The growing difficulty of protecting data on the move

What is the impact of new travel-related regulations that insist on laptops being put in the hold and people being asked to handover passwords? Is it to prevent terrorism or is there a hidden agenda around commercial gain?   

New legislation being considered by the Trump administration suggests that UK citizens travelling to the United States would have to hand over personal information such as passwords to their social media accounts and access to the contacts in their mobile phone or risk being denied entry to the country. This comes just weeks after another travel-based regulation that banned certain electronic devices from some countries in North Africa and the Middle East bound for either the US or UK. At the same time, the upcoming GDPR is putting huge pressure on organisations to secure their data. How do these new travel regulations impact organisations trying to secure their sensitive data?   

Extreme vetting    

In this latest would-be new regulation since the arrival of Trump in the White House,  tourists from the UK as well as other countries which are allies of the US, such as France and Germany, could be impacted.  According to the Wall Street Journal, in what they called a new 'extreme vetting' policy, some tourists would have to hand over not just personal information like social media passwords but also financial information and even face questioning as to their ideological beliefs.   

Although the article suggested that this was just being considered, further reporting from The Guardian suggested that it might already be in force as US Customs and Border Patrol told them that all international travellers were subject to inspection, going on to say, "This inspection may include electronic devices such as computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players and any other electronic or digital devices." 

If the authorities are mandated to obtain passwords and access codes then suddenly, it becomes impossible for an organisation to limit access to its sensitive corporate data to its trusted employees. At that point, the authorities could in theory target a high-ranking executive who they suspect may have highly commercially sensitive information, demand access, and obtain access to the data on the device. As we know, the US authorities don’t have the best track record on data security so there is a huge exposure here for organisations.  

Restrictions on electronic devices    

This follows a ban on tablets, laptops and games consoles among other devices bigger than a mobile phone in March this year. In the US, the ban applies to flights from eight countries including Egypt, Jordan, Kuwait, Morocco, Qatar, Saudi Arabia, Turkey and the United Arab Emirates. Meanwhile, in the UK, the ban applies to flights from just six countries including Egypt, Jordan, Lebanon, Saudi Arabia, Tunisia and Turkey.     

The impact on the organisation    

Of course, stopping terrorism should be government's top priority but all of these new regulations have a knock-on impact on both people's personal data and the ability of organisations to protect their sensitive corporate data in transit. For organisations who are coming under increasing scrutiny when it comes to their data protection practices, and who have been charged with securing their data against data breaches or risk huge fines with the upcoming GDPR, there must at least be some thought put around how these new laws are going to affect them.   

It's not just the corporate reputation and the fines for these organisations to worry about, lawmakers also need to consider the long term impact of making an organisation's data inherently unsecure by forcing business travellers or even non-business travellers with work devices in tow, to divulge passwords or put their laptops in the hold where they cannot guarantee they will not be tampered with, or lost or stolen. The fact that the electronics ban is so easily circumvented by a terrorist simply asking a friend unknown to the authorities to book a flight to somewhere else, carry the terrorist's device through security and give it to them afterwards so they can take it on the plane, adds insult to injury for organisations trying to do their utmost to secure their data. Indeed, it begs the question as to whether these new travel measures really are to prevent terrorism, especially when they are so easily circumnavigated and not implemented by other allied countries, or if there is an additional, hidden agenda around commercial gain here? 

Terrorism and data breaches    

There is also the link between data breaches themselves and terrorism. Often, cyber security breaches in particular but also data breaches involving stolen USBs and laptops, are used to extort money that then goes towards further criminal or indeed terrorist activities either directly or indirectly. So by dealing with terrorism and the security of data as two entirely different issues and without giving any regard to the other, seems to be a poor strategy from our respective government representatives.    

The difficulties with encryption    

Data on the move has always presented security problems for organisations and the risks associated with data and international travel are not new. Certain countries, China for example, have restrictive policies around encryption and require foreign companies bringing data into the country to report their use of encryption to the Office of State Commercial Cryptography Administration (OSCCA) to obtain approval. Of course, if organisations are required to only use certain types of encryption, this is another potential risk to its data.    

In this new world, where new regulations are presenting another challenge to organisations already struggling to secure their sensitive data against everything from insider threats to cyber hackers in order to avoid the potential 20 million Euro fine or 4% of global annual turnover, whichever is the greater, organisations must look to new solutions. The ability to show a verifiable audit trail for your data and having the option to turn the data off rather than just encrypt it, should become key factors in the decision making around choosing new technologies. 

The problem with encryption is that it's not always easy to use which can result in employees removing it from the device or switching it off. There's also the possibility that employees will write the password for the encryption on the actual device itself because it's simply too complicated to remember any other way - this is especially true when devices are shared between users and it's just easier for the users to always be able to access the data. Of course, this renders the encryption defunct. But that's not the only problem with encryption; if an encrypted device is lost or stolen, perhaps after being forced to be put in the hold of an airplane rather than staying with the passenger, how can an organisation prove it was ever encrypted without recovering the device?

Solutions for the new world    

With new technologies in USB devices and solutions embedded into laptops, organisations are able to have full visibility of where their device and thereby data is at all times. Organisations can also send a command to the device to turn off the data immediately or even set up geographical zones so that the data disappears once the device is outside the zone. The data can later be switched back on or if the device is lost or stolen, the data can be destroyed in a mission impossible style puff of smoke. This allows the organisation to have a verifiable audit trail should a device be lost or stolen. That ability to show the national regulatory body that you're fully in control of your data at all times will do a lot to reduce or negate the upcoming GDPR fines but equally importantly, these new technologies equip organisations to deal with the ever-changing challenges they are presented with, such as these new travel-related regulations.  

Image Credit: Joergelman / Pixabay