How to Maintain Digital Security While Traveling for Work
March 14, 2017
Travel has become common in the modern workplace: whether for a conference or an office expansion, many employees find themselves traveling to a number of different countries. We are also seeing an increase in bring-your-own-device (BYOD) work environments, so employees are using their personal devices to stay connected to the office when traveling. Businesses must be aware of any potential security risks posed by an employee’s travel plans, particularly with regard to maintaining the security of endpoint devices. It’s up to the employer to take on the responsibility of educating their employees on how to ensure proper digital security.
Many users are unaware that when mobile electronic devices are taken abroad, they are subject to local laws. Border agents at all international borders can legally inspect the contents of the devices and even seize them indefinitely. Recently, border inspections have become even more rigorous in many countries.
Although courts have yet to officially rule on whether US and Canada border agents can force travelers to surrender device passcodes, the consequences for not complying could range from seizure of the device to being arrested and detained. In most cases, the pressure to comply is overwhelming.
Enterprises requiring their employees to travel should prioritize the development and communication of a policy around what to do if traveling with a company-owned device, or one with company-owned data stored on it.
We recommend that the policy cover the following points:
- Should a device containing company data be carried or shipped across a border at all?
- What is the protocol employees should follow to protect data at borders and in foreign jurisdictions?
- If requested by a border agent, should employees surrender the device passcodes?
- Who should be informed if a border agent accesses or seizes the device?
- What are the legal protections available for employees if detained (e.g. having a retainer for legal support)?
As a general rule of thumb, we do not recommend traveling across borders with any devices that may hold confidential company data whose exposure can harm the business. This is especially critical if employees will be traveling to countries where:
- There is strong industrial and/or nation-state competition
- The country is not on friendly terms with your home country
- There is significant civil unrest, political discord, crime and/or violence
However, if employees must carry a device with confidential data, we recommend taking the following measures to keep the company’s data secure:
- If possible, purchase devices specifically for travel, such as a prepaid “burner” phone, or use temporary devices such as a freshly built laptop.
- Back up any information from your device before the trip.
- Cover internal cameras and wipe the devices clean before travel for added protection.
- Carry a physical card with contact information of the corporate counsel, your immediate supervisor, and any other numbers you may need.
- Encrypt your devices and use strong passwords. While this may not be effective if border agents ask you to unlock your device for inspection, it may protect you from future surveillance.
- Minimize the confidential data contained on the device.
- Assume that anything you do on the device, particularly over the Internet, will be intercepted. In some cases, encrypted data may even be decrypted.
- Never use shared public computers or use public Wi-Fi to conduct confidential business. If this is unavoidable, use an encrypted tunnel if possible, although this may be illegal in some jurisdictions. Check local laws before travel.
- As much as is practical, keep the device(s) with you at all times during your travel. Do not assume they will be safe in your hotel room or in the hotel’s safe.
- If you manage very confidential or important information, consider restoring the device to factory settings upon your return home – clear the memory and storage and reinstall the operating system.
- Change any passwords that you have used or that are stored on your device.
If your organization requires more information relating to the security risks of employee travel, please feel free to contact one of our security specialists.
About Herjavec Group
Dynamic IT entrepreneur Robert Herjavec founded Herjavec Group in 2003 to provide cybersecurity products and services to enterprise organizations. Herjavec Group delivers SOC 2 Type 2 certified managed security services supported by state-of-the-art, PCI compliant, Security Operations Centers, operated 24/7/365 by certified security professionals. This expertise is coupled with leadership positions across a wide range of functions including consulting, professional services & incident response. Herjavec Group has offices globally including across Canada, the United States, and the United Kingdom. For more information, visit www.herjavecgroup.com.