Anti-espionage travel tips
May 21, 2013 | The Financial Times | by Alicia Clegg.
Work trips can leave businesses particularly vulnerable to security breaches. Alicia Clegg looks at how you can reduce the risk
Experience has taught Ashifi Gogo to play his cards close to his chest. There was the time, for example, when the Ghanaian-born founder of Sproxil, a Massachusetts-based anti-counterfeiting tech business focused on emerging markets, had reason to believe that a competitor "with a strong government connection" in a developing country was mining data that Sproxil had supplied to local officials.
Having encrypted his company's laptops and educated employees to watch out for scams and skulduggery, Mr Gogo reckons that he is "reasonably well-protected". However, he admits that ensuring trade secrets stay secret while courting clients, negotiating operating licences and looking after customers is a juggle. "When people are wearing several hats . . . they [may feel] they just don't have the time to focus on security," he observes.
Businesses have long been diversifying geographically, and even smaller companies, such as start-ups, now find customers overseas before they find them at home. A less welcome consequence of trading internationally may be to make a business a target for economic espionage, which according to FBI statistics has risen by 50 per cent in two years.
Countries "where the state is pervasive", and whose governments are willing to poach knowhow to benefit their economies, pose the greatest threat to business travellers, according to risk management advice from the Centre for the Protection of National Infrastructure, a UK-government authority. However, virtually all states have surveillance capabilities that can intercept calls or emails and eavesdrop on conversations.
While the security needs of businesses with intellectual property to protect differ from those whose laptops have only their street value, there is some advice that applies to almost all organisations. Varying routines makes it harder for observers to second guess a person's movements. "If everyone gets together for a conference call, at 10am, it creates an opportunity for the bad guys to set up eavesdropping or plan a break-in," says Martin Baldock, a managing director at Stroz Friedberg in London, a digital risk consultancy.
Likewise, disclosing as little as possible on visa applications denies intelligence agencies or corrupt officials in the pay of competitors advance information that could be used for surveillance purposes. When stating where he will stay, one security consultant, who asked not to be named, says he writes down one hotel then books another. So long as you fill in the visa first, he says, you can always claim afterwards that your plans changed.
The ubiquity of technology creates pitfalls for unwary travellers. Among the hazards are state-linked telecommunications operators with a mandate to intercept data that might benefit homeland businesses and insecure hotel WiFi that hackers can hijack or "spoof" to harvest passwords and trade secrets.
Adding in the personal information that people strew online increases the privacy and security risks further still. "By piecing together the photographs, social media updates and emails that people store on their phones, a hacker can build virtually a complete picture of someone's life," says Sarb Sembhi, a director of Incoming Thought, a UK-based business risk consultancy. That information can open the door to spear phishing emails, crafted to read like messages from a friend.
Fortunately, there are ways around most problems. Using "travel laptops" containing just an operating system and data essential for the trip limits how much is at risk if a machine is lost, hacked or stolen.
Likewise, taking a "clean" basic mobile, with a fresh chip, for phoning out and only switching on your regular smartphone to check emails and receive calls at agreed times reduces the potential for data loss. But be aware that even when turned off, phones can be activated remotely, enabling surveillance agents, or criminals, to track the owner's movements and view data and stored messages, warns Mr Sembhi. "To be ultrasecure, you need to remove the [phone's] battery and chip."
For many businesspeople, of course, being hooked up to the internet, more or less continuously, is today a requirement of the job. In which case, advises Mr Sembhi, at least take care to disable any functions running in the background such as Google Maps, WiFi or Bluetooth - and only start them when you need them. "The more you have on, the more likely it is that someone will find holes in your computer [or phone] to attack."
The age-old link between sin, sex and spying has taken a new twist with the arrival of cyber-surveillance. A businessperson observed browsing pornography on hotel WiFi might be blackmailed, for example, or targeted in a honeytrap. To avoid problems Nancy McNamara, an FBI deputy assistant director for counterintelligence, advises businesspeople, and their relatives, to refrain from compromising activities, whether online or off. By way of illustration, she mentions an incident, notified to the FBI, concerning an employee of a US defence contractor whose son committed a drugs offence overseas. Instead of handling the matter judicially, the country's authorities allegedly tried to negotiate with the father for defence secrets.
Seemingly friendly approaches at conferences, where experts gather, can mask clandestine intentions; as the yet undecided case of Benjamin Pierce Bishop, a US defence contractor accused of passing secrets to a Chinese student, whom he met at a conference, may illustrate. To minimise the chances of being hoodwinked, security specialists advise attendees to be careful what they say and view follow-up emails from fellow delegates with caution. "The person sitting beside you could be . . . there with the specific purpose of infiltrating your media or building rapport [in order to] recruit you down the road," says Ms McNamara.
Differences in etiquette and laws can also cause problems. Metin Sitti, founder of nanoGriptech, a Carnegie Mellon University spinout, was surprised to discover that Asian audiences often video speakers without first asking permission. Knowing that data flashed up on a slide momentarily could be pored over at length, he says, has made him warier of what he shows.
Similarly, Richard Parris, founder of Intercede, a UK-based identity software business, never takes "trade secrets" into Russia, knowing that, as in China, customs officials may require him to decrypt his laptop. "You carry what you think is prudent," he says.
Mr Gogo, for his part, says that balancing productivity and security is a judgment call. "[You can make a trip] ultra-secure, but if nobody gets anything done, it's not [yielding] much business utility."
The hidden hazards of hotels
Hotels present various security hazards, say law enforcers and experts. Tips for reducing risks include:
* Eavesdropping: Some authoritarian states routinely bug guestrooms and conference facilities, warns Tracy Andrew, data protection officer at lawyers Field Fisher Waterhouse. Only discuss confidential matters in secure spaces such as client premises or in the open air.
* Data interception: Hotel internet and WiFi can expose your data and browsing activity to interception. Use a virtual private network from your work server when online.
* Key logging: Software installed on hotel keyboards, warns CPNI guidance, can record key strokes, putting passwords and email content at risk.
* Safes: Most safes have overrides that staff can use if guests forget their code - or if instructed by intelligence services. To avoid intrusion, advises Mr Andrew, carry devices with you and lock laptops to immovable objects, such as pipes, while you sleep.
Last updated May 2013