Want to feel a little more like James Bond next time you go overseas (once international travel restrictions are lifted)?
The Australian Government Information Security Manual (the manual), prepared by the Australian Cyber Security Centre (ACSC), outlines cyber security guidelines and best practices intended for key personnel.
The manual includes important considerations for travelling overseas with mobile devices due to the increased security risks. Following these steps before, during and after your trip is a sure-fire way to secure your personal and business information. And you may just feel like 007 in the process.
Of course, you will likely be taking other electronic devices overseas in addition to your mobile. The manual defines mobile devices as including “mobile phones, smartphones, tablets, laptops, portable electronic devices and other portable internet-connected devices.”
Before travelling overseas
The manual advises that when leaving Australian borders you should “leave behind any expectations of privacy.”
Prior to setting off overseas with mobile devices, the following steps can be taken to protect your information against the inherent security risks:
- Record all details of the devices being taken, such as product types and serial numbers.
- Update all apps and operating systems.
- Remove all non-essential accounts, apps and data.
- Apply security configuration settings, such as locking screens.
- Configure remote locate and wipe functionality.
- Enable encryption, including for any media used.
- Backup all important data and configuration settings.
Pro tip: you may need your IT guru to help you with some of these as well as upcoming steps.
The manual also recommends that if travelling to high risk countries, personnel are:
- Issued with newly provisioned accounts and devices from a pool of dedicated travel devices which are used solely for work-related activities.
- Advised on how to apply and inspect tamper seals to key areas of devices.
While travelling overseas with mobile devices
Taking a dip in a cenote in Mexico and leaving your mobile in one of the dubious looking lockers?
Whenever your mobile is not on your person, information stored on it could be compromised.
The manual recommends:
- Never leaving devices or media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes.
- Never storing credentials with devices that they grant access to, such as in laptop bags.
- Never lending devices to untrusted people, even if briefly.
- Never allowing untrusted people to connect other devices or media to your devices, including for charging.
- Never using designated charging stations (e.g. at the airport), wall outlet charging ports or chargers supplied by untrusted people.
- Avoiding connecting devices to open or untrusted Wi-Fi networks.
- Using an approved Virtual Private Network (VPN) to encrypt all device communications.
- Using encrypted mobile applications for communications instead of using foreign telecommunication networks.
- Disabling any communications capabilities of devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication.
- Avoiding reuse of media once used with other parties’ devices or systems.
- Ensuring any media used for data transfers are thoroughly checked for malicious code beforehand.
- Never using any gifted devices, especially media, when travelling or upon returning from travelling.
- Reporting the potential compromise of mobile devices to your organisation if they are lost/stolen and later returned, taken out of sight by government officials, or are exhibiting unusual behaviour.
When you return home
While the trip may not have exactly been the spy thriller you imagined, you can rest assured that you took every precaution to protect the security of your mobile devices, and your personal and business data.
But your mission isn’t complete yet. The final steps to take are:
- Sanitise and reset devices, including all media used with them.
- Decommission any physical credentials that left your possession during travel.
- Report if significant doubt exists as to the integrity of any devices following travel.
For any personnel returning from high risk countries, additional steps should be taken including:
- Reset user credentials used with devices, including those used for remote access to their organisation’s systems.
- Monitor accounts for any indicators of compromise, such as failed login attempts.
Additional cyber security tips
The ACSC provides further information on travelling overseas with electronic devices.
They also provide device-specific guidance for popular mobile phone devices such Apple iOS 12 devices and Samsung Galaxy S9 and S9+ devices.
