The recent news that the US is considering ‘extreme vetting’ of those entering its shores, including the ‘laptop ban’, is a clear indication that border controls and travel restrictions across the globe have never been more in flux.
James Plouffe, Lead Solutions Architect of US software firm Mobile Iron, explains the benefits of implementing personal and corporate travel security practices to make sure both personal and professional data is protected from prying eyes at border security.
Not only do our devises contain confidential business information they also hold notes, contacts, messages, call histories, photographs, social media profiles and browsing histories. All of which could draw unwanted attention at certain borders - creating a difficult situation for business travellers.
Policy requirements for mobile business travellers
Border officials have some of the most comprehensive powers available to officers of the state. This includes the legal right to cease your mobile device and search it. And while this can be distressing and unwelcome, you will have to comply if you stand any chance of entering the country.
It is also unlikely that border agents will tell you what they are looking for even though it is your personal information. And after detention of your device(s) how can you be sure that those border agents haven’t then installed a hidden programme without your knowledge?
While this may seem like a scene cut straight from a spy movie, it is not as far-fetched as you might believe. However, there are a number of things corporations and individuals can do to safeguard personal and professional information when in transit.
Safeguarding personal information
At an individual level, services like Bluetooth and wifi can be disabled so that they do not act as ‘auxiliary’ radios that constantly transmit your location.
You can also turn off your device all together prior to embarking and going through border controls. This not only disables biometric identifiers but also means that border officials have to ask for your password if they want to access your device and in some cases this is illegal.
Another effective method is to disable single sign-in on the device when travelling.
This means that you will need to enter a password for each individual service on the device. This then makes going through the phone laborious and time consuming, deterring even the most determined official.
Finally, consider packing your primary smart phone in your checked luggage and carrying on board a ‘lesser’ device that can only do the basics.
Safeguarding corporate information
At corporate level an international security policy should seriously be considered to cover specific issues raised by privacy intrusions at border controls or by authorities when inside the country.
This would include the development of policies for specific countries that pose more of a risk and can be automatically activated based on geographic locations.
Such policies could remove enterprise services and retain those that are necessary and unlikely to be problematic. Other policy ideas could remove apps while enabling employees to access back-end services via a browser and introducing features such as stronger passwords.
However, when developing country specific policies, it is a good idea to map out processes that can be followed to mitigate risk. For example, different countries may require different policies and processes that can be implemented depending on the potential risks of travel to countries deemed ‘high risk’ such as China, the Middle East or Africa.
App in case of emergency
It’s also in the best interest of corporations to develop their own ‘emergency’ application which can be pushed to the device of any employee known to be travelling to/in a ‘high risk’ country. This can include advice on what to do if demands are made for them to hand over their device, detention or what to do if emergency healthcare is needed.
It is also important for an emergency app to include a notification feature so an employee can gain direct access to a designated person or group of people who can act on their behalf in case of emergencies.
The last resort for any corporation is to remotely wipe a device. If a device is shown to be working in one country and the employee is known to be in another, then this might be the time to go nuclear.
But beware, this does have its pitfalls as business travellers might have to change plans last minute and landing in a new destination with a disabled phone is far from ideal.
To alleviate this stress, unexpected demands should be factored into the policies with safeguards put in place. This ensures that information is backed up and that remote wipes are only used as a last resort.
Implementing security policies on travel are an effective way of ensuring data remains private and out of unwanted hands. However, for those policies to be successful, employees must adhere to them. Therefore, it is essential to educate a workforce as to why they are necessary, how to properly use devices when travelling and importantly, why it is not acceptable for border officials to think they have a right to access personal and professional information.
Risk Assessments for Mobile Travelling
Place device in luggage
Deploy emergency app
Set emergency notifications
Enable remote wipe
Turn device off when travelling
Carry companion device