Travel and remote access: What needs to be in a good policy

It's time to think beyond the VPN. The security experts recommend a travel approach that combines preparation, new best practices, and a postmortem after each trip.
Written by Stephanie Condon, Senior Writer

Thanks to growing connectivity and the increasing mobility of devices, working outside of the office has become more and more commonplace. Large enterprises and small businesses alike have employees who are taking their work on the road. And as the world becomes more connected, a company of any size may need employees to pursue business in different cities or different countries.

Business travelers, however, face a unique set of risks. Travelers in an unfamiliar place -- and without their company's infrastructure to support them -- could be more susceptible to incidents like theft or weather-related disasters. Outside of the office, they could find themselves more vulnerable to state-sponsored or nonstate-sponsored actors with malicious intentions. Even in a home office or a local Starbucks, workers could be putting corporate data at risk.

"Companies with more distributed and global workforces are sussing this out on a daily basis," Forrester analyst Merritt Maxim said. Travel protocol, he said, "is not just about employee safety, it's about data and businesses doing their best to protect themselves from breaches, whether they're malicious or inadvertent."

In response to companies asking for advice on securing business travelers, Forrester has produced a guide for security and risk professionals called Best Practices For Minimizing Business Travel Risk. It offers detailed guidance on preventing cybertheft, espionage and physical harm. The guide advises companies to create a security program for travelers that includes three phases: pre-departure, during travel, and post-trip.

Image: Forrester

Pre-departure best practices

  • Assess your threat level
  • Avoid stereotyping and assumptions
  • Implement device management
  • Enable secure communication methods
  • Manage people, not just devices

The first step in preparing for business travel is assessing the threats and risks involved. That means throwing out any unfounded assumptions about where your employees are going.

When it comes to security breaches, "usually people think these are things that only happen when they go to a far-flung country," Maxim said, "but there's still the ability to exfiltrate data from devices from users in public or semi-public places anywhere."

That said, some nation states present greater risks, Maxim said. "Even if you're a low-level employee without much access to information, your machine may still be useful as a machine to load malware onto, which could be used to infect other systems and allow them to do reconnaissance and gain information about your company in the future."

Along with assessing the threats of a particular location, businesses should consider the identity of the traveler. What is their job title, and what information do they have? Do those factors make them more of a target?

SEE: Follow these steps to protect yourself from cyberattacks while traveling (TechRepublic)

The next step is to equip your employees with the right tools. According to a survey from the Association of Corporate Travel Executives (ACTE), employees are increasingly pressing their managers about corporate communications policies. In the survey, which polled the ACTE's global membership, 37 percent of managers reported seeing a rise in the past year in inquiries about on-trip connectivity and communications.

"Companies are starting to look at what devices do we want our folks to travel with, what access should they have on the road," said ACTE executive director Greeley Koch.

Some businesses, he said, give employees loaner devices that are scrubbed by the IT department following a trip. Others take stock of where an employee is going and what they're doing on the road, and they restrict their device usage accordingly.

The Forrester guide suggests preparing devices for travel by enabling full disk encryption, disabling USB ports, enabling VPN access, installing IT management tools that enable remote wiping if necessary and ensuring a recent backup of the device is available.

Additionally, device management can include methods to ensure a device is 'tamper evident'. Something as simple as putting stickers and glitter nail polish over the screw holes of a device can add a helpful layer of security to make it obvious if someone tried to tamper with it.

"You might hear about devices that are tamper resistant, but tamper resistant is not as important as tamper evident," Maxim said.

Forrester also lays out steps for establishing secure communications methods. "This can be as simple as establishing email as the main point of communication or having your business travelers download Secure Chat, Signal, Telegram, or WhatsApp," the guide says.

Device management is a "crucial" step for securing data, according to Max Saltonstall, technical director of the Google Cloud CTO Office. The next step, he said, is "knowing your people."

While some companies limit travelers' devices, Google uses its employees' identities as a means of limiting information, in or out of the office.

"It can be hard for some companies to know, for instance, that Alice joined in finance but then she switched to legal -- should she have the access of someone in finance, or legal or both?" Saltonstall said.

Google, he said, "had to take a hard look at how we track hires, fires, transfers, how we understand when someone has shifted teams, or shifted roles -- how do we communicate that person's role to give them the appropriate amount of access and trust."

Best practices during travel

  • Help employees stay productive
  • Consider government policies and border policies
  • Stay vigilant of human threats

Identity is one key element behind Google's custom-built security system, BeyondCorp. The other key element is device inventory. BeyondCorp routes all traffic through a proxy to determine who the user is and what internal data they're allowed to access. It also determines whether they're using a Google-approved device that's clear of any malware.

"We've shifted from giving you access based on where you're sitting," Saltonstall said. "Instead, I know who you are and what you're using."

Google developed BeyondCorp about eight years ago, after growing into a massive company with a highly mobile workforce. At that point, VPN-based security models were "hampering people's ability to get work done whether it was inside or outside the office," Saltonstall said.

VPNs can be hard to use on tablets and smartphones, he said. Meanwhile, if a bad actor gets past traditional, perimeter-based security systems, they'll get access to everything on the device.

Google has taken what it's learned from building BeyondCorp to develop a product called Identity Aware Proxy (IAP) for Google Cloud customers.

The security model is premised on the notion that "anybody should be able to work from any device, from any location, without special VPN software," Saltonstall said.

Forrester's research shows that an effective travel policy should indeed keep in mind worker productivity. In a 2016 survey asking workers why they sometimes go around company security policies, 46 percent cited efficiency.

Image: Forrester

Beyond device access, travelers need to think about the context of their surroundings. For international travel, a sound policy should consider different government rules and regulations, the ACTE's Koch said. Last year, when the US banned electronics from airplane cabins on flights to the Middle East, many ACTE members had to reevaluate their device policies, he said. Companies should also advise their workers on how to proceed through borders, where government officials may try to access their devices.

"Rules are changing all the time, threats are coming in different ways," Koch said. "Companies need to stay up to speed."

Travelers also need to think about their in-person interactions.

SEE: Top 5: Ways to keep your data safe while traveling (TechRepublic)

"Our interviews revealed that the human threats, a.k.a. honey traps, are often ignored altogether," the Forrester guide says. "This translates into a need for caution with interactions, such as being approached in a hotel bar by a stranger offering them a free drink. Encourage travelers to keep their devices with them at all times if possible."

Travelers need to keep in mind that people may be listening in on their conversations or snooping over their shoulders. They should be on the lookout for common criminals who may want to snatch a device simply to resell it. Also, they should make sure they don't lose their devices while on the road.

Post-trip best practices

  • Implement a post-trip checklist
  • Debrief, even if nothing went wrong
  • Keep policies up to date

Once a traveler is back from a trip, Forrester suggests running through a list of actions such as changing passwords or running a device through forensics. Businesses should also debrief employees to find out, for instance, about any suspicious behavior encountered on the trip.

Even if a worker travels without incident, a debrief can provide valuable information for future travelers, Maxim noted.

Lastly, policies should be regularly updated. Data theft is an ongoing, evolving risk, Maxim said.

"Businesses are changing as well," he said. "They're making acquisitions, which could alter where their travelers are going... Make sure you have an understanding of how those policies need to adapt."

Sample policies

If you need a place to start in creating or updating your company's policies, these templates from our sister site Tech Pro Research (a paid resource) can help:

Also see

Image: iStockphoto/ViktorCap
Editorial standards