Information Security Practices During Travel
Michigan State University (MSU) personnel travel globally for various purposes, including participation in our highly ranked Study Abroad program, visiting family abroad, and attending conferences. It is crucial to prioritize the security of our devices and the information they contain whenever Spartans are on the move.
Ensuring the safety and security of our devices involves implementing numerous protocols and adopting a specific mindset, which can be challenging to navigate, especially when traveling internationally. To address these concerns, MSU's has developed guidelines for all students, staff, and faculty. This resource serves as a reference guide to help individuals maintain data security vigilance, regardless of their destination.
Before You Go
Register your travel. All faculty, staff, and students traveling on MSU sponsored international travel must, before their departure, register their travel in the MSU Global Travel Registry. Registration is an essential tool in supporting the health and safety of MSU travelers abroad.
If you don’t need it, don’t take it. If you can do without the device/data, leave it at home. Back up and clear any unnecessary data from devices you must take (e.g., texts, pictures, phone numbers, voicemail. Consider the consequences if your information were stolen.
Back up your information. Back up your contacts, photos, videos and other mobile device data with another device. Using a cloud service will keep data you leave behind available to you, provided you can find a secure connection.
Save restoration images of vital devices. If the device must come with you, creating a restoration image will allow you to wipe any data storage areas and revert the device to it’s trusted, pre-travel state. It is the best way to ensure whatever compromise may have occurred while travelling is contained and not spread to MSU’s network or your own home network.
Encrypt your data. Any device that must come with you should have encryption software, so any data retrieved will still be unusable. Windows OS devices have Bitlocker installed for use; if the PCs are managed by ITS Workstation Services, ideally the system is set up with BitLocker enabled (the default). If neither of these is the case refer to your usual area/dept. representative from that team.
Have a Travel Phone. If feasible, use a different mobile phone from your usual one and remove the battery when not in use.
Change your passwords. Change the passwords (not PINs) granting access to your devices - at least 12 characters long with full complexity – and continue doing so at regular intervals throughout the trip. Never store passwords or other authentication information on the outside of the phone or in the case.
Enable multifactor authentication wherever it is available. This will help prevent unauthorized use of your credentials even if they are compromised.
Disable auto-login to MSU resources. Devices are often configured to automatically connect to Outlook or Teams. Ensure that you only do so when you intend to.
Disable “Remember Me”-type features. Type the password (or require one for your password manager app) every time. Shield yourself while you type.
Disable wireless peer-to-peer technologies. Infrared, Near-Field Signal (ie ApplePay) Bluetooth, and other such technologies can be a significant risk; these convenience- oriented connection types are convenient to attackers as well. Only activate them in immediate need, then turn them back off.
Disable automatic connections. Vet and intentionally connect to any network you want to use. Remember that Anything sent over a network can be intercepted, so be mindful when transmitting confidential information. Any transmission can be intercepted, but if they are encrypted, they are secured to the level expected by MSU IT. Submissions to https sites are encrypted. Transmissions to an MSU service while connected to the MSU VPN are encrypted. Encryption does not guarantee security in extreme circumstances. If you have doubts about sufficient protection for student information or your private information, do not transmit it over the network or in emails while in a high cyber-risk country.
Update your mobile software. Treat your mobile device like your home or work computer. Keep your operating system software, anti-virus, and apps updated, which will improve your device’s ability to defend against malware.
Set up the "find my device feature" on all your devices. This will help you find your phone, tablet or laptop if you lose it and might allow you to disable or wipe data from it if it gets in the wrong hands.
Keep it locked. Get into the habit of locking your device when you are not using it. Require a strong password to unlock it – not a PIN or swipe pattern – whenever possible.
General Travel Practices
Maintain positive control of devices. Your devices should be on your person and they (or the bag they are in) should be held by you at all times. Do not ever leave your mobile devices unattended, in checked baggage, or in a bag on the floor next to you. If your devices are ever confiscated or otherwise taken out of your direct line of sight, assume you have been compromised; have your device cleaned immediately.
