Travel introduces a specific set of security risks that don’t exist, or exist in a more controlled form, in a normal working environment. You’re operating on unfamiliar networks, in public spaces, with devices that may be subject to inspection at borders, in locations where the people around you are unknown. The controls that protect you at home or in the office – managed networks, physical security, familiar surroundings – are either absent or reduced.
None of this means travel is inherently dangerous, or that working on the road requires extraordinary measures. It does mean that habits which are adequate in a controlled environment need some adjustment when that environment changes.
Before you travel
The most effective security measures for travel happen before you leave, not after something goes wrong.
Update everything. Ensure devices are running the latest operating system and application versions before departure. Updates in transit are less reliable, and travelling with known unpatched vulnerabilities is an avoidable exposure.
Back up your data. If a device is lost, stolen, or seized at a border, you need to know that your data exists elsewhere. Ensure a recent backup exists and that you can access what you need from another device if necessary. Cloud access with strong credentials and MFA provides a reasonable safety net, but it depends on connectivity. Consider what you’d need offline and plan accordingly.
Review what you’re carrying. Think carefully about what data actually needs to travel with you. Sensitive files, credentials, confidential documents. If they don’t need to be on the device, avoid taking them. A device with minimal sensitive data is a much smaller problem if it’s lost or inspected.
Enable full-disk encryption. Most modern devices offer this – FileVault on macOS, BitLocker on Windows, built-in encryption on iOS and Android. Encryption ensures that data on a device isn’t accessible without the credentials to unlock it, which matters significantly if a device is lost or seized. Confirm encryption is enabled before travel, not assumed.
Know your organisation’s travel policy. Many organisations operating in regulated or sensitive sectors have specific requirements around travel to certain countries, device configuration, and what can and can’t be taken. If a policy exists, follow it. If you’re unsure, ask before you travel rather than after.
Networks and connectivity
Public wifi is one of the most consistent risks when travelling. Hotel networks, airport lounges, conference centres, and coffee shops are shared environments where traffic can potentially be intercepted or where other connected users represent an unknown risk.
Use a VPN. A virtual private network encrypts your internet traffic and routes it through a trusted server, protecting what you do online from interception on an untrusted network. If your organisation provides a VPN, use it whenever you’re on a network outside your control. Be aware that some corporate VPNs don’t route all traffic the same way, so understand how yours is configured. If you don’t have one, a reputable commercial VPN provides meaningful protection. Free services often have opaque data practices and may offer limited real-world protection.
Avoid sensitive activity on public networks where possible. Even with a VPN, limiting what you do on public wifi is worth maintaining. Accessing financial accounts, handling credentials, or working on sensitive documents is better done on a trusted connection or via mobile data where possible.
Mobile data is generally more secure than public wifi. Using your phone as a personal hotspot, rather than connecting directly to hotel or public networks, removes a layer of exposure. For example, working from a laptop via your own hotspot in an airport lounge is typically a safer option than joining the open network. Be aware of data costs and roaming, but for sensitive work the trade-off is usually worth it.
Be wary of networks that look legitimate but aren’t. Rogue access points, networks configured to mimic legitimate ones, are a known technique. A network named after the hotel you’re staying in doesn’t guarantee it’s operated by the hotel. Confirm network names with staff, and be cautious of networks that don’t require any form of authentication.
Devices in public spaces
Physical awareness matters as much as technical configuration when travelling. Devices left unattended, screens visible in public, and shoulder surfing – someone reading your screen without your knowledge – are all real risks that don’t require technical sophistication.
Never leave devices unattended in public spaces. A laptop left at a café table while you order, or a phone on a restaurant table, creates a straightforward opportunity for theft. Hotels offer limited security; in-room safes exist but aren’t infallible, and not all accommodation provides them.
Use a privacy screen filter. In airports, on planes, in hotel lobbies, anywhere you’re working in close proximity to others. A privacy screen limits what’s visible to anyone not directly in front of the display. For regular travel involving sensitive material, it’s a simple, worthwhile measure.
Lock devices when not in use. Every time you step away from a device, even briefly, lock it. Configure devices to lock automatically after a short period of inactivity. This is basic practice that becomes more important when you can’t control who’s nearby.
Be conscious of what you discuss verbally. Calls and conversations containing sensitive information shouldn’t take place where others can overhear. Hotel lobbies, airport lounges, and public transport are not appropriate settings for client discussions, internal strategy, or anything involving personal data.
Border crossings and device inspection
Border security agencies in many countries have legal powers to inspect devices – and in some jurisdictions those powers are broad, extending to compelling decryption or access. This is not hypothetical. UK, US, Australian, and other border agencies have exercised these powers, and the legal position varies by country.
Understand the position before you travel. Some organisations take a travel device approach for higher-risk destinations. A separate, clean device is used that contains only what’s needed for the trip, with access to organisational systems provided through controlled remote means rather than local data. This limits exposure if a device is inspected or retained.
If a device is inspected at a border, note what happened and report it to your security or IT team on return. Even if nothing is visibly taken, forensic tools can copy data quickly. Knowing that an inspection took place allows appropriate follow-up.
Biometric data – fingerprints or facial recognition – used to unlock devices can in some jurisdictions be compelled in a way that a password cannot. The right response depends on your destination, your organisation’s policy, and the sensitivity of the device. It’s worth understanding the distinction before travelling to higher-risk locations.
Charging and physical connections
Public USB charging points should be treated with caution. Compromised ports can be used to transfer data from, or install software onto, connected devices, often referred to as “juice jacking”.
Use a mains charger and your own cable rather than public USB ports where possible. If you need to use a public USB point, a USB data blocker, a small device that allows power but blocks data transfer, provides effective protection. Alternatively, use a portable battery pack rather than a fixed public point.
Avoid connecting to unknown devices or accepting unexpected connection requests. A cable left in a hotel room, or a charging point that triggers an unexpected prompt on your device, should be treated with scepticism.
On return
Once you’re back, a small number of steps are worth taking as routine.
Change passwords for accounts accessed during the trip, particularly if you used networks you weren’t fully confident in. Review account activity for anything unexpected. If your device was inspected at a border or left unattended in circumstances that concerned you, report this to your security or IT team and follow any post-travel review process.
The goal isn’t to treat every trip as a security incident waiting to happen. It’s to maintain the same standard of care in a less controlled environment, and to recognise that some of those habits matter more, not less, when that environment changes.
