Cybersecurity tips for Digital Nomads

15 minutes of readingTips DigitalScribbled by

Tips Digital

 Scribbled by Daisy
 Published:
 Updated: September 14, 2024
 15 minutes of reading
 Tips, Digital
*Disclaimer: This post contains affiliate links. If you use these links to buy something we may earn a small commission at no additional cost to you. Thank you!

Remote work comes with its own set of challenges, most notably in the security department. Digital nomads are particularly vulnerable to this, as they are not simply working from home but often working in public spaces. This means they rely on unknown networks, potentially expose sensitive data to prying eyes, and are more vulnerable to scams and theft.

Because of this, investing in security tools, having good security hygiene in terms of maintaining backups, having multiple passwords, not clicking and trusting anything you see, etc. is of fundamental importance.

In general, paying attention to operational security by identifying potential risks, knowing vulnerabilities, and having plans to mitigate and recover from security breaches, device loss, etc. is arguably the most important aspect of cybersecurity.

In this article, I will cover some basic concepts and provide tips for having and maintaining a decent level of security in the unknown environments and situations that come with working abroad. Embracing these tips will ensure a minimum of peace of mind and equip you with the basic tools and vigilant mentality needed for dealing with the security challenges that digital nomading brings.

Stay safe, and happy travels!

Check out also this article on must-have tools and applications for Digital Nomads

Basic concepts and theory

Cybersecurity is based on six main concepts: confidentiality, integrity, authentication, authorization, availability, and non-repudiation. Without going into too much detail, there are three main pillars of digital security, which are known as the “CIA triad”. These are confidentiality, integrity, and availability. Confidentiality is related to access control and allowing access only to those who are permitted. Think of it as the key to the door that only you should have and that must not be lost. This is what I will focus on most but integrity and availability are also fundamental aspects related to keeping the secret data accessible and unperturbed. The most secure system is actually taking something, breaking it into many parts, locking each one into a safe, and throwing the safes to the bottom of the sea. That is pretty secure, but you, as the owner, will have problems retrieving your data.

Therefore, when talking about cybersecurity, it’s mostly an issue of balancing competing aspects and understanding and evaluating the risks. That is where operational security comes in. Knowing how to assess risks, judge, and gauge situations and vulnerabilities is much more important than the strength of an encryption key. Also, it is important to remember that cryptography and security tools in general are just that: tools, and these can be used effectively or not.

When it comes to operational security, this is based on five steps, namely: 1. Identify critical information. 2. Analyze threats. 3. Analyze vulnerabilities. 4. Assess risks. 5. Apply appropriate countermeasures.

While these steps are mostly used in organizations, the general concept also applies to individuals. It is important to know which information is critical and the different ways in which it can be stolen or tampered with; recognize the weakest links in your security setup; and know what countermeasures to apply or what path you should take in case the information is compromised.

 Pro tip: Introduce some chaos and do stress tests

Security is often an afterthought, and when an urgent or unexpected situation arises, fixing the issue at hand becomes the primary concern, often at the expense of security. It is important to keep a clear head and remember the risks you are exposing yourself to. An emergency can lead you to ask someone to watch over your belongings; an urgent call might lead you to connect to an open wifi at an airport (or even worse, the scam “Airport Free WIFI_2” set up by a sniffer attacker).

So a good exercise is for example, forcing yourself to find a working environment within the next five minutes and seeing how many security aspects you overlook when you’re in a stressful situation.

Another good exercise is to imagine or actually enact breach situations to test your responses. For example, create a scenario where particular critical information is compromised, like an Apple ID email and password, and see how deep the implications are and how effectively and quickly you can recover from this, or limit the damage to someone having this information.

General security tips

The following are basic good practices that should be followed in any situation, not only in remote working scenarios.

  • Browse secure websites. Look for the padlock symbol on the browser toolbar when browsing websites. This indicates the HTTPS protocol, which means the packets transferred are encrypted.
  • Be wary of clicking on suspicious links and running unknown applications. This is especially true when it comes to incoming emails in the form of phishing where emails will try to impersonate trusted senders and attempt to get your credentials. Clickjacking is links and forms in emails that redirect to malware-installing websites and which appear to be from your bank, post office, or mail, warning that your device is infected, that it has been breached, or that you have won the lottery, etc. These are all attempts to gather your personal information and authentication credentials.
  • Avoid useless downloads. Similarly to the above, avoid useless downloads, browser extensions, and anything that can not only bloat your system but also expose your device to programs that can include keyloggers, spyware, malware, etc.
  • Keep your software and devices up to date. Vulnerabilities are discovered every day and most updates are security patches. Because a lot of cyberattacks cast a wide net and look for devices that are vulnerable to known attacks, try to be one of those who are not part of the large basin of vulnerable users.
  • Do not use the same password. More on this later but your secret keys and credentials are the most important things to safeguard. Using the same password means that if you have it compromised, even through no fault of your own, such as a successful hack on a service that you use that exposes user details, all your other logins are compromised. Don’t put all your eggs in one basket.
  • Avoid online shopping with cards directly linked to your bank account. Instead, use payment services such as PayPal or virtual cards or one-use cards such as those provided by services like Revolut.

