‘Tis the season for holiday travel and …data theft. Your personal choices when traveling could be putting your organization’s data at risk. BIA’s Brian Schrader has tips on protecting company data while you travel.
According to a report by AAA, at least 112.5 million (or one in three) Americans are expected to travel over the coming holidays. That means all their connected devices will travel too. The public’s increased access to gadgets and unprecedented connectivity leaves us more vulnerable than ever to cyber-attacks on our data.
It’s not just our personal data that’s at risk. Recent breaches at companies like Capital One and Equifax have shown that even large corporations can be susceptible to harmful attacks, both in terms of size and sensitivity of the stolen data. If your company deals with sensitive documents, financial data, personally identifiable information (PII) or protected health information (PHI), you should take extra care to avoid data theft and the many costs associated with a breach, especially during your travels.
Seemingly safe or harmless activities like using a personal cell phone to answer work emails or texting coworkers about something work-related can make company data more accessible to hackers.
Before you jet (or drive, or sled) off, take some time to learn how you can protect yourself from common data theft strategies used by hackers. Here are five ways your data might be endangered, along with tips to help you safeguard your company’s data during holiday travel:
1. Airport charging stations
Airport charging stations usually feature two- or three-pronged outlets as well as some USB ports that offer users a power top-off before flying. USB ports are convenient, but they can also put your data at risk. Data can be transferred through USB cables (from your phone to your computer, for example) so bad actors use them as a gateway to your devices. Hackers can use charging ports to install malware or even take data from your device without you knowing a thing. This type of attack has been labeled “juice jacking.”
So, plugging a device into a regular outlet is relatively harmless, right? Yes and no. While data cannot be transferred through a power adapter, you should still avoid using an unfamiliar cable to charge your device. Using someone else’s power cord, or one seemingly left behind by another traveler, could still pose a threat. Malware can be installed in USB cables too, so it is best to use your own instead of taking this risk.
In addition to avoiding public USB ports and always using your own cables, you can also purchase hardware to protect your data. USB “no-data-transfer” cables only allow the transfer of power (not data), and the Juice-Jack Defender is a safe go-between for chargers and devices.
2. Public Wi-Fi
Sometimes, a traveler has no choice but to use a public Wi-Fi network. Unfortunately, such connections are notorious for allowing cyber criminals to steal information or install malware. There are several ways hackers can abuse these networks, including “man in the middle” attacks (where cyber thieves intercept your data using tools inserted in-between your device and the websites you visit), malware distribution through unsecure public Wi-Fi networks, or even misleading Wi-Fi names that trick users into connecting to a criminal’s network.
Here are a few things that can protect you while using public Wi-Fi:
- Virtual private network (VPN): A VPN uses encryption technology to scramble data flowing to and from your computer, blocking cyberthieves from gaining access to your data through a public network.
- Personal Wi-Fi hotspots: Also called pucks, these small devices provide an alternative to endangering your data over a public network. They are conveniently sized and can offer a fast, private connection from your pocket.
- Multi-factor authentication (MFA): Make sure your business requires an authentication code, biometric scan or other multi-factor authentication method to access the network. Having this in place ensures that, even if bad actors access any log-in information, they won’t get past the additional level of protection.
3. Location Services
Long gone are the days of lap-juggling the trusty Rand McNally or fumbling for printed directions from online. Without question, smartphones have changed and elevated the way we travel, offering conveniences like real-time updates and route change capabilities. However, the price we pay for the efficiency and comfort of location services is the potential access we unknowingly offer bad actors about our location.
Down the road, your location data may even be sold to the highest bidder. In 2018, AT&T, Verizon, T-Mobile and Sprint all admitted that they sold access to individuals’ geolocation data. Additionally, companies like LocationSmart can gather users’ location data in real time from cell towers and sell the information to its customers.
Needless to say, you don’t want your location information sold to people with wrongful intentions looking to gain an edge on your company. Attackers could use that data to understand when devices are most vulnerable or know when the office is emptier, enabling them to plan a more damaging breach that affects the entire corporation.
You can reduce these risks by limiting your use of location services; only turn them on when you are actively using them for navigation, and take care to disable them once you arrive at your destination.
4. Ridesharing Apps
Flying out of town during the holidays can mean that your options for getting around are more limited than usual. You might be without your car or unfamiliar with your destination’s public transportation, for example. Ridesharing apps like Uber and Lyft can come in handy in these situations. But even tech giants like these companies are not immune to cyberattacks and data breaches. For example, in 2017, Uber announced that millions of customers’ personal data including names, addresses and mobile phone numbers had been compromised.
It is always a good idea to check the privacy statements of your apps and confirm you are comfortable providing the information that will be stored. If you pay for a ride using a company card, be sure to delete the information from the app after your ride. Ridesharing apps also pose location-based threats as they rely on your phone’s GPS. Unless you turn off location permissions for the apps after riding, they may also store information about where you go and potentially even how much time you spend there. Again, the best way to be safe is to be cautious about what information you provide and only enable location services for the duration of your ride.
5. Rewards Programs
Travel rewards programs from hotels and airlines offer us perks and luxuries such as quick and easy checkout or reward travel miles. But the personal and/or company data that these programs require in exchange is highly desirable to cyber criminals.
Sensitive information – from credit card numbers to passport information – can potentially be accessed through our profiles. The 2019 IBM X-Force Threat Intelligence Index found that the transportation industry is the second highest industry targeted by cyber-attackers, due to the volume and nature of valuable information that can be stolen.
The best and simplest way to protect your personal and company data is to be wary of what information you provide to travel programs. For example, if you use a company credit card to book a business trip, delete that information from your account to reduce the risk of someone coming across it later.
For many, the holidays involve seeing family and friends or perhaps visiting new destinations. Whether your trips are personal or work-related, it is important to be educated on the risks your data faces during travel. Keep these tips in mind to protect your organization’s data and ensure that your company has a safe and secure 2020.
Brian Schrader, Esq. is President & CEO of BIA (www.biaprotect.com), a leader in reliable, innovative and cost-effective eDiscovery services. With early career experience in information management, computer technology and the law, Brian co-founded BIA in 2002 and has since developed the firm’s reputation as an industry pioneer and a trusted partner for corporations and law firms around the world. He can be reached at email@example.com.