluetooth, Wi-Fi, and file sharing where possible.

    • Do not leave devices unattended. Even hotel safes should not be considered secure.