Travel is making a comeback; the busy airports and roadways are just one indication of this. Companies should prepare for the increased risk posed by employees who use company resources, including laptops, phones, and other devices, while traveling on vacation or business trips.
Most security and data breaches are attributable to human error; thus, employers should regularly communicate expectations and train employees on good cyber hygiene. Employers may need to adopt additional guidance specifically related to travel. For example, there has been a reported increase in surveillance by airport security personnel in some countries and an uptick in reports of security officials asking travelers to unlock their devices and allow officials to review content. Employees should be made aware of these trends and have directives on how to respond in these situations. For example, some companies prohibit employees from storing sensitive data on the device and require that the device be set to “travel mode” to help prevent access to the company’s cloud or other data storage environment. Other companies require employees to take steps prior to travel, including changing passwords, backing up devices, and ensuring that applications and antivirus software are up to date.
Employees should also receive guidance about using their devices while traveling, including:
- Do not leave devices unattended or unsecured. The most common cyber threat for travelers is theft or loss of the device itself. Devices should always be packed in carry-on luggage, not checked luggage. If an employee leaves a device in a hotel room during travels, the device should always be locked in a safe. If a device is stolen or lost, employees should immediately report the incident to company IT.
- Always secure devices with a complex password when not in use.
- Do not use public charging stations. Cybercriminals commonly modify USB ports to allow unauthorized access to connected devices.
- Avoid the use of public Wi-Fi networks, including in hotels and airports, which generally are unsecured and whose traffic can be easily intercepted. Employees should always access sensitive data through the company’s VPN, and multifactor authentication should be enabled.
- Turn off Bluetooth and auto-connect features on any devices that may contain sensitive information.
- Share location and travel details sparingly, including on business systems and personal social media, particularly with outside parties. If a cybercriminal knows an employee is traveling, this could make it easier to execute a phishing attack or impersonate the traveling employee.
There are also additional steps employers can take to help protect company assets and data when an employee travels, including:
- Installing mobile device management software on the device to allow remote monitoring and remote locking or wiping if the device is lost or stolen.
- Enforcing complex password policies.
- Issuing refresher training to employees on cyber and privacy requirements, policies, and best practices.
- Running malware and virus scans on devices to check for malicious software installed without the employee's knowledge.
- Responding immediately to secure systems and data upon receiving a report of an incident, including theft or loss of a device.
Additional information about security while traveling can be found on the websites of the Cybersecurity & Infrastructure Security Agency and the Federal Trade Commission. The Baker Botts Privacy and Data Security Team is also available to assist whenever needed.