Light Dark
September 16, 2015 By Douglas Bonderud 3 min read
Data Protection

Travel security risks are nothing new. Evolving technologies and trends, however — such as the rise of on-demand Wi-Fi and the proliferation of mobile devices — are changing this risk landscape. Consider the case of Chris Roberts, a security researcher who claimed he hacked the in-flight entertainment (IFE) system and caused the plane to climb, or more recent instances of incredibly poor in-flight Wi-Fi security.

The result? Travelers are now faced with the prospect of both physical and mobile device risks thanks to new threat vectors, necessitating a change in overall security strategy. Are passengers better served with a carry-on solution that requires constant oversight, or should they opt for a checked baggage scenario in which travel security naturally makes the trip?

My Way or the Wi-Fi?

When it comes to empowering mobile device users on the road, companies face an uphill battle. While employees don’t actively try to sabotage security efforts, they’re naturally resistant to corporate oversight, leading some organizations to back off and allow even limited access from less-than-secure phones and tablets.

But according to Robert Patey, director of demand generation at Fiberlink, “The onus for securing data doesn’t change depending upon device, operating system, time or location. The CIO and CISO are responsible to ensure data security.” This typically takes the form of enterprise mobility management (EMM) applications that allow IT staff to monitor device use and ensure security requirements are met before allowing access. As for employees, Patey argues they “need to release a bit of their Big Brother apprehensions and allow for EMM apps to be housed on their devices.”

Patey compares Wi-Fi access points — in coffee shops, office buildings or even in flights — to wide-open highways complete with bad drivers and shady rest stops. EMM tools act as built-in navigation systems, helping users avoid the wrong turnoff or anticipate a collision. In addition, mobile security solutions ensure that all data is encrypted to keep others from overhearing conversations or peering in the windows.

For Patey and Fiberlink, travel security is something every user needs to carry with them no matter where they’re headed. Combined with solid security training — for example, ensuring users don’t fall for insecure Wi-Fi hotspots, always connect using a virtual private network (VPN) and understand that not all countries view digital privacy the same way — it’s possible to limit the chance of exposure when getting from point A to point B.

This Is Your Captain Speaking

But what happens if the plane, or train or car being used is the victim of an attack? This risk speaks to the need for built-in security that addresses problems at the most basic level to deal with everything from distributed denial-of-service (DDoS) attacks to more sophisticated hack-and-control attempts. According to Chris Poulin, research strategist with IBM Security X-Force, the biggest thing companies can do to protect onboard computers or central access hubs is encrypt data. This doesn’t come as a surprise, and most companies already have a solid strategy in place to handle data in motion using TLS encryption over HTTPS connections.

When it comes to data at rest, however, enterprises often struggle with the trade-off between protection and access. While techniques such as full-disk or on-the-fly encryption offer maximum defense, they also make on-demand access more difficult. Complicating the problem further is that many companies haven’t invested in asset list or data discovery tools, in turn limiting total visibility.

Poulin offers a compromise: monitoring. Even if companies can’t always encrypt data over their network, using the right analysis tools, it’s possible to detect the majority of attacks during their initial phase rather than when attackers have wrested control from pilots or drivers. In most cases, these tools aren’t inherent to workstations and must be leveraged through third parties, which speaks to the need for vendor vetting; IT security is only as strong as the weakest partner.

Consider the example of requirements set by the Health Insurance Portability and Accountability Act (HIPAA). Under this law, if more than 500 reports are stolen or compromised, companies are obligated to disclose this information to the relevant authorities. This is in the hope that effective monitoring will reduce the chance of high-volume document loss and give companies the upper hand in fighting cybercriminals.

In-Hand or Onboard

Are companies better served by equipping employees with EMM tools and VPN gateways, or by baking in tech security at the systems level to limit the chance of malicious attacks to core business function? Ultimately this is a two sides, same coin argument; Patey and Poulin don’t offer conflicting advice, but a road map for companies looking to safeguard data in motion and at rest. Bottom line? Both travelers and their means of transportation are possible attack vectors. Better to check one security solution and carry on another rather than risk either being left behind.

 |  |  |  |  |  |  | 
Douglas Bonderud
Freelance Writer

More from Data Protection
November 2, 2023

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

November 1, 2023

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

October 25, 2023

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature