Employees face a unique set of cybersecurity risks when they travel. They may find themselves in an unfamiliar place without the support of the company's infrastructure—all while trying to keep up with work obligations and home life. Business travelers are susceptible to having a laptop or other device stolen, getting hacked by thieves searching for sensitive information, or even potentially being attacked by state-sponsored or nonstate-sponsored actors with malicious intentions. That’s why it’s increasingly important for HR, IT, and other departments to join forces to help business travelers better protect sensitive company data when they hit the road.
14 Tips for Better Cybersecurity for Traveling Employees
Company travel policies aren’t just about employee safety. They’re also about setting up guardrails to help the employee protect sensitive company information from a data breach—whether the breach is the result of a malicious attack or simply an employee error.
Neglecting this risk can be costly: a single data breach costs an average of $3.92 million.
Consider these best practices designed to reduce the exposure of sensitive company data and defend against opportunistic hackers while employees are on the road, in a home office, or anywhere they may be unintentionally putting company data at risk.
- Set policies regarding the use of public Wi-Fi - Before employees connect to public Wi-Fi in an airport or hotel, it’s best to confirm both the network name and precise login procedures with the appropriate staff to ensure they connect to the correct network. Employees should be encouraged not to conduct any sensitive activities, such as banking, confidential work-related projects, or even their personal online shopping, on a public wireless network. Many devices automatically seek and connect to available Wi-Fi networks. To avoid this, encourage employees to consider disabling auto connect and Bluetooth features, so they connect only when the employee chooses.
- Encourage and enforce VPN use - One of the more effective ways that businesses can reduce the risk of cyberattacks is to use a Virtual Private Network (VPN) to remotely access company data. The trick is encouraging employees to use it. One survey of US employees ages 18 to 65+ who traveled with corporate devices found that only 17 percent of respondents reported consistently using a VPN outside the office. Reminding employees that VPN use can help protect their personal information as well may give them more incentive to connect to it every time.
- Teach physical security for digital valuables - Travelers often let their guard down once they arrive at their destination, but it’s important to remember that thieves who target travelers know the best times to attack, such as during meals when travelers may leave laptops unattended in their hotel rooms. Employees should be especially wary of conferences and trade shows, as these venues offer thieves both a wider selection of devices that potentially contain sensitive information, as well as more opportunities to access unattended guest rooms during published conference session times. Encourage employees to lock devices in the hotel safe when they leave the room, and teach them the proper protocol if they believe their device may have been compromised.
- Practice situational awareness - Business travelers may need to be reminded frequently that when they are on the road, they are the first line of defense when it comes to data privacy and security. Consider covering situational awareness during employee cybersecurity training, such as positioning themselves while they are working remotely in a way that limits what other people or devices can see or record. This includes considering what a thief could see on documents or devices from multiple vantage points, such as from balconies or upper levels, a zoom lens, or security cameras.
- Encourage employees to pack “data” light - Encourage employees to leave unnecessary electronic equipment at home while traveling. Business travelers often pack light in terms of their personal belongings, but they should also try to pack light in terms of personal and company data. This could help reduce data loss if a device is lost, stolen, or hacked on an unsecured network.
- Be scam smart about “out of office” messages - When an employee puts detailed information in an “out of office” message, it could give criminals the information they need to impersonate the employee in a scam. Some alternatives to detailed out of office messages include: directly notifying clients and colleagues about the absence, arranging for a trusted colleague to check on urgent emails, or providing a generic email address for urgent issues rather than naming a specific person. Out of office messages shouldn’t include the length of time away or location, as these details could make it easier for criminals to execute a spear-phishing attack or other scams.
- Protect mobile devices with passwords and 2FA - Ensure that employee devices are locked and password protected, including even simple storage devices like USB thumb drives. Also consider requiring two-factor authentication (2FA) on employee mobile devices.
- Require regular software updates on all mobile devices - Many attacks look for security flaws in outdated software, which are often resolved in the latest update. Traveling employees should be encouraged, or required, to update software on their devices, including an updated antivirus package.
- Consider securing screens with privacy filters - Shoulder surfing is a low-tech hacking method in which a thief simply watches the screen as travelers enter usernames, passwords, or other sensitive information. Privacy filters, which are typically a polarized plastic sheet placed over the device screen, can help block unauthorized side views for business travelers.
- Distribute personal charging devices or juice-jack protectors - Cybercriminals can modify USB connections to download data from a mobile device or install malware without the owner’s knowledge. Experts recommend that travelers carry their own battery bank to recharge devices, choose a traditional wall plug instead of a USB port, or use a juice-jack protector, which attaches to the end of a USB cord to help protect devices against data skimming while charging in a public place.
- Consider issuing travel-only laptops - One way to limit access to sensitive information is to provide employees with dedicated travel laptops that contain the minimum amount of data needed for each trip. If an employee must travel with a mobile device that contains sensitive information, consider fully encrypting the device.
- Update devices after international travel - Devices that are used or purchased abroad could be compromised or vulnerable to malware. Experts recommend that travelers update security software and change passwords on all devices after returning from international travel. Remember that laws and policies regarding online security and privacy vary in different countries, and while in a foreign country, employees are subject to local laws. The US State Department website offers travel safety information for various countries.
- Consider implementing a Mobile Device Management solution - Mobile Device Management (MDM) can help employers keep their employees’ devices more secure. MDM solutions can give employers remote control and monitoring of devices, help enforce certain device policies, and separate company data and personal data. If a device is lost or stolen, employers can remotely lock the device or wipe the data.
- Communicate the response plan - All employees should know the proper procedures if a device or document containing confidential information is lost or stolen. The Federal Trade Commission (FTC) publishes a response plan for businesses, Data Breach Response: A Guide for Business.
Additional Resources
- The National Institute of Standards and Technology offers a guidebook, Cybersecurity is Everyone’s Job, that outlines what each member of an organization can do to protect against cyber threats.
- The Federal Trade Commission provides a web page on Protecting Small Businesses with advice on avoiding scams, protecting computers and networks, and keeping customer data safe.
- The US Department of Homeland Security offers a Tips web page, which provides advice about common security issues in plain language.
- The Federal Trade Commission (FTC) publishes a response plan for businesses, Data Breach Response: A Guide for Business.