Every time an executive at your company enters an airport, mobile security is at a heightened level of risk. Of course, laptops, tablets and smartphones are vulnerable to loss, theft or attack all the time, everywhere. This is a constant challenge and source of worry for IT leaders.

At an airport, however, the normal user controls and legal protections against data searches are temporarily suspended. During security processing, business travelers are required by law to hand control of their devices over to strangers, who may legally search them, copy data or confiscate the devices. In addition, airport Wi-Fi is nearly ubiquitous — and so are hotspots that may falsely claim to be the official provider.

The inconvenient truth about airport risks is that they’re changing every day, and not for the better. Airport, border and customs security increasingly focuses on all things digital. Enterprise policies are generally antiquated, and business travelers remain unprepared for what they might encounter when they cross international borders. This demands a complete rethink about policies and best practices for international travel.

Travel Security Best Practices Evolve With the Threat Landscape

In the past, best practices for keeping company data safe were based in part on the country or region on the itinerary. Different regions were considered either safe or risky, and best practices changed accordingly.

But that assumption is growing incompatible with the realities of border security. Industrial espionage, cybertheft and state-sponsored attacks are becoming bolder and more creative with each passing day. Bad actors are constantly hunting for new entry points into corporate data, and airports are ripe with opportunity. It’s therefore important to look beyond the policies, laws and reputations of various countries where we confront airport security.

Mobile Security Risks for Business Travelers

Airports are risky even beyond the security area. Airport Wi-Fi network spoofing is rife, for example, because thousands of people are trying to log on to the network in a single place. For cybercriminals, this is like shooting fish in a barrel.

Below are some other mobile security risks that business travelers rarely consider.

Loss or Theft of Carry-On Luggage

I once presented in a foreign country with a senior executive from a major Silicon Valley company. He had recently flown on a fully booked flight and found no room for his carry-on bag in the overhead compartment above his seat. A flight attendant said she would store his bag in the front of the plane, but at the end of the flight, the bag was nowhere to be found. The airline had actually lost his carry-on bag! That laptop contained legal details about a major acquisition the company was making.

Theft From Airport Security

Many nations enforce stringent policies and audits around the handling of data examined or downloaded from passenger devices. However, these policies are implemented by people who theoretically could be compromised by criminal actors.


Cybercriminals are increasingly targeting airports, and reports of such attacks seem to be on the rise worldwide. Even if airport security people don’t steal your data and even if your mobile devices aren’t compromised, it’s possible for threat actors to steal the data that’s been copied and stored on servers at the airport.

Stateside Security Struggles

Although it’s tempting to imagine these incidents taking place only at foreign airports, it’s entirely possible for data to be compromised in the U.S. as well. U.S. customs can download all data on a phone or laptop and either keep it or confiscate the devices and return the data months later. They can also demand passwords to company accounts or social networks.

According to U.S. Customs and Border Protection (CBP), the number of phone searches conducted at borders rose from 19,051 in 2016 to 30,200 in 2017. The overwhelming majority of these searches happened to travelers on flights inbound to the U.S.

CPB noted that searches and confiscations are rare and happen to “fewer than one-hundredth of 1 percent of all arriving international travelers.” Still, consider the probability that one of your hundreds or thousands of employees will have his or her data compromised over the course of, say, a decade. The chances that data will be compromised at some airport somewhere at some point in the future is too high to ignore.

Revising Mobile Security Best Practices for Business Travelers

New and unpredictable airport risks call for new mobile security best practices. Some measures that used to be considered extreme should now be implemented for ordinary business travel. Below are eight new best practices enterprise leaders should implement for international business travel.

  1. Carry clean devices dedicated to travel. Wipe laptops, tablets and phones clean before departure and load only the minimum necessary data.
  2. Keep sensitive data remote. Leave data behind the company firewall or securely in the cloud, since CBP agents are not allowed to search cloud-stored data. Access company servers or the cloud only with a virtual private network (VPN).
  3. Airplane mode starts outside the airport. Disable Bluetooth before entering the airport. Make sure any devices to be used at airports connect via the cellular network, rather than public airport Wi-Fi.
  4. Set up two-factor authentication (2FA) on every resource with sensitive data. Configure it to send a code to a smartphone, then don’t carry the phone. That way, the traveler at the airport can truthfully say that it’s impossible to provide access to his or her device on the spot.
  5. Encrypt hard drives. Protect that encrypted data with strong passwords.
  6. Log out of all apps. Before entering the airport, make sure you’ve logged out of every app on your phone and laptop.
  7. Power down all devices. Most smartphones that are biometrically protected force a passcode entry when booting up. This matters because, while biometrics such as fingerprints and face recognition are not protected, passwords are considered “speech” and therefore are protected by the First Amendment. In other words, you cannot be compelled by law to divulge a password or passcode in the U.S. And, of course, encrypted passwords work only when the system is powered down.
  8. Tell the truth. When preparing employees and executives to travel internationally, make sure they know that it’s a crime to lie to customs agents or to obstruct their searches. This knowledge actually changes how software and devices should be managed before travel.

Airports have always been risky environments for company data, but the threat possibilities are growing so fast that it’s time to reconsider what we thought we knew about those risks. Most importantly, we must transform our best practices to meet the evolving mobile security challenge.

Download the white paper: 11 Best Practices for Mobile Device Management (MDM)

More from Data Protection

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read

IBM Security Guardium Ranked as a Leader in the Data Security Platforms Market

3 min read - KuppingerCole named IBM Security Guardium as an overall leader in their Leadership Compass on Data Security Platforms. IBM was ranked as a leader in all three major categories: Product, Innovation, and Market. With this in mind, let’s examine how KuppingerCole measures today’s solutions and why it’s important for you to have a data security platform that you trust. The Transformation of the Data Security Industry As digital transformation continues to expand, the impact it has had on enterprises is very apparent when…

3 min read

SaaS vs. On-Prem Data Security: Which is Right for You?

2 min read - As businesses increasingly rely on digital data storage and communication, the need for effective data security solutions has become apparent. These solutions can help prevent unauthorized access to sensitive data, detect and respond to security threats and ensure compliance with relevant regulations and standards. However, not all data security solutions are created equal. Are you choosing the right solution for your organization? That answer depends on various factors, such as your industry, size and specific security needs. SaaS vs. On-Premises…

2 min read

Understanding the Backdoor Debate in Cybersecurity

3 min read - The debate over whether backdoor encryption should be implemented to aid law enforcement has been contentious for years. On one side of the fence, the proponents of backdoors argue that they could provide valuable intelligence and help law enforcement investigate criminals or prevent terrorist attacks. On the other side, opponents contend they would weaken overall security and create opportunities for malicious actors to exploit. So which side of the argument is correct? As with most debates, the answer isn't so…

3 min read