1. Evaluate the risk

Protecting University information assets while abroad requires secure behaviours. Considering the risk landscape in the destination can help you assess what precautions you may need to take.

Following the best practices below will help mitigate these risks, safeguard our sensitive data, and help ensure your general safety when abroad. Using technical controls, caution, and forward planning will help guard against threats.

Certain destinations are known for presenting additional cyber security risks: while the list changes, Saudi Arabia, China and the Russian Federation are known to be centres of higher cyber security risks. If you are travelling to those destinations for business purposes, please raise a ticket with the University's Service Desk for advice on additional cyber security protection.

Always refer to Foreign travel advice - GOV.UK and consult with colleagues in your Faculty or School to fully assess the risks associated with your trip. Please ensure the appropriate people are aware of your plans and contact details.

Be mindful of some specific risks:

• Surveillance and Monitoring: Some countries maintain highly monitored digital environments. Foreign academics are likely to be of interest, especially if affiliated with research in geopolitically sensitive areas (e.g., artificial intelligence, defence technologies, or national security).

• Theft of Intellectual Property: The UK’s Intellectual Property Office has warned of rising incidents involving IP theft targeting UK institutions. Sensitive or unpublished research can be vulnerable during travel if accessed or shared through unsecured networks.

• Export Control Restrictions - Those working with potentially controlled information should consult the Export Control Policy to ensure they are compliant. For clarification, email the Export Control Manager via research-governance@bath.ac.uk

• Digital Intrusions and Device Compromise There have been multiple incidents in which UK travellers’ devices were cloned or infected with spyware while abroad. Laptops, phones, and USB drives are all susceptible.

2. Pre-departure: institutional and personal preparation

Should the risk be assessed as high, request a temporary laptop and/or phone from DDaT at least 3 weeks prior to your departure date. These will be provided to you encrypted, free of sensitive data, and remotely wipeable.

For less risky destinations, it’s still important to prioritise information security by taking only the minimum necessary equipment and information with you.

It is advisable to be fully “offline” while travelling wherever possible.

If in doubt, please contact the Chief Information Security Officer for guidance.

3. Safe data handling

Avoid storing sensitive University data on your local device(s) or removable media. Please make use of the University-provided cloud storage solution so that the data is stored in a secure location, which should ensure:

• Data stored within the United Kingdom and aligned with data protection legislation requirements
• Data at rest / stored is encrypted
• Authentication is required before accessing data
• Avoids data leakage due to device loss

Be aware that all traffic on public networks may be monitored, copied and retained. Please always switch on VPN and refrain from communicating sensitive information over public networks.

It is best to avoid taking your University device. If you wish to take your device, the safest option is to minimise the data that travels with it. To avoid any doubt, the safest is not to take any data. If unavoidable, do not take sensitive data. Please consider the following:

• Back up your device before you travel and delete any copies from your device
• Do not store sensitive data on any devices you take with you
• Avoid copying sensitive data to memory sticks or other media that can be easily lost
• Assume all internet traffic, phone calls, and messages may be monitored
• Exercise additional caution with phishing attacks, avoiding suspicious links and unknown attachments
• Ensure email account is configured NOT to download pictures and attachments automatically
• Regard ALL attachments, links, and “QR” codes, CDs, DVDs, and USB drives as potentially hostile and malware-infected. Free USB drives given at conferences should be reformatted before use, or scanned by DDaT on return. It is best to avoid social media while in high-risk countries
• Turn off Bluetooth and Wi-Fi when the device is not in use
  

4. General security awareness

Take a look at the University’s Information Security Policy and the IT Security Best Practice. Below is an extract for you:

Do’s: - Do use a strong password and change it if you think it may have been compromised - Do report any loss or suspected loss of data - Do be on your guard for fake emails or phone calls requesting confidential information - report anything suspicious to the DDaT IT Service Desk - Do keep software up to date and use antivirus software on all possible devices - Do be mindful of risks when using public Wi-Fi or computers - Do ensure University data is stored on University systems - Do password protect and encrypt your personally owned devices

Don’ts: - Don’t give your password to anyone - Don’t reuse your University password for any other account - Don’t open suspicious documents or links - Don’t provide access to University information or systems - Don’t copy confidential University information without permission - Don’t leave your computers or phones unlocked

5. Protection of Bring Your Own Device (BYOD)

Remove University-linked applications such as Outlook, Teams and OneDrive from personal devices prior to travel. Avoid using your personal devices for business.

Always set strong passwords, use a Virtual Private Network (VPN) for all communication and use endpoint security software. Consider enabling extra protection on your mobile device, such as lockdown mode (e.g. Apple Lockdown Mode and Android Lockdown Mode). If using a password manager, some products offer a ‘Travel Mode’ that removes vaults from your computers and mobile devices, except those you mark as safe for travel e.g. 1Password.

Last but not least, always avoid logging in to your accounts on public computers or devices.

6. Protection of University-managed devices

University-managed devices already have security protection deployed. However, please raise a ticket with the University’s Service Desk to add additional device security configuration on the device prior to travel.

