How to keep your data secure while traveling
Thinking of bringing your corporate laptop abroad? Think twice.
Are data thieves the new pickpockets? Travelers have long been advised to zip their cash into money-belts, lock up their suitcases, and watch out for purse snatchers. Meanwhile, they don't always follow that same advice when it comes to protecting their data, choosing insecure passwords for email accounts, leaving laptops unprotected, and downloading unknown attachments from unfamiliar emails.
Business travelers, especially, are in the cross-hairs. Just think of all the new opportunities would-be thieves have: Meetings once held in person are now streamed via Skype, vital account information is just a password away, and documents can be accessed around the world thanks to a free Google or Dropbox account. All of that comes with an element of risk.
Luckily, just by reading this you've taken a step in the right direction — 91 percent of Americans surveyed by Pew in 2014 said they hadn't taken any precautions to keep their information safer online, despite being concerned about privacy.
So here's a quick primer on a few steps you can take to safeguard your data while traveling. Remember these are just basic principles and that you should do further research and seek assistance when implementing any of these steps.
Don't think it won't happen to you: You don't have to be a top-level executive or have access to proprietary information to be vulnerable. Whether you are on the road or at your desk, be vigilant for threats, including so-called "phishing" attacks, in which an innocuous-seeming email triggers a virus or other code that allows hackers access to your organization's system. It's a tactic that's been blamed for several major corporate breaches, including 2014's hack of retailer Target, in which more than 100 million customers had their data stolen.
Make a plan: More than fancy software or uncrackable encryption, it's planning that often makes the difference between keeping data safe and scrambling to stop a loss.
One of the most effective ways to plan for any trip is to try out the idea of "threat modeling," in which you determine who might want your data, how they might get it, what they would do if they got it, and how to prevent that from happening. Depending on where your travels take you, this could be an important part of your pre-trip planning.
For example, if you're visiting a country where you know corporate espionage is common, think about the ways a rival firm could access your system. Would they try a phishing attack? Slip malware into your system? Bribe a colleague for information? Or would they simply hire someone to steal your laptop as you work at a coffee shop? The answers aren't always high-tech mayhem; sometimes it's the lowest-tech approach that ultimately is the most effective.
During planning stages, it's important not to forget the resources in your own office. Unsure of what to expect when going somewhere new? Ask your colleagues who have traveled recently about their experiences and what, if any, precautions they used while in the region.
You might also try a few reputable online guides. Though many are geared towards journalists or other professions that work with sensitive information, they are usually written for entry-level users and won't be too jargon-laden to understand. Two of the best are the Committee to Protect Journalists' Technology Security Guide and data journalist Jonathan Stray's two-part series on digital safety, both of which go into detail about developing a plan to keep your data safe while traveling, safely accessing the internet in unfamiliar places, and developing a security routine. (Full disclosure: I worked as a researcher at the Committee to Protect Journalists and help lead safety trainings for journalists today.)
Once you've had a chance to develop a model, you can start to plan countermeasures in conversation with your colleagues. Sometimes the solution may involve steps like encryption or other software, but more often it will involve clear communication within your team, a certain level of vigilance, and a step-by-step plan for protecting your data that's simple enough to actually execute.
Get some gear and learn some skills: Unfortunately, many of the tools designed to help keep your communications and browsing comprehensively secure online are not "out of the box" solutions. But whether they are appropriate for your travels at all is really determined by your level of risk.
Think about the digital devices you need on a trip — is the company laptop filled with proprietary documents really one of them? If not, consider swapping out your standard equipment for travel-only devices that you won't use when you return home. While it may not be the most cost-effective way to travel, it's one way to avoid bringing unnecessary information into an insecure setting. Some business executives on trips to countries like China will only bring blank laptops and "burner" cellphones.
And if you give yourself sufficient time and assistance, tools like anonymous browsing systems and encrypted email can be your allies here, too. Though they have a learning curve and aren't appropriate in every country, understanding the basics of systems like virtual private networks (or even the robust anonymous browsing system Tor) and encrypted email options like PGP will put you a league apart from fellow travelers. The big caveat here is the difficulty of properly using these systems — don't rely on them during your travels until you've learned from an expert.
But for the majority of business travelers, an awareness of basic risks and a familiarity with a few tools and behaviors is a good place to start. Read over this list of easy-to-implement steps by digital security researcher John Scott-Railton, who covers the basics, including encrypting a computer's hard drive, enabling two-factor authentication on important accounts, and choosing a tough-to-crack password.
But remember: The primary goal of studying these guides and developing these plans isn't to learn complicated tools but rather to develop a mindset in which security is something you actively consider rather than take for granted. No amount of sophisticated software or spy-movie tradecraft is going to keep your data safe unless you understand the risks and stay vigilant.