Security tips when abroad

The following are some general tips for decent security when abroad and away from the comforts and assurances of your private home.

  • Avoid public wifi. Do not just log onto any public wifi without a VPN. In general, it is better to use your private WiFi as a mobile hotspot. Also beware of the “evil twin” or “man in the middle” attacks, where fake Wi-Fi networks with names similar to legitimate ones are created, tricking users into connecting.
  • Always be aware of your surroundings. Finding the “correct” spot to physically stay is also important. Sitting in a café outside on the sidewalk not only makes it harder for you to concentrate but clearly exposes you to potential theft by people passing by. When inside public places, a seat where your shoulders are facing the wall is clearly better, as you don’t have to worry about prying eyes behind you (and this will also lead to better concentration).
  • Be wary not only of prying eyes but also of ears. Discussing sensitive information over the phone in a public place is clearly to be avoided.
  • This goes without saying but do not leave your devices unattended and asking a stranger to look after your belongings while you go to the bathroom is obviously a bad idea.
  • Keep your devices not discoverable, meaning file sharing, Bluetooth, etc. should be turned off.
  • While it’s not necessary to have your backpack always locked, try to buy a slightly more secure backpack that makes it harder for a pickpocketer to simply unzip and extract your devices.
  • Consider a thumb drive-bootable operating system. By having an operating system image loaded on a USB drive and working on that, you effectively make your entire laptop device an anonymous commodity, as all of your valuable data, applications, and the entire system are kept on the USB stick. This can be useful in some situations as it increases portability and also lowers and entirely removes the need to take care of and keep an eye out for your main device (except for the monetary cost of the actual device).
  • Consider decoy devices. See the pro tip below

 Pro tip: Wrench attacks and decoys

When it comes to security, one of the most effective attacks is the “$5 wrench attack”, which simply involves physical force on you to reveal your keys (basically mugging to get your valuables). While you can hardly prevent this, it is always a good idea to remain vigilant of the possibility that no matter how secure your devices are, you can simply be coerced to authenticate.

Another possible protection against this, which can also be used for physical precious belongings (like wallets, etc.), is to have dummy accounts or decoy devices and objects. The idea here is that instead of trying to block access, you immediately grant access to a secondary decoy object, which can hopefully appease the attacker but not expose your true belongings.

This is especially used with physical money and crypto wallets. Having a decoy wallet with a few crypto coins, an actual wallet with a small amount of money or a debit card with little cash on it can get you out of nasty situations and you will appease the attacker but lose very little.

Integrity aspects

Another challenge of working abroad and often being on the move is the integrity of your data and your devices so consider the following:

  • You need a durable device. Your device will be “thrown” around more than others, as it will hardly be sitting on the same desk. Also, being location-independent might mean you find yourself suddenly under the rain or in other physically stressful situations for the devices.
  • Back up your data regularly. Either with an external hard drive or a cloud storage solution. Even better if both. The best way is known as the 3-2-1 backup rule, where you keep three copies of your data, two of which are on two different local devices (external hard drives) and one copy at an offsite location (so cloud storage).

Personal Identifiable Information and Social Engineering

Most digital security breaches are not done through brute force attacks or sophisticated hacking techniques, but rather through social engineering. Since you are traveling and are usually in unknown environments, you are more prone to scams. From an operational security point of view, the most critical information to keep secure is your PII (personally identifiable information). This information is valuable for attackers in a number of ways. Just think of how much more vulnerable you are to phishing emails or physical approaches if someone knows your name, date of birth, or address. This information can be used to create sophisticated scams or to simply correctly guess security questions for recovering passwords.

As such, always keep in mind the following:

  • Your social media footprint, especially if you have a public profile, what you post on social media reveals a lot about you. Knowing your whereabouts, movement plans, and general location are all valuable information that can be used against you. If an accurate profile of you is made, it can be used in advance social engineering attacks, and spear phishing scams.
  • Be wary of prying ears, not only eyes. Discussing sensitive information over the phone in a public place is clearly to be avoided, but other less sensitive information can be used by eavesdroppers to know a lot about you. It’s the same argument as the above on social media: knowing your plans or who you talk to can be valuable information to potential attackers.

Authentication Tools

A fundamental aspect of modern cryptography is that the security of a system is only as good as the strength of the encryption key. This is a paraphrase of the Kerckhoff principle, which states that a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge.

This simply means something we all know: your security key is key (pun intended) to maintain your data secure and if someone obtains your login credentials, they are effectively you.

Authentication is a way to prove you are you and is the first thing that should be kept secure so that only you can access what is being secured. Historically, authentication was based on what you knew (usually a password). More recently, authentication can be based on who you are (facial recognition unlocking, fingerprint readers, iris scanners), and it can also be based on what you have (this is what 2FA is based on, so authenticator apps or SMS on your personal mobile device).

