Top employee cybersecurity tips for remote work and travel

With the holidays approaching, many remote workers, already at heightened risk of cyberattacks, will be traveling booking holiday travel to visit family and friends. This will likely exacerbate IT teams’ anxiety about cybersecurity, already heightened by the pandemic and its aftereffects. In a survey by the Ponemon Institute, 65% of IT and security professionals said they found it easier to protect an organization’s confidential information when staff were working in the office.

Whether employees are working from home, a conference or even vacation, security pitfalls abound. The fact is that with every remote worker, an organization’s attack surface grows larger. Some employees let their cyber guard down while working from home. For others, traveling leads to tiredness and poor decision-making, including taking security shortcuts. This is a problem when 76% of CEOs admit to bypassing security protocols to get something done faster. 

While technology has made significant strides in protecting us from ourselves, working remotely can quickly go south if we don’t take basic cybersecurity precautions. This article covers a range of security best practices for remote work and travel. Obviously, not every tip applies to every situation. That said, it is crucial to understand your current and future surroundings, assess their relative risk and take steps to protect your credentials, devices and confidential data.

Here are some tips to help improve your security posture during remote work or travel.

Do this first: Lock your SIM card 

Trip or no trip, lock your SIM card. SIM-jacking (or SIM-swapping, unauthorized port-out or “slamming”) is a real and underreported crime where threat actors pretend to be you, contact your wireless provider and “port over” your SIM card to your (their) “new phone.” Imagine someone stealing your entire online life, including your social media accounts.

In other words, your phone number is now theirs. All your password resets now run through the threat actor. Considering how many work credentials, social media accounts and apps run through your phone number, the nightmare of this crime quickly becomes evident. If you haven’t already done so, lock down your SIM card with your wireless provider.

Here is some information on Verizon’s “Number Lock” feature.

Cybersecurity tips for remote and traveling workers

Back everything up all day, every day. If traveling, leave the backup at home or in the cloud.

Use a password-protected WPA-enabled Wi-Fi (ideally WPA3) network.

Create a strong password (with upper and lower case letters, distinctive characters, and several characters long). Never store passwords on your person or on the phone, including in the notes section. Ideally, your employer should be using a password manager, but chances are they’re not. According to SpecOps’ 2022 Weak Password Report, 54% of businesses do not use a password manager. Even more troubling, 48% of organizations don’t have user verification for calls to the IT service desk.

Patch and update every device you are using, including apps. Do the same for the browsers and everything else you’re running on those devices. In August 2022, Apple put out the word that unpatched versions of iPads, iPhones and Macs could be essentially taken over by threat actors. Make sure everything is current as you step into an unfamiliar environment.

Here’s how to update every app on your iPhone and iPad if you don’t have them set to automatically update — all at once:

In addition to updating and patching everything, make sure browsers are running strict security settings, especially when outside your home office. If you don’t want to mess with settings, consider downloading Mozilla Firefox Focus and making it your travel browser. Firefox Focus defaults to purging the cache after every use, leaving behind zero breadcrumbs to exploit.

Use two-factor authentication (2FA) everywhere and with everything. When choosing how to receive the authentication code, always opt for token over text as it’s much more secure. At Black Hat 2022, a Swedish research team demonstrated exactly how insecure text authentications are. If a hacker has your login credentials and phone number, text-based authentication simply won’t protect you.

Update your Zoom software. Ivan Fratric, a security researcher with Google Project Zero, demonstrated how a bug in an earlier version of Zoom (4.4) allowed remote code execution by exploiting the XMPP code in Zoom’s Chat function. Once the payload was activated, Fratric was able to spoof messages. In other words, he was able to impersonate anyone you work with. What could go wrong? 

Security and travel: Leaving the home office

Whether headed to Starbucks, Las Vegas or overseas, digital nomads should pack lightly. Leave unneeded devices at home. Take just the essentials to get your job done without compromising your entire personal history. Bring a laptop lock to lock your computer to any workstation, as IBM instructs its traveling employees. Also, invest in a physical one-time password (OTP) authenticator. Some companies, like Google, require employees to use them. Employees cannot access anything without the physical device.

Leave sensitive data at home. Don’t bring devices containing personally identifiable information (PII) or confidential company documents. Do you use a particular laptop for online banking and signing mortgage docs? Leave it at home. Want to take your work computer on holiday? Reconsider. What happens to your career if company secrets fall into the wrong hands? Of course, taking your laptop on a business trip is expected, but just make sure it’s free of your personally identifiable information.

Use RFID blockers to shield your passport and credit cards from “contactless crime.” While contactless payments are convenient at grocery stores and toll booths, they can be quite problematic within range of threat actors employing radio frequency identification (RFID) scanners. An RFID scanner in the wrong hands allows hackers to simply walk past a group of people and unmask identifiable card information.

The simple way to guard against this is to employ RFID blockers (basically card envelopes, or “sleeves”) that protect payment cards, room keys and passports from radio frequency attacks, or skimming attacks. There are now entire categories of wallets, bags and purses integrating RFID technology. Fortunately, more modern RFID chips make pulling off this caper much more difficult — but not impossible.

Consider using a Privacy Screen for your laptop and phone.

When traveling to a security-fraught location, turn off Wi-Fi, Bluetooth and Near Field Communication (NFC) on your phone, tablet and laptop. Funny things can happen when traveling to China or even an unsecured Starbucks. 

Choose a password-protected hotspot over hotel Wi-Fi. If you must use hotel Wi-Fi, pair with a VPN. 

Be wary of Bluetooth devices like your remote mouse, keyboard and AirPods.

Use a VPN everywhere you go. According to Cloudwards, 57% of respondents say they don’t need a VPN for personal use, and 22% say they don’t need one for work.

Encrypt text messages and chats and other communication by using Telegram, Signal or another encryption-based communication platform. Assume third parties are reading unencrypted apps.

Wrapping up

As you can see, most cybersecurity when traveling involves front-end preparation. Like everything else security-related, it’s crucial to keep systems, software and browsers updated and patched. When traveling abroad, understand that not everywhere is home of the free. Know where you’re going and what their local privacy laws are.

In summary, keep a low profile when working remotely or traveling. Don’t take any chances or unnecessary risks.

Roy Zur is CEO of ThriveDX’s enterprise division.