Organizations have many concerns when it comes to employee travel, from reimbursements and company credit cards to hotel and flight arrangements. But IT should add mobile device security threats to the list.
It's easy for organizations with users who travel domestically or internationally to overlook mobile device security threats. The threat actors involved are not stereotypical hackers; they can be airport workers, government spies and related parties along the travel path who are interested in an organization's employees, devices or information assets.
There are countless cases of phones and tablets being stolen or left behind. Adversaries can attempt to install malware on found mobile devices to control them for use in other attacks, or they can steal information directly from them. Also, foreign law enforcement can confiscate mobile devices for national security reasons.
Mobile devices store a wealth of sensitive information, from emails and client-related files to business intellectual property. Many users connect their mobile devices to random -- and likely rogue -- wireless access points, which can facilitate man-in-the-middle attacks against the devices.
How users can travel smart and safe
With all of the mobile device security threats involved when traveling abroad for business, it's important for users to travel safely with their mobile devices. The first step is ensuring that end users do their research about the particular area to which they are traveling.
IT should ensure that employees know their privacy rights under the customs and border protection laws of the countries to which they'll travel. In non-adversarial countries, end users can more or less do whatever they want. But in potentially high-risk countries, such as China and Russia, there is always the risk of a search or seizure that results in lost devices.
When employees travel to those types of countries, IT should consider burner devices that employees only use for basic communication on those trips and nothing more. This can be especially important for executives and other high-profile employees.
Follow password best practices
IT should disable biometric authentication on mobile devices to be safe. Law enforcement may not be able to force users to enter a password, but they could compel them to use biometrics for authentication. If law enforcement confiscates a device, there's a chance that they could also steal information, install backdoors or reset the system altogether.
IT should also require multifactor authentication for network and application access with no exceptions.
Employees should be required to use a VPN -- whether it be a corporate VPN or a trusted online option -- for all system usage, including basic web browsing and personal use. IT should encourage -- or ideally, require -- employees to use mobile device hotspots to connect to the internet.
Domain password policies should also extend to mobile devices. Mobile devices with weak or no passwords can work to the advantage of those with malicious intent. IT should encourage users to change their passwords before they leave, and then again as soon as they return.
How to prevent mobile device security threats
IT should constantly update employees' mobile devices to the latest OS version using a third-party application, app update control or unified endpoint management (UEM).
Organizations should have proven endpoint security controls, such as mobile device management, enterprise mobility management or UEM, to protect against mobile device security threats. The platform should also ideally connect and interact with an existing log management or security information and event management system.
IT pros should incorporate these security best practices into their incident response plans, employee handbooks and security policies. These documents should cover a range of topics, including data backups, email, encryption, passwords and BYOD programs.
More best practices for mobile device security
IT should consider using devices that are known to be more secure than the average device. For example, Google Chromebooks provide heightened security on the hardware side, while Silent Circle's Silent Phone for iOS and Android does so for the software side.
It's essential to limit a user's involvement in security decision-making. When presented with the choice between security and convenience, an end user will likely choose the latter.
IT should also perform an in-depth security assessment related to mobile devices and travel -- and then vow to do something about it. IT can likely address these threats with existing controls and ongoing training to set users up for success.