Resources

Business Trip Security: What are the Risks for Traveling Employees?

business-trip-security

The following is a guest post by Alex Mitchell, a cybersecurity enthusiast, WordPress guru, and data-safety tools tester with over 10 years experience.

Everybody knows the phrase, ‘Big Brother is watching.’

What often goes unsaid, though, is that Big Brother can be anyone, including the amateur hacker who happens to be staying at the same hotel as you.

That amateur hacker can’t watch if he can’t see. He knows this, of course, and he has ways of tricking you into letting him see.

Not only this, but all hackers know that a traveling employee most likely has access to sensitive company information on their laptop. These individuals make the best targets because there is more to gain from them.

In this Process Street article, we’ll take a look at risks such as these (and more) that are faced by traveling employees and how to remedy them. In particular, we’ll cover:

  • Defense against hackers
  • Safety while using public hotspots
  • Password security
  • Data protection during border checks

Let’s get into it

Public WiFi is everyone’s WiFi

Another useful phrase to remember with regard to cybersecurity is, ‘if it seems too good to be true, it probably is.’

This may not seem like it applies to public WiFi because of how prevalent it is in today’s society.

However, when you consider how much your internet service provider (ISP) charges you for internet access—especially if you’re a business owner paying to cover an entire office—then you may begin to wonder where the catch is.

Basically, the catch is that public WiFi is not secure in the slightest, and everyone using it can easily access the data traffic sent and received by every other person using it.

In 2016, USA Today journalist Steven Petrow learned this the hard way. By his account, he was working on an article on a flight, during which he was connected to the airline company’s in-flight WiFi.

At the arrivals gate, a fellow passenger approached him and relayed the entire premise of his article, as well as verbatim recounts of emails he had sent and received.

business-trip-security-wifi
Source

Not only had this hacker gained access to Petrow’s private information, but he also boasted that he did the same for every other passenger on board.

The outcome was little more than embarrassment for Petrow, who makes a living writing about technology, and was presently writing an article about data security in telecommunications.

Were Petrow’s personal information more sensitive than it was, and were the hacker less seemingly good-natured (if arrogant), then the results could have been disastrous.

In the article, Petrow recounts advice given to him by Gogo vice president Steve Nolan: traveling employees should arm themselves with a virtual private network (VPN).

This is great advice. A VPN redirects your connection to a remote server, and a good VPN (such as ExpressVPN) secures that channel with impenetrable encryption. In other words: it’s borderline impossible to hack someone’s private data when they’re using a VPN.

If you want to check out a selection of VPNs then you can look at VPN Watch which finds, tests, and reviews different VPNs so that you’re able to make a more informed decision as to what’s going to work for your needs.

Hackers love cookies

Steven Petrow was only using Google Docs when he was hacked, and yet the hacker managed to sneak a peek at his private emails. How did he do this?

Basically, although Petrow wasn’t accessing his email, he was logged in to his email account. All of your browser activity is stored on cookies, so when you log into something, that gets stored on a cookie too.

When you connect to public WiFi, your device communicates with other devices connected to the same hotspot. They send each other ‘packets,’ which involves passing around cookies, thus making them easier to intercept.

Once a hacker gains access to those packets, they gain access to the cookies. They can then access your accounts without knowing your username or password because the cookie they’ve hijacked says you’re already logged in.

To prove a point, Ars Technica national security editor Sean Gallagher surveyed a (willing) NPR reporter, NSA-style, and observed their internet traffic.

One of the most disturbing revelations was that his target’s online footprint was accessible without them even touching their phone: mobile users who forget to close apps and leave them running in the background are basically sending unencrypted data traffic 24/7.

According to Adam Pash, director of engineering at Postlight, this is the easiest way for someone to steal your whole identity. All it takes is the right cookie, and the wrong employee and a hacker could have all sorts of access to your company’s information.

Similarly, multimedia designer and travel security expert Julie McKellar notes that the simplest way to prevent this from happening in the first place is for employees to log out of every single one of their accounts before embarking on a trip.

(Of course, mobile users should also remember to close all of their open apps when they’ve finished with them!)

Both experts also highly recommend getting a VPN. Many VPN providers (such as VyprVPN) offer business packages that are expressly designed for traveling employees, so it’s always worth reading a few reviews to ensure you’re getting the best possible option.

Your browser doesn’t care about password security

Hackers have countless methods of obtaining your passwords. If you use Google Chrome, however, you’ve already done the lion’s share of the work for them.

Back in 2013, software designer Elliott Kember discovered an inherent security flaw in Chrome’s password management, namely that it had no security measures in place whatsoever.

Essentially, Chrome stores all of your saved passwords in plaintext, meaning that anyone who has access to your cache is able to discover every password you’ve saved in seconds.

Google brushed off Kember’s complaints, even after a co-sign from Sir Tim Berners-Lee, director of the World Wide Web Consortium. Sadly, this ridiculously simple method of accessing passwords in plaintext remains unaltered as of March 2019.

Now, the easiest way of accessing this data is physically; if your laptop or phone has been stolen, you suddenly have a whole bunch of passwords to change, immediately.

business-trip-security-lock
Source

As we’ve already discussed, however, hackers usually aren’t thieves in the physical sense. They’re experts in exposing security flaws and finding backdoors into your personal information—usually through public WiFi.

According to Mike Wheatley, senior writer at siliconANGLE, this problem also exists on a host of other major browsers including Firefox and Opera. Google Chrome is of particular concern, though, seeing as two-thirds of netizens regularly use this browser.

The simplest solution would be to avoid saving passwords, ever. You could also get a password manager, such as 1Password or LastPass.