Please note that, depending on the travel destination and the level of security hardening applied, devices may need to be reset to the standard configuration upon return. This reset may involve a full device erase, including reinstalling the operating system. DDaT can provide a Travel Loan Device to support staff during this process.

7. Traveling with encrypted devices

If you do decide to travel with a device, be aware that some regimes prohibit arriving with encrypted devices, and some prevent travelling with encrypted devices to embargoed countries (for example, the US proscribes Cuba, Iran, North Korea, Sudan, and Syria). Be prepared to unlock your device for inspection by immigration authorities, and possible searching of its contents. Devices which are not unlocked may be confiscated. Export Control regulations restrict the transfer of international components, including commodities, data, hardware, software, and technology.

8. Connect safely (use a Virtual Private Network)

Anything sent over a network may be intercepted. As a precaution, it is worth checking whether your device automatically connects to the internet. It is good practice to disable automated services on your devices. This can also save a considerable amount of data being used ‘in the background’, which is important when data is limited.

Disabling services while 'in transit' is an effective means to stop information from being pulled down and stored on the device. Please ensure that you check networks and only connect intentionally to the networks you choose to use.

VPNs can provide a critical layer of security for online communications and data protection while travelling: the University VPN should already be configured on your University-managed device. If not, please follow the Setting up VPN on your device (https://www.bath.ac.uk/guides/setting-up-vpn-on-your-device/) guidance. If you’re still having problems setting up, please contact DDaT.

Be also aware of VPN legality and limitations in your destination – and be cautious when using VPNs; China, for example considered VPNs a legal grey area that is heavily regulated. At time of writing foreigners have never been prosecuted for VPN use, but returning Chinese Expats have.

Traffic obfuscation tools may also be blocked, and their use may only attract unwanted attention from authorities.

Be aware of potential MFA restrictions in high-risk countries, which may prevent connections.

If you need to access secure University systems, you must use Multi-factor Authentication. Note that in some countries, MFA via mobile phone Authentication may be restricted, so you may wish to investigate alternative MFA methods (such as hard tokens) in advance. DDaT can help with this.

9. Be aware! Don’t forget physical security

• Keep any devices with you at all times: threat actors can, will, and have broken into hotel rooms to steal or place implants and keyloggers in devices. Even the hotel safe is not secure
• Keep your personal information and travel itinerary as private as possible: avoid discussing your itinerary, personal, business, or other sensitive information where others can hear you
• Do not allow anyone other than yourself to use any of your devices and avoid others seeing your device login password in public
• Do carry the appropriate power plugs for your devices and know your country's electrical system. Some countries may require a transformer/voltage converter
• Do clean out your purse or wallet if you tend to carry notes about various accounts or passwords
• Don’t post your location and how long you will be gone on social media
• Vary patterns and routines when venturing out into a new location; do not become predictable
• Do not have any of your electronic devices “repaired” or “worked on” while abroad
• Be situationally alert to the location of your devices, luggage, and carry-ons at all times

10. For ‘persons of interest’ only

Certain individuals may be considered ‘persons of special interest for threat actors. Note this is not applicable to most travellers – only those of high profile who may be expected to have significant amounts of information which may be of use to threat actors.

• Where possible, these individuals should adopt a new temporary email address, with a new password that has never been used on any account in the past. DDaT can assist in this if notice of travel and support requirements are given in writing at least 3 weeks prior to travel
• Emails should be triaged by a trusted associate in the home location, and only those forwarded which have no security implications
• Avoid accessing corporate resources while travelling in an insecure environment. Note that the University VPN and M365 may block traffic from high-risk countries
• Such individuals may wish to use a new (‘burner’) SIM card in order to obtain a new Phone Number. This can separate the user from the University as long as they do not access University systems, thereby adding a layer of protection. Note: many mobile phones are dual SIM. You may also require an additional data package
  
• Virtual Credit Cards – you can set up a virtual credit card service like Privacy to create temporary or single-use credit card numbers. DDaT can assist in this if 3 weeks’ notice is given in advance of travel. Requests for such cards should be sent to procurement@bath.ac.uk

Loan Devices

It may make sense to use loan devices which do not contain sensitive data. These devices and accessories should be procured before departure to prevent potential security risks associated with purchasing hardware or software while abroad. Only log in to your accounts from devices you brought with you (avoid public devices).

DDaT have a pool of devices. Please make a request to DDaT as early as possible, ideally at least 3 weeks in advance of travel. These devices will be made available on a first come first serve basis. Please ensure all essential data is backed up to University storage before returning your temporary device to DDaT. The Information Security team will be happy to answer any questions and provide bespoke advice as needed. Please contact cyber@bath.ac.uk when you know you will be travelling to a high-risk destination.

11. Upon return to the UK

Secure Your Data. Immediately change all passwords and inform DDaT of a post-travel device scan to detect potential breaches or malware.

If approached inappropriately or if you suspect device compromise, report this to the Chief Information Security Officer as soon as possible.

Related guidance

• Overseas travel safety guidance
• Fieldwork safety standard

Document control information

Owner: Chief Information Security Officer (CISO) Created: August 2025 Review date: August 2028