Do I really need to give travelling staff a burner phone?
Q: Do I really need to give staff travelling to high-risk countries a new laptop and burner phone? Aren’t the surveillance concerns overblown?
A: Good device security is advisable wherever you are, but you should tighten this for travel to “high-risk” countries, writes Shaun Reardon, a former Scotland Yard detective who now works in cybersecurity.
If you or a member of staff are travelling to a country where intelligence agencies advise there is a heightened risk of espionage, then a new laptop and burner phone could be the right choice, but only if you take the right measures to make these efforts effective.
Even in your home country, you should use a VPN (virtual private network) to access your systems and servers, and you should set up your devices so they are encrypted at rest. When travelling to high-risk countries, know that these measures may not guarantee security and question whether you should access company systems at all.
Don’t assume espionage won’t happen to you or your company. Assume that it will.
Ensure a personal briefing between the person responsible for cybersecurity who understands the issues and the person travelling. Be rigorous in your instructions to staff and have a written travel policy.
Be careful what you connect your devices to. Don’t plug your device into a computer. Take your own chargers and exclusively use those. Don’t connect any devices given to you. One person I know was once gifted an electronic photo frame that had spyware installed.
Always pack electronics or communications devices in hand luggage, as being separated from your devices is not a position that you want to be in. I recommend storing devices in sealed, numbered bags so if you are separated it’s easier to identify if your devices have been tampered with. Think along the lines of mobile phones being copied through contactless equipment: it doesn’t take much for your data to be stolen. It’s also possible that your device could be compromised if someone has accessed it physically.
Devices have unique identifiers such as the MAC number for communication. If someone with sufficient resources knows one of your identifiers, such as through gaining physical access to your device, they can track you. In my career, I’ve experienced security services using device identifiers to track persons of interest.
So how do burner devices help? Should someone get past your efforts to secure your devices, then the risk to you and your company is lower with a burner. You are more resilient against the threat if you have limited the data and systems that can be accessed, and you don’t risk continuing to use a compromised or tracked device, However, this only applies if you manage your burners correctly.
Discipline is essential. Understand that a burner used twice is not a burner. Only use the device for one trip, and when you return give it back to whoever oversees your organisation’s security. It may be compromised and it may one day be a useful piece of physical evidence if you have been breached.
Ultimately, when you travel you should do everything you can to secure your company’s data and systems. Half of this is securing your devices. The other half is being prepared if your devices are compromised, and here burner devices can help you.
Shaun Reardon is a former detective at Scotland Yard, where he worked on digital forensic cyber-investigations, and is now head of industrial systems cybersecurity at DNV, a quality assurance and risk management company
