One of the great myths of executive travel is the benefit of racking up hospitality rewards for grand vacations in Fiji or the Swiss Alps. In reality, trips are frequent, exhausting and sometimes bound for undesirable destinations that present a slew of security issues.

Travel Security Challenges and Best Practices

While you may not have much say in when and where you travel, understanding your trip’s goals can help determine the best business security practices. A quick, one-day trip to meet a business partner might mean you can leave your computer at home, for example. A month-long globe trot to multiple satellite offices, client meetings and a little R&R would require a more rigorous approach to securing all of your devices.

It is equally important to know the purpose of your trip, the systems and access you will require while traveling, the sensitivity of information you will be handling and the available security resources. These points will determine what travel security precautions you should take before you even pull out your suitcase.

Bring a Bat Phone

Ideally, you would never take your own phone on a trip. Instead, take a burner phone that contains no personal data. Cybercriminals can use information you may not consider sensitive to facilitate attacks or steal your identity. They can use your contact list, phone call history, texts, personal email and calendar to target other members of your organization or compromise even more sensitive data.

Do not leave any IT device, including mobile phones, unattended. Hotel safes offer little protection from determined attackers, corrupt hotel employees or the host government. If you must leave your things unattended for social or cultural reasons, assign a trusted member of your party to watch all computer and communications gear. If possible, leave them secured at the local embassy or consulate.

Consider disabling your computer’s USB ports as well. You should also use a video camera cover, a laptop screen privacy cover and microphone jack disabler.

Software Security

Be sure to complete virus definition and patch update activities before your departure. Always assume your devices will be compromised upon arrival. In addition to local intelligence services, you may be targeted by agencies from other nations, criminal organizations and commercial competitors.

To avoid a compromise, review and harden the software build of all your equipment prior to your trip. This may include disabling unnecessary features such as the microphone, camera and Bluetooth capabilities.

You should expect any online services you use to be compromised the moment you arrive, but there are steps you can take to protect yourself. Have an assistant forward email to a temporary account that you will delete once you return home, for example. Forwarded emails or excerpts should never contain sensitive information.

Additionally, never update software while connected to an untrusted access point. Disable Java and all noncritical plugins and only allow JavaScript on trusted sites. Don’t click on ads or pop-ups or open email attachments from untrusted senders.

Handling Classified Information

Deleting or moving sensitive information prior to travel is not always sufficient. Take a separate device when traveling to countries of concern so you can minimize the sensitive files — including email history — on your devices. Accept no media or files from untrusted parties, including your host. You can view files on your host’s devices when required.

Bring your PowerPoint or other documents to be shared with hosts on a USB drive, then securely dispose of the device when it’s no longer needed. Do not download files to a device in-country. Most importantly, be sure to promptly and securely delete files once they are no longer needed. Never plug anything into your computer that has been in contact with untrusted systems or media. Upon return, dispose of devices used in countries of concern, or at least have them forensically wiped and rebuilt.

Use strong encryption — including full-disk encryption — on all devices that will accept it to protect data at rest. However, you must recognize that these systems can be defeated. When a device passes through customs, for example, it is subject to inspection and may need to be powered up. If so, use trusted platform module (TPM)-based disk encryption and minimum Federal Information Processing Standard (FIPS) 140-2 level 3 devices or the highest level available.

It’s easier to follow these best practices if noncritical features and ports are disabled because it eliminates the social awkwardness of a perceived lack of trust. This awkwardness can be used as a social engineering attack vector.

Destination Unknown

Have devices transported to the local embassy of your destination in a diplomatic pouch, if possible. If your party can travel with an accredited diplomat, he or she can use diplomatic immunity to protect the entire party’s devices from inspection. If you cannot travel with an accredited diplomat, try to have one meet you at the airport ahead of customs.

Assume that hotel rooms, conference rooms, etc. are under video and audio surveillance at all times. Additionally, shredders that are made available to you can have hidden scanners that deliver the documents you are trying to destroy directly to cybercriminals. Similarly, all voice, data and text carried by local telecommunications companies can be compromised. Access all information via secure tunneling with strong end-to-end encryption vetted by your IT department or a competent consultant.

If you find that this system is not working when in-country, consider that and adversary may have disabled it to force you to use a less secure form of communication. Also consider that internet activity conducted through public terminals or wireless networks may point to real or perceived vulnerabilities that intelligence services or others could leverage to provoke, recruit or embarrass you.

Obviously, all these travel security insights and recommendations are not appropriate for every employee on every trip. But maintaining a high level of awareness and pre-travel preparation always provides added security and peace of mind.

More from Data Protection

Cybersecurity 101: What is Attack Surface Management?

There were over 4,100 publicly disclosed data breaches in 2022, exposing about 22 billion records. Criminals can use stolen data for identity theft, financial fraud or to launch ransomware attacks. While these threats loom large on the horizon, attack surface management (ASM) seeks to combat them.ASM is a cybersecurity approach that continuously monitors an organization’s IT infrastructure to identify and remediate potential points of attack. Here’s how it can give your organization an edge.Understanding Attack Surface ManagementHere are some key…

Six Ways to Secure Your Organization on a Smaller Budget

My LinkedIn feed has been filled with connections announcing they have been laid off and are looking for work. While it seems that no industry has been spared from uncertainty, my feed suggests tech has been hit the hardest. Headlines confirm my anecdotal experience. Many companies must now protect their systems from more sophisticated threats with fewer resources — both human and technical. Cobalt’s 2022 The State of Pentesting Report found that 90% of short-staffed teams are struggling to monitor for…

The Importance of Modern-Day Data Security Platforms

Data is the backbone of businesses and companies everywhere. Data can range from intellectual property to critical business plans to personal health information or even money itself. At the end of the day, businesses are looking to grow revenue, innovate, and operationalize but to do that, they must ensure that they leverage their data first because of how important and valuable it is to their organization. No matter the industry, the need to protect sensitive and personal data should be…

Meeting Today’s Complex Data Privacy Challenges

Pop quiz: Who is responsible for compliance and data privacy in an organization? Is it a) the security department, b) the IT department, c) the legal department, d) the compliance group or e) all of the above? If you answered "all of the above," you are well-versed in the complex world of compliance and data privacy! While compliance is a complex topic, the patchwork of regulations imposed by countries, regions, states and industries further compounds it. This complexity has turned…