September 16, 2015 By Douglas Bonderud 3 min read

Travel security risks are nothing new. Evolving technologies and trends, however — such as the rise of on-demand Wi-Fi and the proliferation of mobile devices — are changing this risk landscape. Consider the case of Chris Roberts, a security researcher who claimed he hacked the in-flight entertainment (IFE) system and caused the plane to climb, or more recent instances of incredibly poor in-flight Wi-Fi security.

The result? Travelers are now faced with the prospect of both physical and mobile device risks thanks to new threat vectors, necessitating a change in overall security strategy. Are passengers better served with a carry-on solution that requires constant oversight, or should they opt for a checked baggage scenario in which travel security naturally makes the trip?

My Way or the Wi-Fi?

When it comes to empowering mobile device users on the road, companies face an uphill battle. While employees don’t actively try to sabotage security efforts, they’re naturally resistant to corporate oversight, leading some organizations to back off and allow even limited access from less-than-secure phones and tablets.

But according to Robert Patey, director of demand generation at Fiberlink, “The onus for securing data doesn’t change depending upon device, operating system, time or location. The CIO and CISO are responsible to ensure data security.” This typically takes the form of enterprise mobility management (EMM) applications that allow IT staff to monitor device use and ensure security requirements are met before allowing access. As for employees, Patey argues they “need to release a bit of their Big Brother apprehensions and allow for EMM apps to be housed on their devices.”

Patey compares Wi-Fi access points — in coffee shops, office buildings or even in flights — to wide-open highways complete with bad drivers and shady rest stops. EMM tools act as built-in navigation systems, helping users avoid the wrong turnoff or anticipate a collision. In addition, mobile security solutions ensure that all data is encrypted to keep others from overhearing conversations or peering in the windows.

For Patey and Fiberlink, travel security is something every user needs to carry with them no matter where they’re headed. Combined with solid security training — for example, ensuring users don’t fall for insecure Wi-Fi hotspots, always connect using a virtual private network (VPN) and understand that not all countries view digital privacy the same way — it’s possible to limit the chance of exposure when getting from point A to point B.

This Is Your Captain Speaking

But what happens if the plane, train or car being used is the victim of an attack? This risk speaks to the need for built-in security that addresses problems at the most basic level to deal with everything from distributed denial-of-service (DDoS) attacks to more sophisticated hack-and-control attempts. According to Chris Poulin, research strategist with IBM Security X-Force, the biggest thing companies can do to protect onboard computers or central access hubs is encrypt data. This doesn’t come as a surprise, and most companies already have a solid strategy in place to handle data in motion using TLS encryption over HTTPS connections.

When it comes to data at rest, however, enterprises often struggle with the trade-off between protection and access. While techniques such as full-disk or on-the-fly encryption offer maximum defense, they also make on-demand access more difficult. Complicating the problem further is that many companies haven’t invested in asset list or data discovery tools, in turn limiting total visibility.

Poulin offers a compromise: monitoring. Even if companies can’t always encrypt data over their network, the right analysis tools make it possible to detect the majority of attacks during their initial phase rather than after attackers have wrested control from pilots or drivers. In most cases, these tools aren’t inherent to workstations and must be leveraged through third parties, which speaks to the need for vendor vetting; IT security is only as strong as the weakest partner.

Consider the example of requirements set by the Health Insurance Portability and Accountability Act (HIPAA). Under this law, if more than 500 reports are stolen or compromised, companies are obligated to disclose this information to the relevant authorities. This is in the hope that effective monitoring will reduce the chance of high-volume document loss and give companies the upper hand in fighting cybercriminals.

In-Hand or Onboard

Are companies better served by equipping employees with EMM tools and VPN gateways, or by baking in tech security at the systems level to limit the chance of malicious attacks on core business functions? Ultimately, this is a two-sides-of-the-same-coin argument; Patey and Poulin don’t offer conflicting advice, but a road map for companies looking to safeguard data in motion and at rest. Bottom line? Both travelers and their means of transportation are possible attack vectors. Better to check one security solution and carry on another rather than risk either being left behind.
