Managing cyber risks in overseas travel factsheet
This document has been published through a new responsive cyber guidance pilot project, in collaboration with the QGEA team. All feedback from Queensland public sector entities is welcome via email to the Cyber Security Unit until 30 May 2025. Please clearly mark your email subject as RESPONSIVE CYBER GUIDANCE FEEDBACK.
Overview
When staff go overseas for business or pleasure, they may be under increased risk from cyber incidents. If they have access to agency information, the agency may also be under increased risk. Recognising and addressing the cyber risk associated with international travel is crucial for maintaining information and cyber security on both a personal and professional level. Agencies should implement policies and processes to manage the risks to their information when staff travel overseas.
What cyber risks are posed by staff overseas travel?
Travellers who retain access to agency information or systems whilst overseas are at increased risk that malicious actors could exploit this access. Travellers’ devices may also be compromised. Travellers from Queensland Government entities may be of interest to the security services in countries they visit. Cyber risks can vary significantly from country to country, and risk may be elevated depending on the countries being visited and the level of access to agency information that the traveller retains while overseas.
Advice
Create an overseas travel policy
- develop a comprehensive overseas travel security policy and procedures for staff that include
- whether staff must inform their agency before travelling
- what agency access can be retained by travellers and exception handling
- what device security is required for endpoints that access agency information
- additional requirements for National Security Clearance holders (AGSVA guidance)
- post travel debriefs, and what form they should take.
- develop procedures to assess and control cyber risks posed by overseas travel for staff who
- are undertaking official travel
- are subject to enhanced targeting
- have enhanced or privileged access to systems or sensitive information
- are visiting countries known for aggressive espionage behaviour.
For guidance on risk profiles consult resources from ASIO Outreach or About the Cyber Security Unit.
Train your staff to recognise cyber risks when overseas
- conduct regular training sessions for overseas travellers
- make travellers aware of local laws and risks related to data security and privacy in the destination country
- provide specific advice based on the risk profile of the destination. For example, high-risk countries.
User and device management
- where the risk warrants, consider providing travellers with
- newly provisioned accounts
- dedicated travel devices that can be sanitised post travel where risks warrant
- restricted access to systems and information while overseas.
Incident response plan for overseas travellers
- establish a clear incident response plan to respond to overseas travel issues
- provide a mechanism to allow travellers to report incidents and concerns
- ensure travellers are aware of alternate mechanisms to contact your agency cyber support team.
For additional guidance on how you can assist your staff as they plan overseas travel and actions to take during and after their travel, please refer to the Australian Government Cyber Security Centre’s advice on Travelling With Mobile Devices, Security tips for travelling and Cyber security when travelling overseas.
For any further guidance or advice, please contact the Cyber Security Unit.
Issued
Issue date: February 2025
This factsheet has been approved by the Queensland Government Chief Information Security Officer within the Queensland Government Cyber Security Unit.
It has not yet been consulted or approved under the QGEA process, and as such will remain in PREVIEW mode for three months. All feedback from Queensland public sector entities will be considered for the final review prior to publication.