Protecting your office and living space from the threat of cybercrime is hard enough, but it gets a lot more treacherous during work travel.
By Katrina Lobley
Think employees care about keeping company data secure? You just might have your head in the cloud.
“People generally hold their personal data – their dating profile or their Facebook profile or their bank account – in higher regard than their work data,” says Jamie Beresford, CEO of Practice Protect, an accountant-focused cybersecurity firm with offices in Sydney, Hong Kong, Manila and San Francisco.
That should ring alarm bells. With the advent of cloud technology – accountants have been among its most enthusiastic adopters – Beresford says many firms have lost control of how employees access client data. If staff also travel for work, it can increase the risk of business data or devices falling into the wrong hands.
It’s nerve-racking stuff for data custodians such as accounting firms. “Firms trade on trust … reputation is everything to an accountant,” says Beresford.
“Sixty per cent of the data breaches reported [in Australia] in 2017 were from businesses with under 20 staff. Small businesses are busy – they don’t have those kind of resources [to throw at cybersecurity].
“The other interesting part is that most breaches are due to human error. People trick you into giving away your password – accidental clicks, fake websites, email phishing, an infection on a computer that’s logging keystrokes. It’s not an IT issue, it’s more of a [people] issue.”
Up, up and away: devices on the road
Being on the road increases the ways in which sensitive client or corporate data can be accessed by others. For starters, there’s the potential for simply losing your laptop, phone or tablet, or having them stolen. Stories abound of devices being whisked from airport screening belts or from purses and pockets, as fuzzy-headed passengers prepare to disembark a plane. One professional was crossing a busy road in London while looking at his phone when a thief on a motorcycle simply snatched it from his hand.
Protecting sensitive data is hard enough when everyone is in the office. It becomes even more critical when staff, bosses and employees travel for work and take their devices with them.
“They can log in from anywhere, on any device, on any network, outside of the company’s control,” says Beresford.
When employees are required to log in to multiple platforms, websites and apps, it’s not uncommon to take shortcuts with security.
“People have so many user names and passwords to manage that they have to do things like make them all the same,” he says. This practice is known as daisy-chaining.
Forgot your charger and borrowed one from the concierge? Beware – this public charger could upload malicious software onto your device. As for hotel wi-fi networks, Beresford warns that it’s far too easy for others to access those networks, especially if they are administered by people with a lax approach to security.
“You can start seeing what everyone else is doing in the rooms around you,” he says.
Email is a prime target
Besides gaining access to data, sophisticated cybercriminals might also target individual email accounts.
“Email is a big one – it’s really easy to breach,” says Beresford. “What happens is they breach some account somewhere in your life. Perhaps it’s a travel website you’ve signed up to. Then, because you’ve daisy-chained that password, these bots go out and try that password on every website that’s conceivable and then they start trying similar passwords. You don’t have to be an IT guy to do this – these bots will do it for you and once someone’s in, they’re in.”
Someone rummaging around in an email account can easily engage in identity theft.
“Accountants have usually sent and received client financials for years – all these documents might be sitting in their sent or deleted items,” says Beresford. It might take the cybercriminals some time, but they can end up adopting an accountant’s identity to start their own email relationship with a client, with correspondence being diverted from the unaware accountant’s inbox.
Travel cyber smarter
With the right measures in place, you can avoid being another cybercrime statistic, whether you’re travelling or at home.
- Instead of using hotel and public wi-fi networks, buy a 4G hotspot at the airport upon arrival or use a third-party VPN (virtual private network).
- Keep devices locked when not in use and do not leave them unattended in public places.
- Devise strong passwords for devices and applications, and don’t use the same passwords across applications.
- Ensure you install updates and patches, and check your antivirus software is up to date.
- Be wary of public USB charging stations – people can add malicious software to these points.
- Consider clearing all archives on travelling devices and taking only material that’s relevant for your business trip.
- Download or use a cloud-based content-filtering solution for your computer. “If you’ve accidentally clicked on a dodgy link, it will stop you going to that website,” says Beresford.
- Don’t save passwords in browsers. Not only does it make it easier for someone to hack your account, but with some browsers all it takes is a couple of clicks to see passwords that have been saved there.
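The advice above on not reusing passwords, and Beresford's description of bots trying a daisy-chained password and then similar ones, can be checked against your own accounts. The following is an added example, not part of the original article: it groups accounts that share a password or a close variant of one. The sample vault, the `base_form` and `audit` names and the normalisation rules are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: (account, password) pairs as they might appear in a
# password-manager export. None of these are real credentials.
SAMPLE_VAULT = [
    ("travel-site", "Harbour2017"),
    ("webmail", "Harbour2017"),
    ("practice-software", "harbour2018!"),
    ("bank", "H4rb0ur#1"),
    ("payroll", "q7$Lm-vT2p!xRz"),
]

# Common character swaps, undone so that "H4rb0ur" and "Harbour" compare equal.
LEET = str.maketrans("013457@$", "oleastas")


def base_form(password):
    """Reduce a password to the stem that "similar password" guessing varies:
    lower-case it, drop trailing digits/symbols, then undo character swaps."""
    lowered = password.lower()
    stem = re.sub(r"[^a-z]+$", "", lowered) or lowered  # keep all-digit passwords
    return stem.translate(LEET)


def audit(vault):
    """Return (exact, near): lists of account-name groups that share a password
    or a variant of one. Passwords themselves are never returned or printed."""
    by_exact, by_stem = defaultdict(set), defaultdict(set)
    for account, password in vault:
        by_exact[password].add(account)
        by_stem[base_form(password)].add(account)
    exact = [sorted(a) for a in by_exact.values() if len(a) > 1]
    near = [sorted(a) for a in by_stem.values()
            if len(a) > 1 and sorted(a) not in exact]
    return exact, near


if __name__ == "__main__":
    exact, near = audit(SAMPLE_VAULT)
    for group in exact:
        print("Same password on:", ", ".join(group))
    for group in near:
        print("Variants of one password on:", ", ".join(group))
```

In the sample, one breached travel-site password exposes webmail directly, and the practice software and bank logins through small variations; only the payroll password stands alone.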