Bear in mind, thieves often target travelers. Meal times are optimum times for thieves to check hotel rooms for unattended laptops. If you are attending a conference or trade show, be especially wary: These venues offer thieves a wider selection of devices that are likely to contain sensitive information, and the conference sessions offer more opportunities for thieves to access guest rooms or to offer compromised “gifts.”
Avoid using your University NetID and password as much as possible. Ensure that you connect through the MSU VPN if you require access or transfer of confidential data to or from the University, but refrain from idle use of your login info (e.g. to check emails).
When working with any confidential data housed at/with MSU, ALWAYS utilize the MSU VPN to establish that connection back to campus. Remember: the MSU VPN only encrypts traffic traveling to and from “msu.edu” sites. Confidential data is defined by
Never store confidential data on the computer being used unless absolutely necessary. If a process does indeed require at least temporary storage of confidential data locally, be sure to clear from the system as quickly as possible.
- There are programs that can be used for secure delete such as “Eraser” for Windows.
- For Mac: OS X provides built-in tools to help you securely delete files by using the Secure Empty Trash option, or the secure erase options in Disk Utility. See Apple's documentation for more details. Search Apple support for details about erasing options in Disk Utility.
Don’t use thumb drives given to you. Assume any removable media that doesn’t belong to you is compromised. Don’t use your own thumb drive in a foreign computer for the same reason. If you’re required to use unknown media for some reason, assume you’ve been compromised; have your device cleaned as soon as you can.
Be aware of who may be able to look at your screen. Don’t be ashamed to turn your body or otherwise shield your screen when necessary.
Beware public charging stations. Many modern mobile charging cables and ports double as data ports. Do not physically connect your mobile device to anything you do not control.
Terminate connections when you’re not using them. Open connections are an invitation to compromise.
Clear your browser after each use: delete history files, caches, cookies, URL, and temporary internet files.
Don’t open emails or attachments from unknown sources. DO NOT click on any links in emails. Empty your “trash” and “recent” folders after every use.
Avoid Wi-Fi networks whenever possible. Especially when traveling internationally; in some countries they’re controlled by security services. In all cases they are insecure.
If MSU-controlled information or devices are stolen or otherwise compromised, report it immediately to MSU, local authorities and/or the local US embassy or consulate.
International Travel Practices
Remove all confidential data prior to any border crossing. Ideally, even clear cache and cookies from the web browser before crossing, too.
Visit the U.S. State Department's Alerts and Warnings web page to identify "high risk" countries you plan to visit.
Traveling with IT devices to some countries, most notably China and Russia, is considered high cyber-risk. The U.S. government has issued several advisories that travelers be aware that they could be targets of espionage activities when visiting these countries. Travelers are strongly encouraged to follow these recommendations:
- Take a disposable mobile device. The only way to be sure a possible compromise is not spread is to dispose of the device upon return.
- DO NOT travel with encrypted devices to China unless you have advance approval from China. China severely restricts the import of unapproved encryption. If you attempt to cross the border with an encrypted device, you may be asked for the decryption key or your device may be confiscated.
- The U.S. government prohibits traveling with encrypted devices to countries that are considered state sponsors of terrorism, namely Cuba, Iran, North Korea, Sudan, and Syria. DO NOT bring encrypted devices to these countries.
- Upon your return, immediately discontinue use of the devices. The hard drive of the devices should be reformatted, and the operating system and other related software reinstalled with trusted pre-travel images, or simply disposed of. This previously suggested step is of extreme importance when returning from high- risk international travel. Contact the MSU Help Desk or your local IT administrator to assist you.
When You Get Home
Electronics and devices used or obtained abroad can be compromised. Your mobile phone and other electronic devices may be vulnerable to malware if you connect with local networks abroad. Update your security software and change your passwords on all devices on your return home.