Cyber-secure international travel: why senior leaders need to take a role in mitigating this risk
International travel is necessary as UK universities and researchers continue to make their mark on a global scale, but it presents a heightened cyber security risk.
Universities and research institutions are vital to the UK economy, and their intellectual property and data are highly prized by nation-states seeking a competitive advantage. Making cyber security a strategic leadership and governance priority not only ensures the resilience of individual institutions, but also safeguards the integrity of the UK’s research and education sectors and their position at the heart of global collaboration and innovation.
Cyber security was once thought of as simply an IT issue, but that is no longer the case. Against a rapidly evolving threat landscape, institutional resilience to digital threats requires cultural change alongside digital innovation and hence there is a strategic role for leaders to help protect institutions.
Nowhere is this more apparent than in relation to international travel. Trips overseas are desirable, and often crucial, for leaders and staff to pursue international research and educational collaborations, but those most likely to travel are often those most likely to be targeted by ‘bad actors’, including those aligned with nation-states.
These travellers are often high-value individuals, such as institutional leaders, senior academics and researchers, who hold or have access to valuable intellectual property such as research outputs, business contacts, datasets, technology and institutional knowledge that could be useful to other states.
Foreign travel significantly increases the risk of this information being compromised, and the threat of IT systems being breached, which puts institutions at a greatly elevated risk of online fraud, cyber-attacks and ransomware.
A critical challenge for leaders
It is an essential executive responsibility for leaders to ensure their technical infrastructure is as secure as possible, and to model and foster a culture of personal vigilance at all levels of their organisations.
The starting assumption should be that attempts will be made to infiltrate devices and the systems they provide access to during overseas travel, and therefore steps must be taken before each trip to protect against that risk.
This means looking closely at why travel is necessary, the risks associated with each specific destination, the potential vulnerabilities a trip could expose, and the overall cyber security posture of the institution.
People, policy and technology: the three pillars of cyber resilience
The most effective defences against cyber threats can broadly be grouped into three categories: people, policy and technology. If any one of these is weakened, it can become a point of vulnerability.
Leaders should consider all three together. First, are colleagues adequately trained and informed about social engineering methods used by potential attackers, the risks of using personal devices for university business, the need for vigilance when accepting hospitality abroad, and how to protect their devices in the safest way?
Second, from a governance perspective, are there suitable policies in place to ensure compliance with cyber security standards, are risk assessments completed before every overseas trip, and are there clear emergency protocols for responding when an incident is reported? Policies on protective measures, such as regular penetration testing and audits of sensitive information, should also be up to date.
The systems, software and hardware institutions rely on are the focus for cyber-criminals. Key considerations include ensuring devices, apps and software are fully up to date, providing burner devices where appropriate, and implementing network security controls that verify user identities.
Preparation is key
This blog highlights just some of the questions leaders should ask about their institution’s cyber resilience in an international context and the more detailed guidance from Jisc on these issues can be found in our cyber-secure travel to high-risk countries guidance for university leaders below.
The guidance is designed as a practical tool to spark discussion and support decision-making across institutions. It can be shared with relevant audiences, including senior leaders, frequent travellers, research managers and security teams, as well as others with responsibility for safeguarding people, data and infrastructure.
It also includes a checklist for travellers to complete before each trip, helping them reflect on their own practices and identify areas where they may need to adapt or strengthen their approach. Institutions can tailor both the questions and the checklist to their own context, policies and operational needs.
Next steps
- Read and use the cyber-secure travel to high-risk countries guidance (pdf)
- Discuss the leadership questions at executive, governance or risk committees
- Review institutional travel policies and cultural expectations
- Contact your Jisc relationship manager for support
About the author