Light Dark
September 16, 2015 By Douglas Bonderud 3 min read
Data Protection

Travel security risks are nothing new. Evolving technologies and trends, however — such as the rise of on-demand Wi-Fi and the proliferation of mobile devices — are changing this risk landscape. Consider the case of Chris Roberts, a security researcher who claimed he hacked the in-flight entertainment (IFE) system and caused the plane to climb, or more recent instances of incredibly poor in-flight Wi-Fi security.

The result? Travelers are now faced with the prospect of both physical and mobile device risks thanks to new threat vectors, necessitating a change in overall security strategy. Are passengers better served with a carry-on solution that requires constant oversight, or should they opt for a checked baggage scenario in which travel security naturally makes the trip?

My Way or the Wi-Fi?

When it comes to empowering mobile device users on the road, companies face an uphill battle. While employees don’t actively try to sabotage security efforts, they’re naturally resistant to corporate oversight, leading some organizations to back off and allow even limited access from less-than-secure phones and tablets.

But according to Robert Patey, director of demand generation at Fiberlink, “The onus for securing data doesn’t change depending upon device, operating system, time or location. The CIO and CISO are responsible to ensure data security.” This typically takes the form of enterprise mobility management (EMM) applications that allow IT staff to monitor device use and ensure security requirements are met before allowing access. As for employees, Patey argues they “need to release a bit of their Big Brother apprehensions and allow for EMM apps to be housed on their devices.”

Patey compares Wi-Fi access points — in coffee shops, office buildings or even in flights — to wide-open highways complete with bad drivers and shady rest stops. EMM tools act as built-in navigation systems, helping users avoid the wrong turnoff or anticipate a collision. In addition, mobile security solutions ensure that all data is encrypted to keep others from overhearing conversations or peering in the windows.

For Patey and Fiberlink, travel security is something every user needs to carry with them no matter where they’re headed. Combined with solid security training — for example, ensuring users don’t fall for insecure Wi-Fi hotspots, always connect using a virtual private network (VPN) and understand that not all countries view digital privacy the same way — it’s possible to limit the chance of exposure when getting from point A to point B.

This Is Your Captain Speaking

But what happens if the plane, or train or car being used is the victim of an attack? This risk speaks to the need for built-in security that addresses problems at the most basic level to deal with everything from distributed denial-of-service (DDoS) attacks to more sophisticated hack-and-control attempts. According to Chris Poulin, research strategist with IBM Security X-Force, the biggest thing companies can do to protect onboard computers or central access hubs is encrypt data. This doesn’t come as a surprise, and most companies already have a solid strategy in place to handle data in motion using TLS encryption over HTTPS connections.

When it comes to data at rest, however, enterprises often struggle with the trade-off between protection and access. While techniques such as full-disk or on-the-fly encryption offer maximum defense, they also make on-demand access more difficult. Complicating the problem further is that many companies haven’t invested in asset list or data discovery tools, in turn limiting total visibility.

Poulin offers a compromise: monitoring. Even if companies can’t always encrypt data over their network, using the right analysis tools, it’s possible to detect the majority of attacks during their initial phase rather than when attackers have wrested control from pilots or drivers. In most cases, these tools aren’t inherent to workstations and must be leveraged through third parties, which speaks to the need for vendor vetting; IT security is only as strong as the weakest partner.

Consider the example of requirements set by the Health Insurance Portability and Accountability Act (HIPAA). Under this law, if more than 500 reports are stolen or compromised, companies are obligated to disclose this information to the relevant authorities. This is in the hope that effective monitoring will reduce the chance of high-volume document loss and give companies the upper hand in fighting cybercriminals.

In-Hand or Onboard

Are companies better served by equipping employees with EMM tools and VPN gateways, or by baking in tech security at the systems level to limit the chance of malicious attacks to core business function? Ultimately this is a two sides, same coin argument; Patey and Poulin don’t offer conflicting advice, but a road map for companies looking to safeguard data in motion and at rest. Bottom line? Both travelers and their means of transportation are possible attack vectors. Better to check one security solution and carry on another rather than risk either being left behind.

 |  |  |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature