Every time an executive at your company enters an airport, mobile security is at a heightened level of risk. Of course, laptops, tablets and smartphones are vulnerable to loss, theft or attack all the time, everywhere. This is a constant challenge and source of worry for IT leaders.
At an airport, however, the normal user controls and legal protections against data searches are temporarily suspended. During security processing, business travelers are required by law to hand control of their devices over to strangers, who may legally search them, copy data or confiscate the devices. In addition, airport Wi-Fi is nearly ubiquitous — and so are hotspots that may falsely claim to be the official provider.
The inconvenient truth about airport risks is that they’re changing every day, and not for the better. Airport, border and customs security increasingly focuses on all things digital. Enterprise policies are generally antiquated, and business travelers remain unprepared for what they might encounter when they cross international borders. This demands a complete rethink about policies and best practices for international travel.
Travel Security Best Practices Evolve With the Threat Landscape
In the past, best practices for keeping company data safe were based in part on the country or region on the itinerary. Different regions were considered either safe or risky, and best practices changed accordingly.
But that assumption is growing incompatible with the realities of border security. Industrial espionage, cybertheft and state-sponsored attacks are becoming bolder and more creative with each passing day. Bad actors are constantly hunting for new entry points into corporate data, and airports are ripe with opportunity. It’s therefore important to look beyond the policies, laws and reputations of various countries where we confront airport security.
Mobile Security Risks for Business Travelers
Airports are risky even beyond the security area. Airport Wi-Fi network spoofing is rife, for example, because thousands of people are trying to log on to the network in a single place. For cybercriminals, this is like shooting fish in a barrel.
Below are some other mobile security risks that business travelers rarely consider.
Loss or Theft of Carry-On Luggage
I once presented in a foreign country with a senior executive from a major Silicon Valley company. He had recently flown on a fully booked flight and found no room for his carry-on bag in the overhead compartment above his seat. A flight attendant said she would store his bag in the front of the plane, but at the end of the flight, the bag was nowhere to be found. The airline had actually lost his carry-on bag! That laptop contained legal details about a major acquisition the company was making.
Theft From Airport Security
Many nations enforce stringent policies and audits around the handling of data examined or downloaded from passenger devices. However, these policies are implemented by people who theoretically could be compromised by criminal actors.
Cybercriminals are increasingly targeting airports, and reports of such attacks seem to be on the rise worldwide. Even if airport security people don’t steal your data and even if your mobile devices aren’t compromised, it’s possible for threat actors to steal the data that’s been copied and stored on servers at the airport.
Stateside Security Struggles
Although it’s tempting to imagine these incidents taking place only at foreign airports, it’s entirely possible for data to be compromised in the U.S. as well. U.S. customs can download all data on a phone or laptop and either keep it or confiscate the devices and return the data months later. They can also demand passwords to company accounts or social networks.
According to U.S. Customs and Border Protection (CBP), the number of phone searches conducted at borders rose from 19,051 in 2016 to 30,200 in 2017. The overwhelming majority of these searches happened to travelers on flights inbound to the U.S.
CPB noted that searches and confiscations are rare and happen to “fewer than one-hundredth of 1 percent of all arriving international travelers.” Still, consider the probability that one of your hundreds or thousands of employees will have his or her data compromised over the course of, say, a decade. The chances that data will be compromised at some airport somewhere at some point in the future is too high to ignore.
Revising Mobile Security Best Practices for Business Travelers
New and unpredictable airport risks call for new mobile security best practices. Some measures that used to be considered extreme should now be implemented for ordinary business travel. Below are eight new best practices enterprise leaders should implement for international business travel.
- Carry clean devices dedicated to travel. Wipe laptops, tablets and phones clean before departure and load only the minimum necessary data.
- Keep sensitive data remote. Leave data behind the company firewall or securely in the cloud, since CBP agents are not allowed to search cloud-stored data. Access company servers or the cloud only with a virtual private network (VPN).
- Airplane mode starts outside the airport. Disable Bluetooth before entering the airport. Make sure any devices to be used at airports connect via the cellular network, rather than public airport Wi-Fi.
- Set up two-factor authentication (2FA) on every resource with sensitive data. Configure it to send a code to a smartphone, then don’t carry the phone. That way, the traveler at the airport can truthfully say that it’s impossible to provide access to his or her device on the spot.
- Encrypt hard drives. Protect that encrypted data with strong passwords.
- Log out of all apps. Before entering the airport, make sure you’ve logged out of every app on your phone and laptop.
- Power down all devices. Most smartphones that are biometrically protected force a passcode entry when booting up. This matters because, while biometrics such as fingerprints and face recognition are not protected, passwords are considered “speech” and therefore are protected by the First Amendment. In other words, you cannot be compelled by law to divulge a password or passcode in the U.S. And, of course, encrypted passwords work only when the system is powered down.
- Tell the truth. When preparing employees and executives to travel internationally, make sure they know that it’s a crime to lie to customs agents or to obstruct their searches. This knowledge actually changes how software and devices should be managed before travel.
Airports have always been risky environments for company data, but the threat possibilities are growing so fast that it’s time to reconsider what we thought we knew about those risks. Most importantly, we must transform our best practices to meet the evolving mobile security challenge.