You are ultimately responsible for your travel security, be it physical or technical. But this is a tall order. You are most vulnerable when you move and travel because you operate outside of your daily pattern of life, including connecting to the Internet via a third-party service provider with which you may not be familiar.

There is no shortage of unscrupulous competitors or straight-up criminals who have decided you have information that they desire, and they could have you in their cross hairs. You don’t get to choose whether you are targeted, but you do get to control if you are a soft or hard target.

Is Your Hotel Room Secure? Probably Not

If you hold meetings in a hotel room, you may wish to familiarize yourself with the experiences of the CEO of Porsche. In 2008, Porsche scheduled a meeting in a hotel suite. A day prior to the meeting, the team setting up the suite discovered a baby monitor sitting under the sofa. It was innocuous enough that the Porsche team chalked it up to a previous guest having forgotten the monitor when they checked out.

To their credit, they engaged the hotel staff and found that this particular suite had not been used for many weeks, let alone by a family who would have used a baby monitor. The culprit was never determined, but one can glean a few facts from this: the use of the baby monitor put the listener in relative proximity, the culprit had foreknowledge of the meeting locale and the individual used a device that, if found, could easily be explained away by the target. Porsche no doubt did a review of who knew of the meeting locale and its purpose and tightened up the discussions.

Realize the hotel room is only a semisecure space, even if you lock the door. Items you leave in your room should not be considered secured. The hotel safe is to keep items from being lifted by an individual passing down the hallway or staff. Anyone who has ever forgotten the four- or six-digit code on the hotel room safe has had hotel personnel come to the room and open the safe using a commercially available device in seconds.

What Should You Do?

Understand that you don’t control your hotel room and that it may be under surveillance. Similarly, your room is not a safe locale for storing your devices. If you must leave your device in the room, ensure you always lock it down to an immovable object with a cable lock.

Is the Wi-Fi Secure? Almost Never

The hotel industry is focused on putting heads in beds, not information security. Many hotel Internet networks are open. In late 2014, Kaspersky Lab reported on Darkhotel, an advance persistent threat (APT) that targeted senior corporate or state visitors in various hotels in the Far East. The methodology was as much social engineering as it was technical implementation.

Travelers want and need Internet access, so they connect to the hotel network and then fire up their virtual private network (VPN). But what made Darkhotel so effective is that once the hotel network was penetrated by attackers, it allowed man-in-the-middle (MitM) placement of bogus pages to select targets. When targets powered up their laptops, they would be told that, in order to use the hotel network, they’d first have to download an app or widget — thus engaging the device prior to the VPN being put in place.

In June 2015, three hotels hosting the Iranian nuclear talks had their networks targeted and infected with the Duqu 2.0 virus. The variant was found by Kaspersky Lab to have been similar to the virus that had previously attacked Kaspersky’s own infrastructure. Kaspersky estimated the cost to develop this application to be more than $50 million. Nations invest in development of espionage tools at that level of funding — the individual thinking of travel security is no match.

What Should You Do?

With all due respect to hotel Internet connectivity, business travelers should avoid connecting to those networks. As detailed above, an open hotel network is ripe for exploitation. If you must use your laptop, tether it to your mobile device and connect to your company VPN, completely bypassing the hotel infrastructure.

Implement a Travel Security Program

Travel security is an investment in intellectual property and revenue preservation. Having a travel security program takes a large step forward in ensuring all personnel are protecting data in the manner that also best protects the company.

You should ask hard questions regarding your enterprise’s travel security regulations. The following examples are drawn from the author’s book, “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century.”

  1. Do you have a travel security program?
  2. Does this program include a list of countries posed as high-risk or extreme-risk to those employees or executives who travel or work outside the country of origin?
  3. Does your travel security program require these risk countries to be communicated to the executive team and the personnel responsible for travel?
  4. Does your travel security program identify expatriates working in high-risk countries?
  5. Do you have a traveler briefing program required before every trip to a high-risk environment?
  6. Do your employees understand never to leave confidential material unattended and to keep devices with them while traveling?
  7. Does your travel program monitor and debrief personnel having traveled to high-risk environments?
  8. Does the company’s security awareness and education program include a segment on travel?
  9. Does your travel program brief on the data aggregation capabilities of social networks? What about how the sharing of an itinerary can permit an adversary to document and collate travel plans?
  10. Does your travel program implement a sterile device program for high- or extreme-risk locales (i.e., throwaway mobile phones, sterile laptops, etc.)?
  11. Are these sterile devices reviewed for compromise upon the traveler’s return?
  12. Are all travelers issued cable locks and laptop privacy screens for their devices?

Travel is often an unavoidable aspect of business. Traveling in a manner in which the company’s assets are protected, however, is within reach of every company.

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…