Today's corporate data thieves have developed remarkably
sophisticated methods of stealing information from unsuspecting business
travelers' laptops and mobile devices. BTN editor-in-chief Elizabeth West
recently spoke with Blancco chief strategy officer Richard Stiennon and Erase
Enterprises president Kevin Mellott about the data-security risks that
travelers face and the steps their organizations can take to protect
information.
BTN: What advice can you give to business travelers about the actual theft of their
devices?
Kevin Mellott: The first thing that we [suggest] is
removable hard drives. We don't like anybody taking a laptop or any kind of
device where they cannot remove the hard drive, or at least get the
intellectual property out of the device to keep it separate from the device
itself.
The second point is compartmentalization. Never let one
computer have all the information. If you're traveling in a group, have the
encryption codes on one device and the data on a different device, so if
someone steals a computer, they can't decrypt the information. We're also real
big on remote wipes so that when a person steals a computer, the minute they
plug it into the Internet, we can wipe the drive remotely so they can't get the
data.
Richard Stiennon: No. 1, now unfortunately in
conflict with the new [inflight carry-on electronics] requirements, was never
to let the device out of your control. It's always with you; it's under the
seat in front of you. So now, you've got this overwhelming issue of what do you
do if your devices are no longer going to be in your control, and our No. 1
recommendation is to limit the data that's on those devices. We've encountered
this before, of course, with people traveling into hazardous data
environments—typically, U.S. business travelers traveling to China.
BTN: You mentioned the U.S. Transportation Security Administration's ban of carry-on
electronic devices on inbound flights from 10 Middle Eastern airports. Are
there additional issues that regulation brings to the corporate travel space?
Stiennon: There's a kind of coincidence with the
travel ban on electronic equipment and more concern over lithium batteries,
which are no longer allowed to be shipped en masse on airplanes. Combine the
two, and you just won't be able to take your laptop. I think that's going to
change corporate travel business practices. It means you'll be traveling to
your destination and must get access once you get there. Corporations will have
to figure out how to provide equipment for you that can quickly be spun up,
probably using the cloud and virtual desktops in order to access that
information. That's great, because the data will be under corporate control all
the time.
BTN: You mentioned there are certain markets where you should simply assume that your
data will be compromised. Which areas top that list?
Stiennon: Nowadays, of course, Russia would be on the
list. Oddly enough, traditionally in the security space, France was on the
list. France was known for having active state-sponsored industrial espionage.
Even though people are very careful about transporting data through France,
even France had bans on using encryption just because they needed access to
that data.
Countries That Don't Honor IP Laws
Source: Office of the U.S. Trade Representative's 2016 Special 301 Report
Priority Watch List
- Algeria
- Argentina
- Chile
- China
- India
- Indonesia
- Kuwait
- Russia
- Thailand
- Ukraine
- Venezuela
Watch List
- Barbados
- Bolivia
- Brazil
- Bulgaria
- Canada
- Colombia
- Costa Rica
- Dominican Republic
- Ecuador
- Egypt
- Greece
- Guatemala
- Jamaica
- Lebanon
- Mexico
- Pakistan
- Peru
- Romania
- Switzerland
- Turkey
- Turkmenistan
- Uzbekistan
- Vietnam
Mellott: There are two things you have to remember:
1) There are countries that actively participate in intelligence collection on
an economic level. 2) There are countries that do not honor any kind of
intellectual property laws. The first thing we tell our clients is to get a
copy of the U.S. Trade Representative's 301-R report. The 301-R comes out every
April, and it lists all the countries in the world that do not honor
intellectual property laws. [Editor's note: See the list on page 38]. The
minute you're going someplace that's in that list, you need to think twice
about your data.
BTN: What are other ways that data can be breached while traveling that don't necessarily
involve actual theft?
Mellott: Itinerary control is essential, and it
starts with the fact that if nobody knows where you are or where you're going,
it's pretty hard for them to intercept you or your data. Once they've targeted
your corporation way before you travel—and this happens quite often on the
international side—they're inside the system to see who's flying where and
when.
[Certain devices] allow you to mimic any wireless contact in
the area. Then you get on the airplane, and people are looking over your
shoulder. It absolutely blows my mind the types of data I see from people
working on their laptops where I can look over the seat or to my left or right
and see proprietary information.
Then we get into Bluetooth intercept, where you start
intercepting Bluetooth devices to get into the laptop. And it does not take
much to pay a maid to let you get into the room and drop an "execute file"
flash drive or go in and copy the drive.
BTN: Is interception still possible even when you are tunneling through with a virtual
private network?
Stiennon: I often recommend using a separate VPN, not
the corporate VPN, because any man in the middle can still intercept those
connections. But add the additional hop of a third VPN and now, even though you're
going through a rogue access point that might have had an initial encrypted
connection to the access point, you're still tunneling over that encrypted
connection all the way to your destination.
That gives you the ability to work inside hotels—because
hotels are rather notorious for not having good security—or even in the sky
lounge of the airport. Don't just use the open Wi-Fi they provide.
BTN: How can companies increase compliance with security policies they already have in place?
Stiennon: It comes down to technology. Remember the
days when corporate policies were that you must reset your password every 30 days?
Nobody ever did that until Microsoft instituted automatic password reset
requirements. Then it happened. Technology is your enforcement tool.
As for data hygiene—that's where having an agent on the
devices that takes care of securely erasing everything that's in the trash bin
on a regular schedule, and securely erasing old copies of documents after they've
been updated, so you don't have all this data that could be extracted lying
around—that's the key to policy enforcement: taking control over your own data.
BTN: Leaving devices at home, erasing data, using multiple VPNs. All of that makes work
really hard and can slow travelers down.
Mellott: Well, security is inconvenient. There's no way around that, but the inconvenience of
having data compromised is way worse. If they get your data, if they penetrate
your system, it may not just be you they're after. They may counterfeit your
laptop so that when you come back to the States and you go into the company
network, they gain access for a bigger picture. So compliance enforcement is
one thing, but another important piece is employee education. They have to know
what's at stake.