Pre-departure preparation: a checklist by threat level

The exhaustive preparation checklist before a business trip, calibrated by destination country and profile.


A finance director leaves for Dubai for a closing. He calls me the night before to ask whether his phone is “OK.” His iPhone is connected to the family iCloud, his passwords are lying around in Notes, and the Slack app keeps six months of M&A exchanges on it. The honest answer fits in one word: no. And the evening before, it was already too late for half the fixes.


The usual trap

For most people, trip preparation stops at the flight, the hotel and the visa. Digital security is something you “think about once you’re there.” That’s the reflex that ruins the preparation, because the measures that really count are taken before leaving, not in a hotel room on the establishment’s Wi-Fi.

Disk encryption is enabled cold, at home, with a stable connection and the time to handle the reboot prompts. The local eSIM is ordered 48 hours ahead to be sure it activates. The corporate VPN is tested from your living room, because in some destinations there’s a real chance it’s blocked — and a Sunday morning in Shanghai is not the right time to discover that. Security preparation is a pre-departure task, dated, planned, not an improvisation.

The second trap is subtler. The majority of travellers prepare as if their risk level were constant. It isn’t. The executive heading to Barcelona for a routine meeting and the same executive heading to Beijing to negotiate an acquisition do not face the same threat. Treating the two situations identically means either wasting energy on a harmless weekend, or seriously exposing yourself on a high-stakes trip. Good preparation isn’t “more security”; it’s security calibrated to the precise trip.

Assessing your threat level before leaving

Before ticking anything, one question alone is worth asking: at what level am I for this precise trip? A trip’s threat model is built from three parameters, and it’s their intersection that gives the level, not any one of them taken in isolation.

First parameter: the value of the data carried. No sensitive documents, no trade secrets, no critical access to the information system — low level. A laptop with access to the CRM, client contracts, strategic exchanges and corporate mail — medium to high level, independent of the destination. The question isn’t “am I going to use it” but “what is physically present on the device at the moment it leaves my control.”

Second parameter: the value of the target. A media-exposed profile, an identifiable executive, a lawyer on a sensitive case, an investigative journalist, a researcher on a strategic subject — high level by default, regardless of where you’re going. The target is worth something to someone, and that someone often knows you’re travelling before you do.

Third parameter: the destination jurisdiction. European Union, Canada, Japan, Switzerland: low to moderate. United States, United Kingdom, Israel: extensive customs powers, possibility of an in-depth border search and compelled disclosure of passcodes, moderate to high risk depending on the profile. China, Russia, Belarus, certain Gulf states, countries under active sanctions: high level systematically, with a mature local interception ecosystem.

The intersection of the three gives the real level. A tourist in Thailand with no professional data: level 1. An HR director in New York with the executive committee’s compensation file: level 2 minimum. A CFO in Beijing for an unannounced deal: level 3, no debate. The classic trap consists of looking only at the jurisdiction. A “safe” destination with a device crammed with sensitive data remains a level 2: the risk doesn’t disappear because the country is friendly. The snatch theft in a European station, the burgled hotel room, the laptop forgotten in a taxi — these mundane vectors don’t read diplomatic advisories.

What really happens, vector by vector

The threat model becomes concrete when you list the real vectors instead of waving the abstract fear of “getting hacked.” They fall into four families.

Physical access to the device. This is the dominant vector, and the most underestimated. A laptop left on a hotel-room table during dinner remains accessible to staff, to a visitor, to anyone with a pass. Without active disk encryption and a locked session, copying the entire contents takes a few minutes with an external boot key. The so-called evil maid scenario — a brief, discreet access in your absence — has nothing exotic about it: it just takes a target worth the effort, and a device left alone for ten minutes.

The border and customs. In several jurisdictions, the border officer can demand the device be unlocked, copy its contents, or hold it for several days. In the United States, the border search requires no warrant. Refusing to cooperate can cost a non-citizen entry to the country. That’s precisely why level 3 (N3) separates the hardware: you can’t be compelled to reveal what you don’t carry.

Local network interception. The Wi-Fi of a hotel or conference, in a mature-interception jurisdiction, is not neutral. An IMSI catcher captures mobile traffic within a given radius; a MITM on the establishment’s wired network observes the connection metadata even when the content is encrypted. VPN and eSIM aren’t paranoid gadgets: they close this precise vector.

Targeted social engineering. A trip is public far earlier than you think — travel agency, shared calendar, LinkedIn post “delighted to be in Singapore this week.” This information feeds contextualised spear-phishing: a fake email from the hotel, a fake alert from the airline, a fake SMS from the local carrier. Travel fatigue lowers vigilance at exactly the moment the attack arrives.

The right approach: three levels, one documented switch

The pragmatic switch consists of no longer thinking “measure by measure” and reasoning “level by level” instead. You define three tiers, each encompassing the previous one, and you choose the tier based on the threat verdict. This avoids the two symmetrical pitfalls: paranoia on a harmless trip, and carelessness on a high-stakes one.

The breakdown rests on a principle: each level fully inherits the previous one. You don’t “pick” measures from a menu; you go up a notch and apply everything below. That’s what makes it teachable, verifiable, and usable by someone who isn’t a security specialist. On departure day, you no longer think: you tick the list for the chosen level.

Level 1 — Tourist

Safe destination, no sensitive professional data, a standard trip. The basic measures are enough, but “basic” doesn’t mean “nothing.” The risk here isn’t state espionage, it’s the mundane: the phone stolen at a café terrace, the bag forgotten, the device dropped. N1 preparation protects against opportunistic loss and theft, not against a determined adversary — and that’s sufficient for this trip profile.

  • Disk encryption enabled: FileVault on macOS, BitLocker on Windows, LUKS on Linux. Most people believe they have it and don’t. You verify, you don’t assume.
  • MFA enabled on mail and important accounts (bank, social networks). Preferably TOTP via a dedicated app, not SMS — an SMS can be intercepted via SIM swap or by a local sensor.
  • A recent verified backup — not just started, verified. If the phone falls in the water or disappears, you must be able to recover everything without drama.
  • A digital copy of documents (passport, visa, insurance) in the password manager, accessible offline.
  • The carrier’s emergency number noted separately, to block the SIM in case of theft.
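One way to do the "you verify, you don't assume" check for disk encryption, as an added example that is not part of the original article. It assumes English-language `manage-bde` output and an elevated prompt on Windows, and a root filesystem mounted at `/` on Linux; the function names and the sample output are constructed for illustration.

```python
import json
import platform
import subprocess


def filevault_on(text):
    """macOS: `fdesetup status` prints 'FileVault is On.' when enabled."""
    return "FileVault is On" in text


def bitlocker_on(text):
    """Windows: `manage-bde -status C:` (English output, elevated prompt)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # Encrypted with protection off means BitLocker is suspended: fail it.
    encrypted = fields.get("Conversion Status") in (
        "Fully Encrypted", "Used Space Only Encrypted")
    return encrypted and fields.get("Protection Status") == "Protection On"


def luks_root(lsblk_json):
    """Linux: `lsblk -J -o NAME,TYPE,MOUNTPOINT`; / must sit on a crypt layer."""
    def walk(node, encrypted):
        encrypted = encrypted or node.get("type") == "crypt"
        if node.get("mountpoint") == "/":
            return encrypted
        hits = (walk(c, encrypted) for c in node.get("children", []))
        return next((h for h in hits if h is not None), None)

    hits = (walk(d, False) for d in json.loads(lsblk_json)["blockdevices"])
    return bool(next((h for h in hits if h is not None), False))


CHECKS = {
    "Darwin": (["fdesetup", "status"], filevault_on),
    "Windows": (["manage-bde", "-status", "C:"], bitlocker_on),
    "Linux": (["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], luks_root),
}


def check_this_machine():
    """Run this OS's status command and parse what it printed."""
    command, parse = CHECKS[platform.system()]
    done = subprocess.run(command, capture_output=True, text=True, check=True)
    return parse(done.stdout)


# Constructed sample: an encrypted volume with BitLocker protection suspended.
SUSPENDED = "Conversion Status: Fully Encrypted\nProtection Status: Protection Off\n"

if __name__ == "__main__":
    print(bitlocker_on(SUSPENDED), check_this_machine())
```

The suspended-BitLocker case is the one most likely to surprise: the volume reports as fully encrypted while the check still fails it.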

Level 2 — Standard business

Corporate data, clients, contracts, access to the IS. Moderate-risk destination. All of level 1, plus a logic of surface reduction. The guiding principle changes: you no longer only seek to prevent access, you reduce what there would be to steal if access occurred. A device that contains only what you need for the mission is a device whose compromise costs far less.

  • Minimum of local data. Sync on demand rather than full automatic sync. The files you don’t need during the trip have no reason to travel.
  • Standard account, not admin. If you normally work as an administrator, create a standard account for the trip. Fewer privileges, less damage in case of compromise.
  • Corporate VPN tested from home before departure. The exact protocol, not the icon in the bar. If it doesn’t get through, IT has time to unblock it.
  • A pre-purchased local eSIM. A connection independent of the hotel network, harder to intercept locally, often cheaper.
  • Destination sheet consulted. FCDO, State Department: not for geopolitics, for the concrete restrictions on computer equipment and declaration obligations.
  • Emergency contacts accessible without the phone: IT, DPO, lawyer. A number on a slip of paper tucked into the passport is enough.

Level 3 — Plausible target

M&A in progress, active litigation, exposed executive, journalist, lawyer on a sensitive case. High-risk destination. All of level 2, plus a logic of physical separation. Here, surface reduction is no longer enough, because you assume an adversary with both the means and the intent. The only solid guarantee is that the travel device has never contained, does not contain, and won’t be able to access the data you want to protect. You don’t clean the usual machine: you use another one, blank, disposable in the operational sense.

  • A dedicated travel laptop, a clean image provisioned for this trip, never the usual machine. Prepared beforehand, re-imaged on return.
  • A dedicated phone or activation of Lockdown Mode on iOS, which closes a large part of the advanced vectors.
  • Removal of sensitive apps before departure: Signal, deal apps, critical access. Reinstallation on return after a check.
  • Temporary credentials distinct from the usual ones, with a rotation planned on return, and VPN access limited to the strict mission perimeter.
  • Internal briefing with IT on the context, the access granted, the return protocol. Plus a check-in protocol: “if I don’t make contact within X hours, here’s who to contact.”

What this means in practice

For you, as an individual

Three things to do this week, before your next departure outside your trust zone. None costs more than a few dozen euros.

1. 48 hours before: an encrypted backup and an up-to-date OS. Launch a full backup, verify it completed, and install the pending system updates. An up-to-date device closes the known flaws that interception tools exploit first. It’s free and takes an evening.

2. Disconnect sensitive cloud access from the travel device. Family photos, secondary mail accounts, professional folders you won’t use: disconnect them. If the device is lost, stolen or inspected, it only gives access to the strict minimum.

3. A local eSIM and a tested VPN before boarding. Order the eSIM two days ahead (Airalo, Holafly, or your carrier’s international plan), and launch your VPN once from home to confirm it works. On site, all you’ll have to do is activate it before joining any network.

For you, the CISO / IT director / executive

The “checklist by threat level” switch changes your framing on four structuring points.

1. The checklist belongs to the security policy, not to an internal blog post. A travel checklist that lives in a forgotten wiki or in one person’s head doesn’t exist operationally. It must be a reference document, versioned, with a minimum level required per country tier. Direct consequence: you write it into the ISO 27001 documentary corpus / security policy, and it becomes auditable on the same footing as access management.

2. The triggering must be automatic, not voluntary. Nobody spontaneously consults the procedure before booking a flight. The reminder must come from an event — expense report, visa request, booking via the corporate agency — and alert HR or IT for at-risk destinations. Direct consequence: you wire a trigger onto the booking or expense tool, with an alert to the SOC or IT the moment a tier 2 or 3 is detected.

3. The threat level is a piece of trip data, to be classified upstream. The same employee changes tier from one trip to the next. Without systematic classification, you treat everything on average — and therefore badly everywhere. Direct consequence: you formalise a data × target × jurisdiction matrix, and you integrate it into the approval workflow for sensitive trips.

4. The return is part of the preparation. An N3 with no planned return procedure is a potentially compromised device plugging back into the network. Incident response starts at pre-departure. Direct consequence: each N3 trip opens a return ticket (isolation, scan, re-image, credential rotation) before departure even happens.
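A sketch of the data × target × jurisdiction classification from the threat-level section, wired to a booking event as points 2 to 4 describe. This is an added example, not code from the article: the "highest score wins" rule, the ISO country keys, the event field names and the sample bookings are all assumptions made for illustration.

```python
# Jurisdiction scores from the article's tiers and examples, keyed by ISO code.
JURISDICTION = {"FR": 1, "CA": 1, "JP": 1, "CH": 1, "TH": 1,
                "US": 2, "GB": 2, "IL": 2,
                "CN": 3, "RU": 3, "BY": 3}

# Abbreviated from the article's checklist; each level adds to the one below.
CHECKLIST = {
    1: ["Disk encryption verified", "TOTP MFA enabled", "Backup verified",
        "OS updated within 48h", "Offline copy of identity documents"],
    2: ["Local eSIM pre-purchased", "Corporate VPN tested from home",
        "Minimum local data, standard account", "Emergency contacts on paper"],
    3: ["Dedicated laptop, clean image", "Dedicated phone or Lockdown Mode",
        "Temporary credentials", "IT briefing and check-in protocol"],
}


def trip_level(data, target, country):
    """Assumed rule: the highest of the three 1-3 scores sets the tier.

    An unlisted country scores 3, so it gets reviewed instead of waved through.
    """
    for name, score in (("data", data), ("target", target)):
        if score not in (1, 2, 3):
            raise ValueError(f"{name} score must be 1, 2 or 3")
    return max(data, target, JURISDICTION.get(country.upper(), 3))


def checklist_for(level):
    """Each level fully inherits the previous one."""
    return [item for n in range(1, level + 1) for item in CHECKLIST[n]]


def on_booking(event):
    """Classify one booking event and derive the follow-up actions."""
    level = trip_level(event["data"], event["target"], event["country"])
    actions = []
    if level >= 2:
        actions.append("alert IT/SOC")
    if level == 3:
        actions.append("open return ticket: isolation, scan, re-image, rotation")
    return {"traveller": event["traveller"], "level": level,
            "checklist": checklist_for(level), "actions": actions}


# Constructed booking events; the field names are hypothetical.
BOOKINGS = [
    {"traveller": "tourist", "data": 1, "target": 1, "country": "TH"},
    {"traveller": "hr-director", "data": 2, "target": 1, "country": "US"},
    {"traveller": "cfo", "data": 3, "target": 3, "country": "CN"},
]

if __name__ == "__main__":
    for booking in BOOKINGS:
        print({k: v for k, v in on_booking(booking).items() if k != "checklist"})
```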

Mistakes we see all the time

  • A VPN never tested before departure. Blocked at the destination, unusable on site, and a protocol like IKEv2 or L2TP actively filtered in China. Fixing that from abroad on a weekend is half a day lost in the best case.
  • Slack and Teams with twelve months of local history. These apps store months of exchanges on the device. On a lost or seized device, the whole operational memory goes.
  • Confidential documents in the “Downloads” folder. Rarely encrypted separately, never cleaned. A commercial proposal, an HR document, legal submissions that have been sitting there for three weeks.
  • Believing the usual risk level applies everywhere. The “it went fine last time” reflex applied to a destination that has nothing to do with the previous one.
  • No backup copy of identity documents. Passport lost abroad with no offline-accessible copy: the trip stops.
  • The charger borrowed or bought at the airport. Favour your own cables, and a charge-only cable with no data transfer for public stations. Juice jacking remains a vector on unknown equipment.
  • No plan if the device is confiscated at the border. Who to call, how to recover access, how to work 72 hours without the device.

Actionable checklist

  • N1 Disk encryption enabled and verified (FileVault / BitLocker / LUKS)
  • N1 TOTP MFA enabled on mail and sensitive accounts
  • N1 Recent backup verified (completed, not just started)
  • N1 OS and apps updated within 48h before departure
  • N1 Digital copy of identity documents in the password manager, offline
  • N1 Carrier emergency number noted separately to block the SIM
  • N2 Trip threat level determined (data × target × jurisdiction)
  • N2 Pre-purchased local eSIM for the destination
  • N2 Corporate VPN tested from home before departure
  • N2 Minimum of local data, standard account rather than admin
  • N2 Downloads folder cleaned of sensitive documents
  • N2 Destination sheet consulted (FCDO / State Dept)
  • N2 Emergency contacts IT/DPO/lawyer accessible without the phone
  • N3 Dedicated laptop with a clean image provisioned for the trip
  • N3 Dedicated phone or Lockdown Mode enabled
  • N3 Sensitive apps (Signal, deal, critical access) removed
  • N3 Temporary credentials with rotation planned on return
  • N3 Internal briefing with IT on context and access granted
  • N3 Regular check-in protocol defined before departure
  • N3 Return procedure opened (isolation, scan, re-image, rotation)

Going further

The FCDO’s country pages are updated regularly and list local restrictions on computer equipment, declaration obligations and entry conditions. The US State Department publishes equivalent advisories with a clear level system. For organisations exposed to economic espionage, the NCSC issues short, factual guidance on travelling securely, too often ignored.

On the hardware: the Travel laptop article details building a clean image and provisioning a dedicated device. On crossing borders and compelled disclosure: Borders and customs. And to close the cycle, the Return-from-mission procedure explains why the return is the most neglected and most risky phase of the trip.

One last point, because that’s where most arrangements fail in practice. A checklist is only worth the discipline that carries it, and discipline erodes the moment it depends on individual goodwill. The traveller who’s made the trip twenty times “knows the drill” and skips steps; the rushed executive delegates the preparation and assumes it was done. The fix isn’t to send more reminders to people who ignore them — it’s to make the good behaviour the path of least resistance. A travel laptop sleeping in a drawer, already imaged, turns an hour of preparation into five minutes of retrieval. A pre-purchased eSIM that renews itself removes a decision. The best pre-departure preparation is the one nobody has to remember, because the system remembers it for them. Build that, and the checklist stops being a document nobody follows and becomes the very form in which trips unfold.