In regards to authentication and safekeeping credentials, consider the following:

  • Password manager: Good security hygiene is to use different passwords and not put all your eggs in one basket. As such, it is best to have strong, complex passwords that are as unrelated as possible to common words and phrases. However, this comes with the need to have a password manager, as remembering dozens of random strings is clearly something we humans aren’t able to do.

 Pro tip: safe passwords & passphrases

If you do not use a password manager and want to have a memorable password, consider choosing a passphrase instead. So instead of having a short word with some l33tspeak variations, date of birth, and 1234 at the end, use a verse of a song, for example, or a longer phrase that you are familiar with, adding simple special characters.

This creates a very memorable and extremely long password. A passphrase like I am the admin and only I can access (which can be transformed into 1m ze @dmin & only 1 can acce$$) is orders of magnitude more effective than $_#Adm1n123456789

Note however, that passphrases guard against brute force attacks (where all possible character combinations are tried) because of the length of the key, but are less effective against dictionary attacks (where common words and common passwords are tried) unless some variability and special character substitutions are used.

  • 2FA. Studies show that the most effective way to protect unwanted logins is to use 2-factor authentication or multi-factor authentication. The most secure encryption mechanism has always been the use of OTP (one-time passwords)—disposable codes that are recognized and accepted by both parties and that can be exchanged and then forgotten. The issue here is exchanging the initial secret, which makes both parties recognize each other. This can be effectively achieved with 2FA by having two or more devices that have been previously synced (where the secondary code-generator device is usually a phone).

 Pro tip: Multifactor authentication and multiple devices

As a digital nomad you will most likely have your phone always with you and use it a lot (think of maps, language translations, hotel and flight booking apps, currency converters, etc.) and this increases the chances of it being stolen or lost.

In that case, as if losing your phone abroad wasn’t enough, if you rely heavily on multi-factor authentication, you can also effectively be locked out of many systems.

Because of this, it is better to have two devices: one for your daily travel and leisure activities, such as taking pictures, using social media, and using maps, and another that is rarely used and is kept safer, which keeps your authenticator apps, sensitive data, etc.

Other security tools and gadgets

Consider the following tools to better protect your digital valuables. Again, remember that tools are just tools and are only effective to the extent to which they are properly used.

  • VPN: This is probably the primary must-have. A Virtual Private Network is of utmost importance to maintain a secure channel between you and the target servers and prevent sniffing of your network packets. This is especially important when using public wifi as the data is encrypted already from your device.
  • Antivirus: a program to detect malicious code and prevent or remove malware from infecting your device is also important.  
  • Screen privacy filter: This is a good addition that can keep your mind at ease from prying eyes. The privacy filter will polarize your screen such that it can be seen and read only from the user sitting in front of it and not from other angles.
  • Device trackers: having a couple of cheap RFID tags to attach to your devices and knowing where they are is very useful. Device trackers can be simple RFID, Bluetooth, or worldwide GPS trackers.
  • If you are particularly wary of masking your location and identity through your IP address, such as in countries with strict government spying and firewalls, consider using TOR (The Onion Router).

 Pro tip: Limitations of TOR

The use of TOR and its masking capabilities can lead to a false sense of security. By default, TOR disables any Javascript and enables private browsing and the absence of tracking cookies. However, at these levels, the issue is usually related to maintaining anonymity from government spying, and governments naturally have extreme observation and control capabilities.

The main security flaw is that TOR relies on the entry and exit nodes and if the entrance nodes are controlled by a spying agency, your traffic is essentially as visible as it would be without TOR.

Also, browsing habits are an effective way to reveal identity. Clearly logging in to any of your personal accounts is an instant giveaway.

Finally, because of the nature of faceless communication, you are never sure who is on the other side, and on TOR websites that involve messaging and social interaction, there is a higher presence of LEOs (Law Enforcement Officers) and people impersonating different identities.

Conclusion & key take-aways

The main things that have been discussed above are:

  • Safeguarding your internet connection by always using secure and encrypted websites and services and connecting to trustworthy WiFi points. To mitigate these risks invest in a couple of security tools such as a VPN, and a portable WiFi hotspot.
  • Protect your devices and accounts with password managers, authenticator apps, and other multi-factor authentication mechanisms.
  • Regularly back up your data and doing so on multiple devices.
  • Be aware of your surroundings to avoid being spied on when using your devices, or more simply be robbed or coerced to give up your digital valuables. This includes keeping your devices always under your control or safely locked away.
  • Have good security hygiene and good usage practices, meaning keeping your devices up to date, being aware of the applications you are installing and using, and being suspicious of incoming emails and SMS messages.
  • Be mindful of your digital profile and what you share online. Try to keep your personal information as much under control as possible, as it can be used together with social media to harness an accurate profile of you which can then be used in advanced social engineering attacks, and spear phishing scams.

Just like with travel, being vigilant is key to being able to tackle and manage the innumerable unexpected situations that can occur.

Again, be vigilant, stay safe, and have a good journey.

Related Posts

Scroll to Top
Contents