As we emerge from the pandemic, organizations will confront a new world of business travel and a new world of cybersecurity tips for travelers. What has changed? What hasn’t changed? 

The particular cybersecurity risks and threats that might face business travelers are, of course, always evolving. But during 2020 and 2021, most of our business travel was replaced by video calls and other alternatives. We stopped traveling. And yet, the landscape kept changing. Here’s what you need to know about what’s new in cybersecurity for travelers. 

Airport Smartphone Searches

The biggest change for U.S. business travelers is the legal status of smartphones. The U.S. Constitution’s Fourth Amendment says citizens have the right to be “secure in their persons, houses, papers and effects, against unreasonable searches and seizures”.

It’s still uncertain whether smartphones are covered under the “papers and effects” part of that clause. Specifically, can U.S. Customs and Border Protection agents search American citizens’ smartphones? 

The answer used to be no. Then the answer became ‘well, sort of’. But late last year, a U.S. appeals court ruled that Customs and Border Protection agents are allowed by law to search phones and laptops, including so-called “advanced searches”. They can legally do so without a warrant or even the burden of reasonable suspicion. Phone data is now fair game at the airport. 

The case stems from a lawsuit by a group of citizens including a NASA employee. Customs agents pressured scientist Sidd Bikkannavar to unlock a secure, government-issued phone.

It’s possible that this ruling may be overturned in future court cases. But, as we stand now, smartphone data is subject to search at border crossings and airports. All the previous airport cybersecurity threats still exist. Plus, now customs agents can search phones.

The law didn’t protect a NASA scientist. So it doesn’t protect your company’s business secrets or your personal privacy. 

The Travel Cybersecurity Angle on Vaccine Passports

The newest change that didn’t exist before the lockdowns, but does now, is the so-called vaccine passport or health certificate required for travel. These exist to show that travelers have gotten the COVID-19 vaccine, have recovered from the disease or have received a negative test result within the past two or three days.

The European Union, for example, is working on something called a Digital Green Certificate. The ‘certificate’ would be required for travel within the European Union, as well as to non-EU countries like Norway, Iceland and Switzerland. Foreign visitors to Europe will need to show acceptable proof that a traveler won’t infect others with COVID-19. And this concept will no doubt go global as countries open up to foreign travelers.

Other countries and regions have been working on similar programs, and there is a strong desire for these systems to work together. It’s likely that these schemes will be mostly electronic, displayable on smartphones as QR codes or barcodes.

Health passes that demonstrate the likelihood that the bearer is disease-free are likely to remain a permanent part of travel. They could also include certification of immunity to other diseases, including future pandemic viruses.

The Problem With QR Codes

The electronic versions of these passports will use QR codes, which are potentially problematic from a security point of view. They are trivially easy to copy — attackers can share or use a simple screenshot of a legitimate QR code. So, it will be imperative for these systems to be secure and user-authenticated. The digital versions of these health passes will also need to securely access medical records, as the immunity conveyed by vaccines is often temporary. 

For all these reasons, health passes represent a non-trivial security challenge for both the official bodies that issue them and for travelers and the businesses they work for. Border agents in some countries, for example, may use smartphone-based health apps as a pretext to take possession of unlocked smartphones. Then, they could bring the phones out of sight of the owners and possibly download their data.

Tomorrow’s Travel Involves New Documents

New documents require new cybersecurity tips, but some haven’t been in place long enough yet for good advice to come through. Another change in the world of business travel is the DTC, or digital travel credential. In late 2020, the United Nations International Civil Aviation Organization, the body that sets the global standards for passports, published a new standard. This DTC standard is a system for carrying the equivalent of a passport on one’s smartphone. (Notably, the standard uses blockchain as well as biometrics.) 

In the near future, it’s likely that business travelers (and tourists) will use smartphones, rather than passports. They may use the passport only as a backup document in case of questions or loss of the smartphone. 

In the short term, frequent travelers will use the DTC first — business travelers, mostly — as part of a seamless travel system. It will operate like today’s Global Entry, where the traveler fills out a questionnaire, goes to an interview and receives a background check. Then, in the future, they can sail past the lines and checkpoints that non-members have to suffer through.

New Doorway to Access Smartphone Data

A recent report found that the U.S. Customs and Border Protection agency purchased vehicle forensics kits for accessing data from cars. As car dashboards get smarter, more people are connecting their smartphones through Bluetooth or direct cable connection, and data flows between the car and the phone. Privacy advocates are concerned that this news represents a trend in which border agencies use these tools to circumvent legal restrictions on smartphone searches. 

Customs agents, spies and threat actors all have new tools that access smartphone data through cars. That means business travelers need new training, awareness and precautions in response. Keep this in mind when you rent cars or otherwise connect smartphones to smart car dashboard systems. 

Cybersecurity Tips to Match New Developments

We’re confronting a future in which business travelers’ smartphones will contain new categories of sensitive personal and business information. They can hold or provide access to contact lists, credit cards, business emails, chat histories, photos and more. They now could also contain access to passport information, health histories and other important data. 

Cyber attackers will understand that breaching a smartphone is the key to a universe of cyber crimes. It can open someone up to anything from social engineering attacks to blackmail to identity theft to embezzlement. State-sponsored spies will have new incentives to target the smartphones of business travelers. And customs agents will have new incentives to download or search the content of smartphones. New rules will allow them to do so globally more and more.

For this new world, we need new cybersecurity tips. On the outside, you should travel with a wiped second phone containing the minimum apps you need. Other travel cybersecurity practices will be evolving quickly over the next few years as we adjust to the new environment. 

So as we re-engage with the practice of business travel, it’s important to understand the new risks and threats and respond accordingly. From there, we can build new assumptions and cybersecurity tips into how our mobile security tools operate and how business travelers should behave while traveling.

More from CISO

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

What’s new in the 2023 Cost of a Data Breach report

3 min read - Data breach costs continue to grow, according to new research, reaching a record-high global average of $4.45 million, representing a 15% increase over three years. Costs in the healthcare industry continued to top the charts, as the most expensive industry for the 13th year in a row. Yet as breach costs continue to climb, the research points to new opportunities for containing breach costs. The research, conducted independently by Ponemon Institute and analyzed and published by IBM Security, constitutes the…

Cyber leaders: Stop being your own worst career enemy. Here’s how.

24 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. We’ve been beating the cyber talent shortage drum for a while now, and with good reason. The vacancy numbers are staggering, with some in the industry reporting as many as 3.5 million unfilled positions as of April 2023 and projecting the disparity between supply and demand will remain until 2025. Perhaps one of the best (and arguably only) ways we can realistically bridge this gap is to…

Poor communication during a data breach can cost you — Here’s how to avoid it

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…