As we roll into 2024 proper, the events are starting to appear in the calendar again. In an era where connectivity is ubiquitous and threats are omnipresent, safeguarding sensitive data and digital infrastructure demands extra attention, especially during business travel. As MSPs, your role extends beyond mere provision of services; you’re entrusted with the security and integrity of your clients’ networks and systems—and, of course, that includes protecting your own. With staff frequently on the move to attend events, the risks multiply exponentially, necessitating a proactive and layered approach to cybersecurity.
In this blog, Lewis Pope provides a checklist of six key strategies and precautions you can take to help fortify both your own and your clients’ defenses, while also ensuring seamless mobility for teams.
1. Brush up on your cybersecurity awareness training
One of the best places to start is by getting end-users to understand how to take ownership of their risk, and this can be done through cybersecurity-awareness training. You likely already have some sort of cyber awareness training program in place, and some training programs even have modules specific to international travel. It’s a good idea to have users complete a refresher course just prior to their scheduled travel to keep the lessons learned fresh in their mind.
Some things you should make sure to include in this are:
- Avoiding public Wi-Fi networks—Most public Wi-Fi networks are going to have minimal or no real security measures in place. Wi-Fi connections that do not require credentials are subject to being intercepted and manipulated by a physically present attacker. Have users take advantage of their phone’s hotspot, issue them a cellular hotspot to use, or provide a secure VPN service.
- Never using public computers—While those complementary computers at the hotel might seem like a life-saver, their use should be reserved for emergencies and you should avoid logging into business or personal accounts while using them. You have no guarantees about the state of the computer or the network to which it’s connected.
- Exercising caution with social media—Avoid oversharing or sharing live in the moment. If someone is gathering information on you via social media to prepare for a focused social engineering attack, you want to deprive them of as much intelligence as possible. Depriving an attacker of this knowledge can help reduce their effectiveness. Consider waiting until you’re back from your trip and curate the best-of-the-best to post or schedule your social media posts to drop after you’re already home.
2. Monitor for impossible travel
If you have users logging in from different physical locations you can use conditional access and other security controls to help ensure someone is who they say they are when they try to access resources. However, any defense can be defeated, so having the ability to monitor for and block a user who, for example, logs in from San Diego at noon and then tries logging in from London an hour later is now an essential capability that IT defenders should be implementing
3. Make sure all systems and software are up to date
This is one of the most basic—but very effective—ways of keeping users safe. Make sure all systems a user takes with them are fully updated. This includes not just OS and applications, but also firmware and even a user’s personal devices that may be used to access company resources while traveling. Tools like Patch Management can help automate this process for laptops, workstations, and servers.
4. Think about hardening all devices for travel
If you can stretch to it, providing a fresh, hardened laptop for international travel can be an effective step, where budgets allow. If an end-user will be doing extensive traveling, consider providing them with a freshly loaded computer that is fully patched and has your full security stack installed. This can reduce the chance that a user takes an already compromised system with them as well as ensuring the system is hardened and in a known good state. When the user returns, they can go back to their regular computer and the travel laptop can get prepped for the next user.
If your budgets don’t stretch to a whole new dedicated travel laptop, here’s a list of some of the key things you should look at on existing devices to make sure they’re as hard to hack as possible:
- Enable Bios and UEFI Passwords and Security Features—Many modern laptops include ways to improve resilience against attacks that require physical access to devices. Sure, IT might need to be able to change the device boot order but no one else should.
- Disable Bluetooth, USB, and external HIDs—It’s all about the data and keeping it safe. By disabling or restricting Bluetooth or USB devices to a preapproved list you can prevent unintentional data leakage or even data exfiltration
- Encrypt all the things—BitLocker is the drive encryption technology of choice for many as it is a native component of Windows. Even smartphones support device encryption. If a device is lost while travelling, you need the confidence and audit trail to be able to say the device is encrypted and cannot have its data retrieved.
- Enforce idle timeouts—It’s easy enough for an end-user to forget to lock their device under normal circumstances, when they’re travelling this risk multiplies significantly. Setting devices to lock after a specified time can help prevent these situations, which is especially important when devices are being used in public areas.
- Look beyond browser based VPNs—While a browser based VPN might protect you from advertisers and data brokers, it won’t offer the security controls needed for business environments. A solution like DNS filtering is a better option for SMBs.
- Improve end-user device security—Anything you can do to make an end-user safer while they are travelling makes everybody’s life easier. Having an endpoint-protection solution with detection and remediation capabilities can help keep remote support tickets to a minimum by keeping users out of trouble in the first place. If and when they do get into trouble, having automatic remediation and rollback capabilities offered by solutions like EDR will reduce downtime for the end-user and help keep any nasty surprises from coming back home with the device.
- Use agent-based DNS and content filtering—Once an endpoint is no longer on the office network, it loses any protection that may have been provided by firewalls or other network security appliances. DNS Filter provides agent-based protection no matter what network the device is connected to.
- Provide a Privacy Screen Filter—In environments where users handle sensitive information such as PII, EHR, or classified or trade secrets, and those users’ monitors can be seen by others that shouldn’t see that information you either give them their own office or give them privacy filters on their screens in a shared workspace. This should also apply to mobile users. Privacy screens on laptops, mobile devices, and tablets.
5. Backup devices before and during if possible
A laptop gets dropped in a conference hall. A phone gets left in a taxi. A tablet gets left at a party venue. There a myriad ways for things to go wrong when you’re travelling that can result in the loss of data. You can minimize the impact of this by making sure devices and data are fully backed-up prior to the trip. If possible, use a bandwidth efficient, cloud-first backup solution like N-able’s Cove Data Protection that will let you perform device backups no matter where they are.
6. MFA all the things
While this should be standard practice at this point for MSPs and their clients, all services and devices that support MFA should have it enabled. When an end-user is traveling, especially abroad, it makes it more challenging to monitor and audit their access to systems. If an end-user will be travelling and they need access to a service that does not support MFA, consider providing access to this service only over a secure VPN connection that itself requires MFA.
Of course this is not an exhaustive list of things you can do to help protect staff when travelling, but it does cover the basics. And if there is one thing we’ve learned over the past few years in cybersecurity it’s that covering the basics is essential.
Credit: Pete Roythorne: Head of Security for N-ABLE (Feb. 27, 2024)
