As the holidays approach, many remote workers, already at increased risk of cyberattacks, will be booking trips to visit family and friends. This will likely exacerbate IT teams’ anxiety about cybersecurity, already heightened by the pandemic and its aftermath. In a Ponemon Institute survey, 65% of IT and security professionals said it was easier to protect an organization’s confidential information when staff were working in the office.
Whether employees are working from home, at a conference, or even on vacation, security pitfalls abound. The fact is, with every remote worker, an organization’s attack surface grows. Some employees let their cyber guard down when working from home. For others, travel leads to fatigue and bad decisions, including taking security shortcuts. It’s a problem when 76% of CEOs admit to bypassing security protocols to get something done faster.
While technology has made significant advances in protecting us from ourselves, remote work can quickly go wrong if we don’t take basic cybersecurity precautions. This article covers a range of security best practices for remote work and travel. Of course, not all advice applies to all situations. That said, it’s crucial to understand your current and future environments, assess their relative risk, and take steps to protect your credentials, devices, and confidential data.
Here are some tips to help you improve your security posture while working or traveling remotely.
Do this first: Lock your SIM card
Travel or no travel, lock your SIM card. SIM card hijacking (also called SIM swapping, unauthorized porting, or “SIMjacking”) is a real, underreported crime in which threat actors pretend to be you, contact your wireless service provider and “transfer” your SIM card to your (their) “new phone.” Imagine someone stealing your entire online life, including your social media accounts.
In other words, your phone number now belongs to them. All your password resets now go through the threat actor. Considering the number of work credentials, social media accounts and apps that pass through your phone number, the nightmare of this crime quickly becomes apparent. If you haven’t already, lock your SIM card with your wireless service provider.
Here is some information about Verizon’s “Number Lock” feature.
Cybersecurity tips for remote and on-the-go workers
Back up everything all day, every day. If you travel, leave the backup at home or in the cloud.
Use a password-protected Wi-Fi network that is WPA compatible (ideally WPA3).
Create a strong password (with upper and lower case letters, special characters and multiple characters). Never store passwords on your person or on your phone, including in the notes section. Ideally, your employer should use a password manager, but chances are they do not. According to SpecOps’ 2022 Weak Password Report, 54% of organizations do not use a password manager. Even more troubling, 48% of organizations do not have user verification for IT help desk calls.
Patch and update every device you use, including apps. Do the same for browsers and whatever else you run on those devices. In August 2022, Apple made it known that unpatched versions of iPad, iPhone, and Mac could be essentially taken over by threat actors. Make sure everything is up to date when entering an unfamiliar environment.
Here’s how to update every app on your iPhone and iPad if you haven’t set them to update automatically, all at once:
iPhone
Go to the App Store.
Along with updating and patching everything, make sure browsers are running strict security settings, especially when you’re away from your home office. If you don’t want to mess with settings, consider downloading Mozilla Firefox Focus and making it your travel browser. By default, Firefox Focus purges the cache after each use, leaving no breadcrumbs to exploit.
Use two-factor authentication (2FA) everywhere and with everything. When choosing how to receive the authentication code, always opt for a token rather than a text message because it is much more secure. At Black Hat 2022, a Swedish research team demonstrated exactly how insecure text-based authentication is. If a hacker has your login credentials and phone number, text authentication simply won’t protect you.
Update your Zoom software. Ivan Fratric, security researcher at Google Project Zero, demonstrated how a bug in an earlier version of Zoom (4.4) allowed remote code execution by exploiting XMPP code in Zoom’s chat function. Once the payload was activated, Fratric was able to spoof messages. In other words, he was able to impersonate anyone you work with. What could go wrong?
Safety and travel: Leaving the home office
Whether they’re heading to Starbucks, Las Vegas, or overseas, digital nomads need to pack lightly. Leave unnecessary devices at home. Take just the essentials you need to get your job done without compromising your entire personal history. Bring a laptop lock to secure your computer at any workstation, as IBM requires of its traveling employees. Also invest in a physical one-time password (OTP) authenticator. Some companies, like Google, require their employees to use them. Employees cannot access anything without the physical device.
Leave sensitive data at home. Do not bring devices that contain personally identifiable information (PII) or confidential company documents. Do you use a particular laptop for online banking and signing mortgage documents? Leave it at home. Do you want to take your work computer on vacation? Reconsider. What happens to your career if company secrets fall into the wrong hands? Sure, it’s okay to take your laptop on a business trip, but make sure it’s free of your personally identifiable information.
Use RFID blockers to protect your passport and credit cards against “contactless crime”. While contactless payments are handy at grocery stores and toll booths, they can be quite problematic within range of threat actors using radio frequency identification (RFID) scanners. An RFID scanner in the wrong hands allows hackers to simply walk past a group of people and unmask the card’s identifiable information.
The easiest way to guard against this is to use RFID blockers (essentially card envelopes or “sleeves”), which protect payment cards, room keys and passports from radio frequency attacks or skimming attacks. Today there are whole categories of wallets, bags and purses incorporating RFID-blocking technology. Fortunately, more modern RFID chips make this much more difficult, but not impossible.
Consider using a privacy screen for your laptop and phone.
When going somewhere where security is important, turn off Wi-Fi, Bluetooth, and Near Field Communication (NFC) on your phone, tablet, and laptop. Funny things can happen when you travel to China or even an unsecured Starbucks.
Choose a password-protected hotspot over the hotel Wi-Fi. If you must use hotel Wi-Fi, pair it with a VPN.
Beware of Bluetooth devices like your remote mouse, keyboard, and AirPods.
Use a VPN wherever you go. According to Cloudwards, 57% of respondents say they don’t need a VPN for personal use, and 22% say they don’t need one for work.
Encrypt text messages, chats and other communications using Telegram, Signal or another encryption-based communication platform. Assume third parties read unencrypted applications.
Wrap-up
As you can see, most travel cybersecurity involves preparation beforehand. Like all things security, keeping systems, software, and browsers updated and patched is crucial. When you travel abroad, understand that not everywhere is the home of freedom. Know where you are going and what the local privacy laws are.
In summary, lie low when working remotely or traveling. Do not take unnecessary risks.
Roy Zur is CEO of the enterprise division of ThriveDX.
VentureBeat’s mission is to be a digital public square for technical decision makers to learn about transformative enterprise technology and conduct transactions.