“All electronic devices bigger than a cell phone must be taken out of your bags and placed in a bin.”
If you are like me, every time I go through airport security…I get nervous that my laptop won’t be there when I get to the other side. When traveling, going through security should be the ONLY time you are letting that device out of your hands. It is also important to stay with your bin and collect it immediately following x-ray screening.
Traveling can pose a significant risk to information stored on or accessible through laptops, tablets, and smartphones. Here are some best practices to help you protect devices and mitigate risks to sensitive information before and during travel.
Before you go:
- Know the country you are traveling to and review any possible security restrictions, including encryption and export-controlled data.
- Bring ONLY the devices you need and always limit the amount of sensitive information you are taking with you to reduce the risk of exposure.
- Check with your IT department before traveling. Some organizations will issue loaner devices and set up temporary access accounts for use if employees are traveling to high-risk destinations.
Device Security:
- Verify your operating systems, applications, and anti-virus software are up to date. Remember to complete updates before you leave and not while you are traveling.
- Install and configure encryption software so that in the unfortunate scenario your device is lost or stolen, only you and people authorized can access and read the encrypted data.
- Log out of browsers and apps and remove any saved login credentials.
- Implement biometric locks on devices and ensure PINs or passphrases are complex and difficult to guess.
- Enable “Find my Device” tracking and/or remote wiping capabilities in case of loss or theft.
- Back up data on devices (again do this before you leave!).
While Traveling:
- Never leave a device unattended. Traveling brings an increased risk of loss or theft of devices. Keep your devices secured at the airport, on the plane, in ride shares, at conferences, and in the hotel room. Don’t put devices in checked baggage, and don’t accidentally leave your phone sitting on the seat in your Uber!
- Be aware of your surroundings and your conversations, and don’t inadvertently share sensitive information where others could overhear you.
- If you have paper files or sensitive documents, don’t leave files out in the open, even in your locked hotel room.
- If a device or information is lost or stolen, contact your organization’s IT department immediately.
Connectivity:
- Bring your own charger, and do not use public charging kiosks. Cybercriminals can load malware or monitoring software onto a device while plugged into public USB charging stations (this is commonly referred to as “juice jacking”). Use an AC power outlet with your own charger. If you ever see the prompt to “share data” or “charge only,” select charge only. Similarly, avoid using hotel USB ports.
- Only connect to legitimate, password-protected Wi-Fi (and connect using your organization’s VPN when possible). You can also consider using your phone as a personal hotspot if possible. Don’t transmit sensitive information or make purchases on public Wi-Fi networks.
- Don’t use public devices or business center computers. If you have to, don’t access sensitive sites or login to websites with personal information, and do not connect or transfer data via a thumb drive or USB. The security of public workstations can’t be trusted, and anything typed into the system – login IDs, passwords, data, etc. – may be captured.
- Disable remote connectivity and Bluetooth. Some devices will automatically connect to available wireless networks or applications in rental cars, etc.
- Make sure your devices aren’t checking in and displaying your location. Disable geolocation or tagging features within mobile applications.
Information and Email Security:
- Login to devices using a non-privileged account to provide additional protection against malware.
- Be careful about what information and/or photos you share or post on social media. Don’t share details prior to or during your trip. After all, you don’t want criminals to know your house is empty!
- While you don’t want to share vacation plans with your social media followers, it is okay to let your bank or credit card company know when and where you are traveling.
- Review emails related to your upcoming trip carefully. Scammers may learn about your trip and use that knowledge to send phishing messages with fake itineraries, travel warnings, restaurant information, fake hotel bills, etc. Criminals can also take advantage of your out-of-office time to spear phish other employees with emails that appear as if they are coming from you.
Return to the Office:
- Change any passwords you may have used during your travels.
- Scan for viruses and malware and update your security software.
- Review your recent account login activity to verify all activity was indeed you.
- Monitor devices and accounts for any suspicious activity.
- Report any suspicious activity immediately to your organization’s IT security department.
Laptops and mobile devices help employees stay connected and productive while traveling, however taking devices and information out of the office also increases the risk of data compromise. Make sure all staff understand these best practices to protect organizational devices and information on the road.