What travellers need to know about cybersecurity

Cultivating a relationship with the IT department is the best first step for executives concerned about cybersecurity while on the road.

In addition to the usual travel hassles, today's executives on the go have an additional layer of worry: keeping their electronics and information safe. Mobile phones and computers can be stolen or hacked. Searches at airports, and even active surveillance in some countries, can put sensitive data at risk.

Every traveller can take basic precautions — guidelines that most of us have heard before: Don't use public Wi-Fi connections; don't connect to the internet without a virtual private network (VPN); use a password manager; and never reuse passwords. (Read more in the sidebar, "The Basics of Keeping Your Info Safe While Travelling," at the bottom of the page.) But for a finance professional on a business trip, such measures are unlikely to be enough.

Finance executives around the world must come to terms with being targets for cybercriminal activities, said Pavan Duggal, president of Cyberlaws.net and an advocate in the Supreme Court of India, among other international appointments in the field of cybersecurity law.

"Cybercriminals want to know the information that is being handled by finance executives, so they must take good precautions, they must have good anti-virus, a firewall," Duggal said. Computers and smartphones are vulnerable, he added.

"Business executives are not dealing with normal data; they are dealing with monetisable data," he said.

Work with IT before you go

UK-based computer security analyst Graham Cluley usually provides advice on how people should keep themselves secure, but more recently he finds himself pulling back for perspective.

"Is what I am saying really realistic? There's a danger sometimes that we will give advice and that people think it's too over the top, it is too much hassle, and they don't do anything," said Cluley.

So what are some basic steps that are necessary — but not overwhelming?

Speaking to the IT team before going is the best step for a financial executive about to travel, Cluley said. He also recommended keeping that channel open and making sure to report the efficacy of measures taken. That's because IT personnel may not travel for the company themselves and can end up putting systems on devices they've never really tried in the field.

"They don't understand the agony and the pain of trying to reconnect to the office network," Cluley said. "Report back to them when you have difficulties. If software is not working properly, you are taking greater risks to get online."

Cluley also recommended using whole disk encryption, a feature available in modern versions of operating systems that is "seamless", meaning it is operating in the background without the user even realising it. As a user, all that is required to encrypt information on the hard drive is a password, and decryption can happen on the fly, he said.

Still, such measures will not protect against situations in which authorities insist that a traveller hand over passwords. For example, in a widely reported case, Sidd Bikkannavar, a US citizen who worked at NASA's Jet Propulsion Lab, was detained at Houston airport, where border agents demanded access to his NASA-issued phone.

Experts warn that, legally speaking, there is ultimately no real recourse in this situation. Cluley said that a traveller can avoid being forced to hand over sensitive information at the border by taking a disposable prepaid phone or a laptop that has been wiped of all information except what is essential for the business trip.

Other points for travelling executives to discuss with IT teams include end-to-end encryption for communications and secure cloud storage.

"IT security teams need to consider that data is the lifeblood of the organisation," Cluley said. "But that doesn't mean that it has to be a huge pain for the user. A lot of the best security works mostly invisibly."

Keeping clean with cyber hygiene

Kim Milford, executive director at Indiana University's Research and Education Networking Information Sharing & Analysis Center (REN-ISAC), which provides operational security support to more than 500 higher education institutions, recommended keeping checklists and routines to prevent travelling with more data than you need.

"I am not a data hoarder, so my laptop is ready to travel in 20 minutes," she said.

But someone who keeps all their emails or financials for every quarter may have a lot of information on a computer. Back it up elsewhere, with the assistance of the IT department, then delete it from the computer that's going with you, Milford suggested.

Communicating with the IT department is essential, she said, in particular to make sure they are aware of all the files and folders that may have sensitive information. Some may be obvious, but, for example, if you have a to-do list that contains sensitive information, IT won't know to secure it unless you tell them about it.

Executives should use checklists for risks, answering questions such as: Where are your risks? Do you keep sensitive information on a device that you are going to be taking with you? Do you need to have it there?

Milford also recommended a weekly routine, rather than a "right before you travel" routine: identifying what information is on the device being carried, what needs to be protected, whether it is backed up, and whether it can be removed from that device to avoid risk.

"Going through that data and content checklist is going to save you a lot of time before you travel," she said.

'Darkhotel' and more target travelling CFOs

In any company, there has to be clear guidance and training so that executives are aware of the dangers of travelling and connecting around the world, said Daniel Cohen, a director and head of products at RSA Security's Fraud & Risk Intelligence division, part of Dell Technologies.

The challenge is not just about connecting to Wi-Fi; it's in realising that the technological world is expanding and evolving rapidly, he said.