(Of course, using a VPN with 256-bit encryption and strong privacy policy, such as NordVPN is still a necessity here, even if your password manager provides an ‘encrypted vault’.)

Your passwords are probably also terrible

How many different passwords do you use?

This doesn’t include formula variations; these are easy to hack, according to researchers at Dashlane who analyzed over 61 million passwords leaked through data breaches.

Data security expert and Lifehacker staff writer Nick Douglas also points out that once hackers have your information, they will tend to assume, often correctly, that you’ve reused that password a number of times for different accounts.

Of course, sometimes it isn’t your fault that a hacker has gained access to your password. Data breaches occur almost every week, and most of the information being breached includes unencrypted password–username combinations.

Nevertheless, if you’ve reused the same password from any of these 284 compromised websites, your personal information—and potentially your company’s information—is in serious danger.

Similarly, anyone who manages to access your information through shared WiFi is able to get a sample of which passwords you use and reuse.

Once again, password managers are a simple solution here, and a VPN is great protection on top of that, especially one with strong security and privacy measures (like NordVPN, which we mentioned earlier).

You can’t always say what you please

Different countries have different laws. That’s a given, but sometimes those laws pertain to freedom of expression.

Depending on the expression, a traveling employee may quickly find themselves in hot water. Visiting a country and insulting their dictator, as Martha O’Donovan did, could even land you in prison.

O’Donovan is a ‘media activist’ from New York who was visiting Zimbabwe on business (she was working with Magamba TV, a local social media outlet) when she called President Robert Mugabe a “sick man” in a tweet.

business-trip-security-martha
Source

She was freed from jail after a couple of months, but only because Mugabe had ceased to be president and state prosecutors failed to build a case against her.

Not everyone is so lucky. In December 2018, the Committee to Protect Journalists reported that over 250 journalists were arrested globally throughout the year.

Most of these arrests have been made in notoriously repressive countries such as China, Egypt, Saudi Arabia, and Eritrea, alongside nations experiencing political turmoil such as Turkey.

However, these are far from the only instances where such aggression takes place, and it is not simply journalists who are targeted in such a way. According to Freedom House, a Bahraini man was sentenced to six years in prison for retweeting criticism of the nation’s king.

Of course, a VPN is a great way of remaining anonymous online, but even then, it is essential to exercise caution; using a VPN is illegal in many countries around the world.

Aimee O’Driscoll for comparitech has compiled a list of these countries, and the places in which it is illegal include:

  • Belarus
  • China
  • Iran
  • Iraq
  • North Korea
  • Oman
  • Russia
  • Turkey
  • Turkmenistan
  • United Arab Emirates

The best solution for traveling to those countries, then, would be to use a VPN provider that supports SSTP (such as ExpressVPN). This allows your VPN to disguise your connection as regular traffic so surveillance bodies cannot see that you are using a VPN.

Stay safe at the border

Cyber attacks are on the rise, and many countries around the world are working hard to prevent them from happening.

Unfortunately, their methods do not always have your human rights in mind, let alone your data privacy. Border agents around the world now have free reign to rifle through your devices in whichever way they please.

In 2017, for instance, US-born NASA agent Sidd Bikkannavar was detained at customs and forced into unlocking his phone. If NASA agents can’t even cross borders without having their company’s sensitive information exposed, no other traveling employee should expect to, either.

Even more worryingly, ACLU attorney Nathan Wessler claims he has heard rumors of people being ordered to hand over their passwords at the border.

business-trip-security-border
Source

Border checks can thus be a traveling employee’s worst nightmare, especially if the information on their devices is particularly sensitive as in Bikkannavar’s case.

Julia McKellar’s advice of logging out of every online account, which we noted earlier, is particularly useful here; even if you choose not to surrender your password at customs, there is no stopping border agents accessing accounts you’ve already logged in to.

Wessler also notes that in the US at least, ‘American citizens can’t be deported for refusing to give up an encryption or social media password.’

As such, encrypting your hard drive is a particularly good idea, especially through the use of a tool such as BitLocker.

Russell Brandom, the policy editor at The Verge, suggests wiping any sensitive information from your devices, storing said information on an external hard drive, and leaving the hard drive at home.

Either way, you should be mindful that handing over your password to border agents, as opposed to unlocking your device yourself, allows them to decrypt your hard drive and retrieve recently deleted information.

As such, you need to ensure your digital footprint is as clean as can be. Bringing a burner phone with minimal content ensures that you have as little information to turn over as possible.

Using a VPN can help, too. Providers that offer a strong no-logs policy that has been verified through an independent audit (Ivacy is a good one), especially for general usage outside of travel, can ensure your digital footprint is clear before you’ve even begun to plan your trip.

Conclusion

As you can see, the global online environment has the potential to be a dangerous place where half of the people want to steal your information and the other half don’t care about keeping it secure.

As you can also see, however, there are plenty of ways of keeping yourself safe. Some of it involves common sense, but for the parts that don’t, there are many experts eager to help traveling employees keep their data—and their company’s data—safe and secure.

Especially if you’re using a VPN, traveling abroad can be a completely stress-free experience. So long as you bear in mind to read some reviews and carefully select the right VPN provider for your needs, you’ll never have to worry about traveling on business ever again.

What steps do you take to protect your data when traveling? Do you have any recommendations for fellow travelers when it comes to data security? Let us know in the comments below, we’d love to hear your thoughts!

Get our posts & product updates earlier by simply subscribing

Alex Gallia

Alex is a content writer at Process Street who enjoys traveling, reading, meditating, and is almost always listening to jazz or techno. You can find him on LinkedIn here

Leave a Reply

Your email address will not be published. Required fields are marked *

Take control of your workflows today