You are ultimately responsible for your travel security, be it physical or technical. But this is a tall order. You are most vulnerable when you move and travel because you operate outside of your daily pattern of life, including connecting to the Internet via a third-party service provider with which you may not be familiar.

There is no shortage of unscrupulous competitors or straight-up criminals who have decided you have information that they desire, and they could have you in their cross hairs. You don’t get to choose whether you are targeted, but you do get to control if you are a soft or hard target.

Is Your Hotel Room Secure? Probably Not

If you hold meetings in a hotel room, you may wish to familiarize yourself with the experiences of the CEO of Porsche. In 2008, Porsche scheduled a meeting in a hotel suite. A day prior to the meeting, the team setting up the suite discovered a baby monitor sitting under the sofa. It was innocuous enough that the Porsche team chalked it up to a previous guest having forgotten the monitor when they checked out.

To their credit, they engaged the hotel staff and found that this particular suite had not been used for many weeks, let alone by a family who would have used a baby monitor. The culprit was never determined, but one can glean a few facts from this: the use of the baby monitor put the listener in relative proximity, the culprit had foreknowledge of the meeting locale and the individual used a device that, if found, could easily be explained away by the target. Porsche no doubt did a review of who knew of the meeting locale and its purpose and tightened up the discussions.

Realize the hotel room is only a semisecure space, even if you lock the door. Items you leave in your room should not be considered secured. The hotel safe is to keep items from being lifted by an individual passing down the hallway or staff. Anyone who has ever forgotten the four- or six-digit code on the hotel room safe has had hotel personnel come to the room and open the safe using a commercially available device in seconds.

What Should You Do?

Understand that you don’t control your hotel room and that it may be under surveillance. Similarly, your room is not a safe locale for storing your devices. If you must leave your device in the room, ensure you always lock it down to an immovable object with a cable lock.

Is the Wi-Fi Secure? Almost Never

The hotel industry is focused on putting heads in beds, not information security. Many hotel Internet networks are open. In late 2014, Kaspersky Lab reported on Darkhotel, an advance persistent threat (APT) that targeted senior corporate or state visitors in various hotels in the Far East. The methodology was as much social engineering as it was technical implementation.

Travelers want and need Internet access, so they connect to the hotel network and then fire up their virtual private network (VPN). But what made Darkhotel so effective is that once the hotel network was penetrated by attackers, it allowed man-in-the-middle (MitM) placement of bogus pages to select targets. When targets powered up their laptops, they would be told that, in order to use the hotel network, they’d first have to download an app or widget — thus engaging the device prior to the VPN being put in place.

In June 2015, three hotels hosting the Iranian nuclear talks had their networks targeted and infected with the Duqu 2.0 virus. The variant was found by Kaspersky Lab to have been similar to the virus that had previously attacked Kaspersky’s own infrastructure. Kaspersky estimated the cost to develop this application to be more than $50 million. Nations invest in development of espionage tools at that level of funding — the individual thinking of travel security is no match.

What Should You Do?

With all due respect to hotel Internet connectivity, business travelers should avoid connecting to those networks. As detailed above, an open hotel network is ripe for exploitation. If you must use your laptop, tether it to your mobile device and connect to your company VPN, completely bypassing the hotel infrastructure.

Implement a Travel Security Program

Travel security is an investment in intellectual property and revenue preservation. Having a travel security program takes a large step forward in ensuring all personnel are protecting data in the manner that also best protects the company.

You should ask hard questions regarding your enterprise’s travel security regulations. The following examples are drawn from the author’s book, “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century.”

  1. Do you have a travel security program?
  2. Does this program include a list of countries posed as high-risk or extreme-risk to those employees or executives who travel or work outside the country of origin?
  3. Does your travel security program require these risk countries to be communicated to the executive team and the personnel responsible for travel?
  4. Does your travel security program identify expatriates working in high-risk countries?
  5. Do you have a traveler briefing program required before every trip to a high-risk environment?
  6. Do your employees understand never to leave confidential material unattended and to keep devices with them while traveling?
  7. Does your travel program monitor and debrief personnel having traveled to high-risk environments?
  8. Does the company’s security awareness and education program include a segment on travel?
  9. Does your travel program brief on the data aggregation capabilities of social networks? What about how the sharing of an itinerary can permit an adversary to document and collate travel plans?
  10. Does your travel program implement a sterile device program for high- or extreme-risk locales (i.e., throwaway mobile phones, sterile laptops, etc.)?
  11. Are these sterile devices reviewed for compromise upon the traveler’s return?
  12. Are all travelers issued cable locks and laptop privacy screens for their devices?

Travel is often an unavoidable aspect of business. Traveling in a manner in which the company’s assets are protected, however, is within reach of every company.

More from Intelligence & Analytics

2022 Industry Threat Recap: Manufacturing

It seems like yesterday that industries were fumbling to understand the threats posed by post-pandemic economic and technological changes. While every disruption provides opportunities for positive change, it's hard to ignore the impact that global supply chains, rising labor costs, digital currency and environmental regulations have had on commerce worldwide. Many sectors are starting to see the light at the end of the tunnel. But 2022 has shown us that manufacturing still faces some dark clouds ahead when combatting persistent…

Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space

View Part 1, Introduction to New Space, and Part 2, Cybersecurity Threats in New Space, in this series. As we see in the previous article of this series discussing the cybersecurity threats in the New Space, space technology is advancing at an unprecedented rate — with new technologies being launched into orbit at an increasingly rapid pace. The need to ensure the security and safety of these technologies has never been more pressing. So, let’s discover a range of measures…

Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023

Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands of dollars, compared to credit card data — which can go for as low as $10. On the dark web — a veritable eBay for…

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…