Australian firms are going to extraordinary lengths to protect their data from foreign governments, competitors, and criminals when employees travel overseas.
McAfee, Rio Tinto and HP are among those known to have introduced strict policies about the devices staff bring and use on trips, for fear of malware and data theft.
Baker & McKenzie experts say Australian firms tend to be most cautious when travelling to places like Indonesia, China and Russia – known as the top originating countries for cyber attacks.
“Security in general is a big issue for multinationals,” said Baker & McKenzie partner Anne-Marie Allgrove. “There are two different areas [of concern]: one is government monitoring and the other is cyber attacking.”
Partner Adrian Lawrence explained that most jurisdictions – including Australia via the 1979 Telecommunications (Interception and Access) Act – allowed authorities to access private information for specific purposes, like in police investigations.
Corporates tended to be more concerned about unauthorised government access or private hackers, who may seek access to company secrets, intellectual property, financial details, or a vector for spreading malware, he said.
Here’s how Australian companies are protecting their data overseas:
1. Travelling with brand new devices, or forgoing smartphones, tablets and laptops altogether.
When former defence minister Stephen Smith visited Beijing in June last year, he and his entourage reportedly left all mobile phones and laptops in Hong Kong to avoid spying.
The SMH reported at the time that Smith’s staff, including media advisers, were given fresh phones and numbers to use during the trip.
Allgrove told Business Insider that similar practices were shared by corporate giants.
“Companies are requiring employees to take no technology, or have clean [brand new] technology in the countries they visit,” she said.
“The new devices are bought in the home country, not the countries they go to, because that may be problematic.
“Often, they don’t need the most sophisticated devices – the less sophisticated, the better. It’s definitely an additional expense, but for companies, it’s a balance judgement of risk and security.”
2. Limiting strangers’ contact with corporate devices.
Allgrove highlighted the example of one company, for which “if a device gets reviewed at Customs at any airport, they will never use that device again for fear that something may have been installed on it”.
She warned against neglecting the physical security of devices, for example by leaving them in hotel rooms or unattended in public areas.
Any devices that may have been tampered with should be wiped clean upon returning to the home country, she said.
3. Turning off all wireless technology, such as Bluetooth and Wi-Fi.
Some companies ask employees to turn off Bluetooth and Wi-Fi so hackers can’t access their corporate devices wirelessly.
That means they have to rely on fixed-line networks. Those can be compromised, but at least it’s slightly more difficult for hackers to get connected, Lawrence explained.
“Wireless just enables greater access for hackers,” he said. “There’s always going to be risk in using any sort of technology device to communicate.
“No technology is going to be perfect for every situation.”
4. Using an encrypted virtual private network instead of the public internet.
Experts recommend that employees dial into the corporate network remotely and access their files, applications and the internet via the company’s secure virtual private network (VPN).
That ensures that data is encrypted and limits the opportunities for hackers – and other parties – to snoop.
Because traffic is routed via the corporate network, and thus its telecommunications provider at home, remote workers can also bypass national firewalls and access otherwise censored material in countries like China and Vietnam.
Most corporate encryption is safe to use, but Lawrence warned that some countries had laws preventing the export of particularly advanced encryption technology to certain other nations for fear that the technology could be repurposed by an enemy military.
5. Avoiding government-owned telecommunications providers.
Most governments are generally thought to limit surveillance to situations in which interception is permitted by law – for example, in a police investigation with a warrant.
But other governments, authorities or individuals may use their powers in a wider range of situations.
Lawrence said cautious companies tended to limit their use of government-owned telecommunications networks, where providers may be more sympathetic to unauthorised government data access requests.
“Companies using state-owned ISPs may be more cautious about openly connecting to the internet,” he said.
6. Monitoring network traffic at home.
Allgrove and Lawrence said their clients took a number of the above precautions but Baker & McKenzie didn’t quite go to the same extremes when its lawyers travelled overseas.
“We don’t take clean phones, but [IT staff in the home office] do monitor carefully all the data that is transmitted,” Allgrove said.
The lawyers said more common practices such as monitoring network traffic were just good practice for businesses around the globe.
They said the other, more extreme measures tended to be proactive policies rather than the result of bad experiences, but noted that the fact that companies were willing to pay to adhere to them implied that the threats were real.