As a case in point, Cohen referenced the "Darkhotel" attack, whose perpetrators have been reported to be active for around a decade. This attack selectively targets senior-ranking executives staying at high-end hotels in Asia and the US.

It can trick a computer into trusting files delivered over the network that are disguised as software updates, and the hackers perpetrate the attack from within the confines of the hotel network, Cohen explained.

"Good luck protecting yourself if it's the hotel room," Cohen said. "Even if you are a trained executive and connecting to the hotel Wi-Fi and are immediately connecting to your VPN, you are communicating with the local network first to get the IP address. In those seconds, malicious actors can already be infecting your computer."

Moreover, Darkhotel is just one type of attack, but hardly an outlier, he said. Rather, it exposes the modus operandi of hackers: "They are out to get executives, they will learn travel patterns and how to infect the computer."

Using the mobile phone's data connection could be one way around this. But again, advanced and persistent attackers, like government-backed hackers, could bypass that, too.

Compromise is an inevitability of the digital age we live in today — we must accept this and spend energies not just on preventing, but also on detecting and defeating, Cohen said.

Where to be wary

China and Russia are generally cited as the two most dangerous countries in terms of cybersecurity threats. But other destinations are making their way up the chain.

Threat intelligence analysts in the US are starting to see an uptick in cybercrime activities originating from Latin America, particularly Brazil and Chile, said REN-ISAC's Milford.

She added that travelling executives can check bulletins from US agencies such as the Federal Bureau of Investigation and State Department for alerts that include cyber and physical threats (see the sidebar, "The Basics of Keeping Your Info Safe While Travelling," for details).

Duggal added that executives should be aware of the data protection laws for the jurisdictions they are travelling through. He noted that on 1 January 2018, China adopted a cybersecurity framework that he described as being focused on national security.

"China wants to give a message that it is having cybersecurity as a topmost priority in its national list of priorities," Duggal said.

Even if you are a foreign company, so long as your operations are in China, you will be required to comply with requirements of this national cybersecurity law, Duggal explained.

"You should be relatively aware of the fact that if you are travelling to China for work and any of your actions on your device, whether it's a handheld mobile device or computer, is in violation of the change in cybersecurity law, and if the violation is so detected, you could face potential prosecution," he said.

Duggal also pointed out that countries without strong cyber law frameworks are potentially subject to far more cybercrime activity, and named Europe, the US, and India as having strong legal frameworks.

On the other hand, developed countries in Latin America lack basic strong protections, as do a number of countries in Africa: "Work has not gone in the direction of having comprehensive data protection and data privacy legislation in place," he said.

RSA's Cohen said that any country could be a danger: "If an attacker group wants to get into your organisation, they are going to study your activities and learn where you travel."

"It's humans that develop technology and humans make mistakes, and this is leveraged by malicious actors to infect your computer and get into your digital life," he added.

Anna Reitman is a freelance journalist based in Israel. To comment on this article or to suggest an idea for another article, contact Chris Baysden, a senior manager for FM magazine, at Chris.Baysden@aicpa-cima.com.


The basics of keeping your info safe while travelling

A number of resources are available for individuals, with one of the most referenced publications being “The Motherboard Guide to Not Getting Hacked”. It’s regularly updated with suggestions of trustworthy applications for communications and navigating on the internet.

US Federal Bureau of Investigation (FBI) bulletins about cyber- and travel-related risk are available through the InfraGard program, which is available to individuals who sign up and submit to a background check.

The FBI’s email updates are nonclassified and accessible. The FBI also has a general “Business Travel Brochure” that’s worth looking up.

Meanwhile, the US State Department’s travel advisories are available to the public.

Most countries have a national CERT (computer emergency response team) that can provide information on vulnerabilities and responses.

Members of the American Institute of CPAs’ Information Management and Technology Assurance (IMTA) Executive Committee; Steve Ursillo, CPA/CITP, CGMA; and Vincent Accardi, CPA, have some added tips for travellers:

  • Be wary of links solicited through text messages: They can be travel alerts, scare tactics, or other urgent notifications that trick a user into installing mobile malware or spyware.
  • Use device encryption and access control.
  • Use mobile device management (MDM), a type of security software used by an IT department to monitor, manage, and secure employees’ mobile devices that are deployed across multiple mobile service providers and mobile operating systems.
  • Do not use untrusted phone chargers; they can be used to steal data.
  • Use privacy screen protectors (even on phones and tablets).
  • Stay off public Wi-Fi and use your own private hotspot.
  • Disable all wireless services until you are actually using them.
  • Do not openly display company logos or other identifiers while travelling.