Don’t leave yourself prone to “shoulder surfing”. “I can’t count the number of times I’ve been able to glean confidential information on upcoming presentations, business pitches, stock purchase movements, simply by glancing across to my left or right while on a plane, train or sitting in a coffee shop,” says Steve Durbin, managing director of the Information Security Forum, an independent organization that helps companies develop best practices for investigating and resolving information security and risk management issues.
“Viewing confidential information in public areas without having screen protection can lead to data leakage,” Parekh adds. “Someone watching closely can figure out your password or can read confidential information.”
Inform the security/IT department of travel plans. “Make them aware that you are visiting Nigeria, New York or wherever you happen to be headed,” Durbin says.
“Most organizations will have security policies in place that determine the degree of access and approach that the organization has deemed appropriate for its risk appetite and the individual concerned,” Durbin says. “Access to the level of sensitive data will be a key determinant in what steps your security guys will want you to take.”
If possible, provide an itinerary. “If you have security monitoring on your network, it may be helpful for the guys in your operations center to know where you are traveling,” Durbin says. “An attempt at network access from Sydney when you left there two days previously will only ring alarm bells if the security guys know that you were due to leave two days ago, and are now in Singapore.”
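The itinerary check Durbin describes can be sketched as detection logic. This is an added example, not code from the article or from any organization quoted in it. The itinerary, the login events, the home city and the six-hour grace window are all constructed assumptions, and each login is assumed to be already geolocated to a city.

```python
from datetime import datetime, timedelta

# Constructed itinerary for a hypothetical traveller: (city, arrival, departure).
ITINERARY = [
    ("Sydney",    datetime(2024, 3, 4, 8, 0), datetime(2024, 3, 8, 21, 0)),
    ("Singapore", datetime(2024, 3, 9, 5, 0), datetime(2024, 3, 13, 18, 0)),
]
HOME = "New York"            # assumed home office location
GRACE = timedelta(hours=6)   # assumed tolerance for delayed flights and clock skew


def expected_cities(when, itinerary=ITINERARY, home=HOME, grace=GRACE):
    """Return the set of cities the traveller may plausibly be in at `when`."""
    cities = {city for city, arrive, depart in itinerary
              if arrive - grace <= when <= depart + grace}
    first_arrival = min(arrive for _, arrive, _ in itinerary)
    last_departure = max(depart for _, _, depart in itinerary)
    # Before the trip starts and after it ends, the home location is expected.
    if when <= first_arrival + grace or when >= last_departure - grace:
        cities.add(home)
    return cities


def triage(events, itinerary=ITINERARY, home=HOME):
    """Label each (timestamp, source city) login 'ok' or 'alert'."""
    results = []
    for when, city in events:
        allowed = expected_cities(when, itinerary, home)
        verdict = "ok" if city in allowed else "alert"
        results.append((when, city, verdict, sorted(allowed)))
    return results


# Constructed sample login events: (timestamp, geolocated source city).
EVENTS = [
    (datetime(2024, 3, 6, 9, 30), "Sydney"),      # during the Sydney leg
    (datetime(2024, 3, 10, 14, 0), "Singapore"),  # during the Singapore leg
    (datetime(2024, 3, 10, 22, 15), "Sydney"),    # two days after leaving Sydney
    (datetime(2024, 3, 11, 3, 0), "New York"),    # home city while traveller is abroad
]

if __name__ == "__main__":
    for when, city, verdict, allowed in triage(EVENTS):
        print(f"{when:%Y-%m-%d %H:%M}  {city:<10} {verdict:<5} expected={allowed}")
```

Without the itinerary, the third and fourth events are indistinguishable from normal logins; with it, both stand out because the traveller is expected in Singapore.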
Leverage threat intelligence. Executives planning to travel should use cyber threat intelligence similar to the physical threat intelligence available.
“Such intelligence could be created using advanced analytics capabilities [to] integrate cyber and geospatial threat data, and would include hotels, business offices, networks and locales where malicious and unfriendly entities are known to operate,” Jones says.
Knowing the nature and physical locations of such threats will allow executives to mitigate the risk of rogue wireless and cellular access points, captured and monitored traffic, unauthorized physical access to computing devices and installation of malicious code and monitoring tools, Jones says.
“Executives [should] only connect to known safe Wi-Fi or broadband access points, where security credentials and details for those access points could be pre-loaded on the executive's devices,” Jones says. Upon the executive's return to the home office, devices should be analyzed to determine whether, when and how they were attacked. This information can then be processed by an analytics engine and added to future threat intelligence reports, he says.
Don’t forget training. A security awareness program focused on security threats during travel is important, Parekh says.