Conducting Business Across Borders
Conducting business across international borders poses material threats to intellectual property and company security.
Whether traveling on behalf of a company, or for leisure, business travelers and executives need to take extra precautions to protect company interests. A simple download, a virus masquerading as a Yahoo or Adobe upgrade, or a device left unattended in a hotel room could have serious and costly outcomes.
Surveillance and Information Sharing
Working overseas puts companies in environments where laws and culture surrounding foreign corporate sovereignty and property rights may significantly differ from those in the United States.
In the U.S., it is not the norm to expect government surveillance to be used for commercial gain. In other words, the U.S. government does not routinely hack foreign corporate networks, or steal from visiting business executives and then pass that information on to U.S. competitors for their commercial advantage.
That’s simply not the case elsewhere. In many countries, the government-corporate divide concerning data sharing is not clear — particularly in countries with state-owned enterprises where companies are part of the regime. When nationalist interests supersede property rights, opinion may flow toward an all-is-fair mentality for the sake of competing against foreign firms. Countries and territories in which this occurs should be considered a high security risk for business travel, and warrant an increased level of concern that a government or sponsored private group may attack you en route or during your stay.
Assessing the Risks
Targeting professionals who conduct business in foreign countries is not new. In 1993, French intelligence was publicly accused of bugging executives flying Concorde to and from Canada and the U.S., in order to gain trade and commercial secrets for domestic French companies.
A more recent example is the 2014 Darkhotel corporate espionage campaignin which bad actors used Wi-Fi networks at luxury hotels to attack traveling executives. By planting malware disguised as legitimate software updates, they were able to view everything typed on devices such as passwords, client info and much more. And according to the Kaspersky Lab these sophisticated attacks were in play for at least seven years before they were discovered.
What can you do about attacks from foreign governments, mercenaries, and competing companies when abroad?
Hackers and bad actors often correctly assume that any information stored on the phone, computer, tablet or any other device of a frequent business traveler will contain valuable information. Whether that’s client contact info, banking information, research and development, trade plans, or simple emails: it’s all of interest and generally sellable on the black market. Here are six essential steps to help you protect company interests while traveling:
- Always keep devices with you. Electronic devices should be kept on your person at all times. Unattended devices — even if left in a hotel room — can be vulnerable. If there is any risk of an electronic device having been out of your possession, do not reconnect that device into a corporate network.
- Use a fresh device when overseas. Whenever possible during travel, use new devices that have only the minimal amount of information needed stored on them. Limit your usage and connections back to company resources when on the road, and don’t connect the devices to your company network when you get home. When on the road, single-use remote access terminals can create an air-gapped segmentation between a travel-specific device and a terminal capable of accessing proprietary information. This segmentation further protects against device imaging when crossing borders or clearing customs.
- Keep loaded data to a minimum. Identify what information is critical to protect. Often companies don’t always fully understand what is valuable, as they don’t know what competitors are looking for. Err on the side of assuming most info has value for would-be attackers. Classification systems for corporate documents are essential, and data deemed critical should be password protected and encrypted before it can be viewed, edited or downloaded.
- Use full-disk encryption. All devices should be protected by full-disk encryption. Encryption software ensures that the only way to get into the device is with a key. Now that most Apple, Windows, and Linux products can be fully encrypted, this is easier than ever to do.
- Avoid public Wi-Fi hotspots. Even if you believe the hotspot is secure, don’t take the risk. As the Darkhotel attacks demonstrate, even luxury hotel Wi-Fi can make you vulnerable. If you must connect to one of these hotspots, do not download anything onto your local device. Disposable virtual desktop interfaces, secured over an SSL encrypted connection, provide a promising option for these circumstances. If something malicious downloads onto a disposable machine, simply discard it without compromising your local device.
- Know regulations and political conditions. Familiarize yourself and your organization with your destination’s current customs and restrictions concerning visitors, device imaging at customs, and more in order to accurately assess the risks — and then take the appropriate precautions. Not every country demands the same level of security, making resource prioritization easier.
No matter the nature of your cross-border activities, take extra precautions to protect individual and company interests. If your organization does not have an official corporate travel policy, think about creating one now. If you do have one, be sure to update it and continue to stay on top of changing foreign policies. Remember even routine travel can pose a risk. For additional resources, consider the FBI-issued guide on strategies concerning executive travel security.