IT Services

Travelling to a High Risk Country

Some staff may reside in, or travel as part of their role to, countries classed as “high-risk”.

As published by the National Cyber Security Centre (NCSC), the following countries are defined as high-risk.

  • Russia
  • China
  • Iran
  • North Korea.

More guidance can be found on the NCSC website.

Types of travelling staff

The equipment you will be provided with and the best practice you should follow will vary depending on the category of travelling user you fall into.

UK Based Professional Services Staff

If you are a member of Professional Services staff permanently based in the UK and visiting a high-risk country, you will need to take the following steps before, during, and after your travel.

Your Queen Mary Managed Device will be available for use while in the United Kingdom. This device is not to be taken to any High-Risk Country.

If you are travelling to any High-Risk Country, you will need to request a Loan Device by logging a ticket with the IT Service Desk, giving at least 10 working days' notice.

Prior to travel to any High-Risk Country, you will need to complete the security training module, which can be found on the LMS.

Whilst travelling, if the device is seized, you must report the incident to the IT Service Desk as soon as possible by email or via self-service using the following template

On return to the UK, you must return the device to IT Services (ITS) as soon as possible. ITS will then wipe the device to prevent any risk of malware or data leak.

UK Based Academics

If you are an Academic permanently based in the UK and visiting a high-risk country, you will need to take the following steps before, during, and after your travel.

Your Queen Mary Managed Device will be available for use while in the United Kingdom. This device is not to be taken to any High-Risk Country.

A Queen Mary-owned unmanaged device will be supplied for use when visiting any High-Risk Country. (Note: unmanaged devices are non-standard and self-managed, built to meet the teaching requirements and flexibility of various teaching areas in high-risk countries.)

Users shall be required to read and confirm acceptance of the Information Security Guidelines for Staff travelling to high-risk countries.

Whilst travelling, if the device is seized, you must report the incident to the IT Service Desk as soon as possible by email or via self-service.

Upon return from each trip or at least annually, you must return the device to ITS as soon as possible. ITS will then wipe the device to prevent any risk of malware or data leak and reinstall the required software. Information Security (InfoSec) will periodically audit devices used for travelling to high-risk countries to ensure compliance.

Permanently based abroad in a high-risk country

If you are a member of Academic or Professional Services staff permanently based abroad in a high-risk country, please follow the guidance below.

A Queen Mary-owned self-managed device will be supplied for use. (Note: unmanaged devices are non-standard and self-managed.)

Users shall be required to read and confirm acceptance of the Information Security Guidelines for staff travelling to high-risk countries.

Whilst travelling, if the device is seized, you must report the incident to the IT Service Desk as soon as possible by email or via self-service using the following template

If travelling to the UK, you can use your self-managed device on Eduroam.

Protecting yourself

Of course, most of the advice below for protecting Queen Mary also applies to protecting yourself if you must visit any environment that you can’t fully trust. But there is also some other guidance specifically for protecting yourself.

Advice when travelling

When travelling to a country considered high-risk, please follow the guidance on what you can do to protect yourself and Queen Mary. For more information, please visit the Staff travelling to high-risk countries Guide.

We strongly recommend you access data remotely via Web Access or using Queen Mary’s “Appsanywhere” service. However, if you do have to move data, ensure that it is encrypted. This includes data stored on a device’s hard drive, USB, or SD cards.

Data considered sensitive must be protected by UK law. If you intend to use patient or medical trials data, please contact your departmental Data Protection Officer or the Joint Research Management Office (JRMO) for advice and guidance. Unpublished research data or results are considered sensitive in terms of value to both Queen Mary (QM) and the individual. Please refer to the JRMO website for more detailed information about the risks of research data.

For technical protections that could be applied, please contact the QM Information Security team.

Ensure all available updates are applied prior to travel to reduce the vulnerability of your device. This includes the basic operating system, applications, and device firmware such as the BIOS. It’s always advisable to keep your device up to date because this reduces the number of ways it might be vulnerable to attack. It’s also best to do any updates in an environment you trust. So, make sure all available updates are applied before you travel.

Don’t install unnecessary software on any device that you might have to take to an environment you can’t trust.

Software packages often contain components that can access data they shouldn’t need to access for their advertised purpose. The simplest way of dealing with this problem is to refrain from installing any unnecessary software packages.

Don’t access any IT service that may be controlled by any person, company, organisation, or state that you can’t trust. This applies to any IT service anywhere in the world, but it’s especially important where the people or company operating such a service can themselves be plausibly coerced by nation states to support their aims. This includes foreign-controlled social media services. For further guidance on accessing QM services via your web browser, please refer to the Loan Laptop Guide.

Public Wi-Fi services can also be more of a risk than they first appear. It costs money to operate such a service, and unless there is a clear reason for the operator to provide the Wi-Fi service, the operator will be making money some way or another, usually by selling information about the users of the service.

Here are some suggestions on what to look out for:

  • Make sure the operating system firewall facility is turned on. This helps protect your machine from attacks over the network. It can also help prevent data leakage from your device.
  • If you must log in to the service with a working e-mail account, your account and other details of what you do are likely to be sold.
      • Any relationships between the Web services you access using that Wi-Fi service can be useful for targeting advertising. This isn’t a big risk but it’s surprising how much data can be gleaned from large-scale data mining of this sort of data.
      • There are identifiers for your individual machine that are not obvious to you, and these can be collected and correlated between different sessions on different Wi-Fi services, leaking more data about what you are using than might first appear.

Many more modern devices draw power or are charged via USB interfaces. Inserting USB devices that you can’t trust is a very real risk. But it is not always easy to be sure that a device that claims to be a charge point is only a charge point. This applies especially to devices that use a USB-C socket.

You can reduce the risk here by:

    • Taking your own USB charger and plugging it into the mains power yourself.
    • Taking your own USB charging cable that picks up power from the charger but explicitly blocks the capability to transfer data. These cables are more expensive for USB-C because the data wires are used to negotiate fast charging and cannot be blocked by simply not connecting those pins of the cable.

If you are required to reveal any passwords, change them as soon as you can safely do so. You should also notify your service provider as soon as possible; this includes QM and any personal service providers such as your bank. You should bear in mind that if anyone has obtained access to any of your devices, they could have access to any saved account credentials stored on your device, for example in your Web browser. One of the simplest things that can reduce the risk to both QM and yourself is to use a clean device with the minimum amount of data (including registrations with social media) and then have that device wiped by ITS when you return to remove any malware that might have been introduced to the device during the trip.

Don’t carry personal data you do not need. It is very common that border authorities are permitted by local law to demand that you decrypt any device carrying data that you carry across a national border; this includes the UK border authorities. If you have any data that you do not wish such authorities to see, perhaps because it is critical of that government, and especially if it is illegal in that country, don’t carry it across a border where it can be inspected. This applies both when entering and leaving a country. It is worth remembering in this context that this can apply to any device, be it a computer, tablet, smartphone, or memory device like a USB drive. And “data” includes text, photos, audio recordings, movies, and even traditional printed or hand-written material.

Make sure your travel itinerary is known by someone in the UK. In the event that something does happen to you, someone else will be able to raise an alarm with QM and the authorities if you are unable to communicate.
