One of the great myths of executive travel is the benefit of racking up hospitality rewards for grand vacations in Fiji or the Swiss Alps. In reality, trips are frequent, exhausting and sometimes bound for undesirable destinations that present a slew of security issues.

Travel Security Challenges and Best Practices

While you may not have much say in when and where you travel, understanding your trip’s goals can help determine the best business security practices. A quick, one-day trip to meet a business partner might mean you can leave your computer at home, for example. A month-long globe trot to multiple satellite offices, client meetings and a little R&R would require a more rigorous approach to securing all of your devices.

It is equally important to know the purpose of your trip, the systems and access you will require while traveling, the sensitivity of information you will be handling and the available security resources. These points will determine what travel security precautions you should take before you even pull out your suitcase.

Bring a Bat Phone

Ideally, you would never take your own phone on a trip. Instead, take a burner phone that contains no personal data. Cybercriminals can use information you may not consider sensitive to facilitate attacks or steal your identity. They can use your contact list, phone call history, texts, personal email and calendar to target other members of your organization or compromise even more sensitive data.

Do not leave any IT device, including mobile phones, unattended. Hotel safes offer little protection from determined attackers, corrupt hotel employees or the host government. If you must leave your things unattended for social or cultural reasons, assign a trusted member of your party to watch all computer and communications gear. If possible, leave them secured at the local embassy or consulate.

Consider disabling your computer’s USB ports as well. You should also use a video camera cover, a laptop screen privacy cover and microphone jack disabler.

Software Security

Be sure to complete virus definition and patch update activities before your departure. Always assume your devices will be compromised upon arrival. In addition to local intelligence services, you may be targeted by agencies from other nations, criminal organizations and commercial competitors.

To avoid a compromise, review and harden the software build of all your equipment prior to your trip. This may include disabling unnecessary features such as the microphone, camera and Bluetooth capabilities.

You should expect any online services you use to be compromised the moment you arrive, but there are steps you can take to protect yourself. Have an assistant forward email to a temporary account that you will delete once you return home, for example. Forwarded emails or excerpts should never contain sensitive information.

Additionally, never update software while connected to an untrusted access point. Disable Java and all noncritical plugins and only allow JavaScript on trusted sites. Don’t click on ads or pop-ups or open email attachments from untrusted senders.

Handling Classified Information

Deleting or moving sensitive information prior to travel is not always sufficient. Take a separate device when traveling to countries of concern so you can minimize the sensitive files — including email history — on your devices. Accept no media or files from untrusted parties, including your host. You can view files on your host’s devices when required.

Bring your PowerPoint or other documents to be shared with hosts on a USB drive, then securely dispose of the device when it’s no longer needed. Do not download files to a device in-country. Most importantly, be sure to promptly and securely delete files once they are no longer needed. Never plug anything into your computer that has been in contact with untrusted systems or media. Upon return, dispose of devices used in countries of concern, or at least have them forensically wiped and rebuilt.

Use strong encryption — including full-disk encryption — on all devices that will accept it to protect data at rest. However, you must recognize that these systems can be defeated. When a device passes through customs, for example, it is subject to inspection and may need to be powered up. If so, use trusted platform module (TPM)-based disk encryption and minimum Federal Information Processing Standard (FIPS) 140-2 level 3 devices or the highest level available.

It’s easier to follow these best practices if noncritical features and ports are disabled because it eliminates the social awkwardness of a perceived lack of trust. This awkwardness can be used as a social engineering attack vector.

Destination Unknown

Have devices transported to the local embassy of your destination in a diplomatic pouch, if possible. If your party can travel with an accredited diplomat, he or she can use diplomatic immunity to protect the entire party’s devices from inspection. If you cannot travel with an accredited diplomat, try to have one meet you at the airport ahead of customs.

Assume that hotel rooms, conference rooms, etc. are under video and audio surveillance at all times. Additionally, shredders that are made available to you can have hidden scanners that deliver the documents you are trying to destroy directly to cybercriminals. Similarly, all voice, data and text carried by local telecommunications companies can be compromised. Access all information via secure tunneling with strong end-to-end encryption vetted by your IT department or a competent consultant.

If you find that this system is not working when in-country, consider that and adversary may have disabled it to force you to use a less secure form of communication. Also consider that internet activity conducted through public terminals or wireless networks may point to real or perceived vulnerabilities that intelligence services or others could leverage to provoke, recruit or embarrass you.

Obviously, all these travel security insights and recommendations are not appropriate for every employee on every trip. But maintaining a high level of awareness and pre-travel preparation always provides added security and peace of mind.

More from Risk Management

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

GenAI: The next frontier in AI security threats

3 min read - Threat actors aren’t attacking generative AI (GenAI) at scale yet, but these AI security threats are coming. That prediction comes from the 2024 X-Force Threat Intelligence Index. Here’s a review of the threat intelligence types underpinning that report.Cyber criminals are shifting focusIncreased chatter in illicit markets and dark web forums is a sign of interest. X-Force hasn’t seen any AI-engineered campaigns yet. However, cyber criminals are actively exploring the topic. In 2023, X-Force found the terms “AI” and “GPT” mentioned…

How will the Merck settlement affect the insurance industry?

3 min read - A major shift in how cyber insurance works started with an attack on the pharmaceutical giant Merck. Or did it start somewhere else?In June 2017, the NotPetya incident hit some 40,000 Merck computers, destroying data and forcing a months-long recovery process. The attack affected thousands of multinational companies, including Mondelēz and Maersk. In total, the malware caused roughly $10 billion in damage.NotPetya malware exploited two Windows vulnerabilities: EternalBlue, a digital skeleton key leaked from the NSA, and Mimikatz, an exploit…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today