High-profile positions, such as those in politics or senior management, often require travel for work. These roles typically involve using mobile devices to access sensitive data while travelling for business. Mobile devices can be targeted by threat actors seeking information, including foreign intelligence services, criminal groups, or competitor organizations. If a device is compromised, it may lead to unauthorized access to an organization’s network and important data. It is advisable to assess the risks of using mobile devices in certain locations before embarking on business travel.
Threats to your mobile devices and information
Threat actors use different techniques to gain access to devices and sensitive information. The following are examples of common attack methods.
- Shoulder surfing: Using in-person techniques to physically view and steal your sensitive information.
- Phishing: Sending fraudulent emails or texts that include malicious files, malicious links, or requests for personal information.
- Spear-phishing: Attacking a select group of individuals or a single person and including details that are tailored to be more convincing, making the source appear more legitimate.
- Whaling: Attacking a big “phish” such as a CEO or executive because of their level of authority and possible access to more sensitive information.
- Network spoofing: Masquerading as a legitimate network.
- Signal jamming: Interfering with, disrupting, or blocking communications signals and services.
- Adversary-in-the-middle attacks (AitM): Exploiting vulnerabilities to intercept and potentially manipulate communications in transit.
- Ransomware: Using malicious software to encrypt files or lock systems and devices until the victim pays a sum of money.
For more information on these types of threats, refer to:
- Don’t take the bait: Recognize and avoid phishing attacks (ITSAP.00.101)
- Protecting your organization while using Wi-Fi (ITSAP.80.009)
- Ransomware: How to prevent and recover (ITSAP.00.099)
Travel devices
Your organization should identify and consider the risks for high-profile travellers and determine your level of tolerance. If the risk level is significant, you should consider issuing travel devices for high-profile travellers as a mitigation measure. Travel devices have limitations in user functionality and data storage.
If travel devices are not available, your organization should ensure that travellers use corporately owned devices with the appropriate security controls installed. High-profile travellers should also complete awareness training to further mitigate risks.
Your organization should advise against the use of personal devices for business use during travel. For more information on device security and travel, refer to Device security for travel and telework abroad (ITSAP.00.188).
High-risk travel
Travel is considered high risk if a traveller’s identity or occupation is well known or high profile. This is especially true if they are travelling to a widely known event or if the destination is considered high risk by Global Affairs Canada (GAC) Travel advice and advisories by destination.
Your organization should consider all potential risks introduced by international travel and determine its level of tolerance. You and your organization should implement measures to mitigate those identified risks. If you are unsure of the risk of your travel, contact your IT security department.
Guide for high-profile business travellers
Consider the following tips before, during and after your travel abroad.
Before your trip
- Contact your IT security department to implement any additional security measures on your devices or ask for a corporate temporary travel device
- Enforce multi-factor authentication (MFA) to access devices and accounts
- Install anti-virus and spyware protection and a firewall
- Configure devices to run anti-virus software on storage devices, such as USB drives, upon installation
- Run updates and install patches for operating systems and applications
- Back up devices for possible recovery upon return
- Remove unnecessary data and applications
- Install an approved virtual private network (VPN) application on your devices to securely transfer data
- Encrypt all sensitive information on your mobile device
- Limit administrative privileges in order to secure software settings and restrict downloadable applications
- Turn off Bluetooth, Wi-Fi, hotspot and location sharing when not strictly necessary or when not in use
During your trip
- Encrypt sensitive information
- Avoid using personal accounts
  - If necessary, secure accounts with MFA, inform IT of the use of your personal accounts and change passwords upon return
- Assume that communications transmitted over public servers can be intercepted
- Use your organization’s network and VPN to access and send sensitive information
- Be wary of devices and peripherals given to you by individuals outside of your organization
- Keep your devices in your possession and be aware of your surroundings at all times
- Encrypt your device
- Ensure your device is locked when not in use
- Maintain control of chargers, cables and peripherals
- Do not store or communicate information above the approved classification of the device
- Turn off devices before going through customs and security
- Inform IT if your device is inspected by security
- Communicate security concerns with your IT security department
After your trip
- Use anti-virus software to scan devices for malicious activity before connecting to your home and work networks
- Change passphrases, passwords or PINs on your devices and accounts that you accessed while travelling
- Report suspected security concerns to your IT security department so they can complete the following steps:
  - Compare the device’s image with a backup for signs of malicious activity
  - Conduct forensic research and a factory reset if your device has been compromised
  - Use secure backup to restore the device before further use
If you notice suspicious activity on your device during or after travel, follow these security measures:
- Disconnect your device from the Internet and from any other devices
- Use another device to contact your service provider and your IT team to begin the appropriate incident management processes
- Keep the device disconnected for the rest of your trip
- Examine the device in your organization’s secure environment once you return from travelling
- Eliminate the threat from the device and use the latest secure backup to restore the device
- Replace the device’s SIM card
Learn more
- Using your mobile device securely (ITSAP.00.001)
- Mobile devices and business travellers (ITSAP.00.087)
- Securing the enterprise for mobility (ITSM.80.001)
- Security considerations for mobile device deployments (ITSAP.70.002)
- Using encryption to keep your sensitive data secure (ITSAP.40.016)
- Virtual private networks (ITSAP.80.101)