The holiday season is upon us, and this can bring huge opportunities for cybercriminals. Whether you’re travelling for work or pleasure, being in an unfamiliar place can make you a perfect target for cybercrime. We spoke to a selection of security experts to find out how to mitigate these risks and ensure that your trip is all smooth sailing.
Patrick Martin, Senior Threat Intelligence Analyst at Skurio:
Nowadays, vacation-bound businesspeople are just as likely to throw devices and chargers into their suitcase as flip-flops and sunscreen. With Cloud adoption and the growing popularity of BYOD, digital risks for businesses have increased enormously.
The biggest risk is having your device fall into the wrong hands whilst you’re away. A threat actor gaining access to your laptop, and the corporate data or local email content it contains, will open a myriad of avenues for attack. Data exfiltration, phishing and financial fraud are some of the most common and damaging results.
Companies that support BYOD, or allow staff to travel with corporate devices, should enforce strict reporting processes and have procedures in place to remotely wipe devices. As a stronger and more reliable line of defence, encrypt local data or use full disc encryption (FDE) to reinforce your security.
Be a beach bum, not a breach bum…
When planning a trip, get your staff and colleagues to be extra vigilant when responding to emails they receive from you while you’re away. Get them to verify any instructions using alternative communication methods and treat correspondence from supply chain partners with caution.
And finally, avoid setting an external out-of-office message that provides hackers with lots of details on how long you’re away, names and email contacts in your absence for different topics or projects, which will signal a green light to cybercriminals to execute very targeted spear phishing attacks with personalised and timely messages to your colleagues.
Stepping up your outer defences is a great way to ensure you’re prepared for attacks being planned when staff are absent. Monitoring chatter in Dark Web forums can also help provide an early warning about planned attacks, alerting a company if they are being discussed by threat actors or if stolen credentials are being sold.
Carolyn Crandall, Chief Deception Officer at Attivo Networks:
Once you’ve decided which devices you need to take on your vacation, it is key to make sure everything is patched and software is up to date before you travel, which can greatly reduce the risk of your devices being hacked.
When travelling around abroad, it is becoming increasingly challenging to pay for everything in cash, so if you do choose to carry your credit cards with you, keep them secure in an RFID wallet to avoid being a victim of contactless card fraud.
It’s best practice to avoid using public WiFi, however if you must, use caution when doing so. Don’t shop or access personal information on public WiFi and always use a VPN when using mobile data. In order to avoid automatic connection to public WiFi, turn it off on your phone alongside Bluetooth if not needed.
Additionally, be sure to use at least two levels of verification for any requests for money exchange while traveling. Don’t purely rely on email.
Finally, if you are tired from a long journey, don’t click on any unknown links. It’s all too easy to miss phishing indicators when rushing or just exhausted from travel.
Fennel Aurora, Security Adviser at F-Secure:
Secure your devices by making sure they are all locked with a passphrase (no PINs, no fingerprints, no face identification), and don’t forget to set a code on your eBook reader, the longer the better. On holiday, you are likely to be in unfamiliar places, more relaxed and less attentive than usual - a perfect combination for getting a device lost or stolen, so you want to limit the damage if the worst happens.
For the same reason, don’t bring all your devices with you – the less you have to protect and remember, the better. It also means that if something goes wrong, you still have a working device at home with all your accounts and data. This goes double if you are visiting a country where basic civil rights protecting your privacy are under threat – if you don’t have your device with you, or if the device you bring does not have access to your accounts, you can’t be forced to provide something you don’t have.
Where possible, avoid using public computers. You don’t know where they have been, who was on them before you, or what’s been installed. If you must use them, avoid logging into any of your important accounts. If you insist on doing so, make sure you logout of everything before you leave, and clear all browser history.
Be careful about what you connect your devices to and where you charge them. When connecting, pay attention to the warnings on your devices asking if you want to allow syncing of your contacts and photos – feel free to say no! This can be avoided by bringing a few power banks.
Joseph Carson, Chief Security Scientist at Thycotic:
Keep valuables in your hotel room locked in your suitcase. Try to always have the “Do Not Disturb” sign up during your entire stay and keep anything you want to remain out of sight locked in your suitcase.
Use cash for payments as much as possible, although today this is getting more and more difficult. Also, when you take cash out of ATM’s try to use only those inside banks and not the ones on the street as they have a higher possibility of being scammed.
Power off devices you are not using and leave sensitive data at home. To reduce the risks of your devices being hacked, power the devices you are not using completely off, even those that you leave locked in the hotel room. For the devices that you carry with you, keep them in airplane mode.
Public WiFi is a no go, however if you must check something then do so knowing your data will be collected and monitored and always use a VPN and a device that does not contain sensitive data.