Pre-departure preparation: checklist by threat level

Three levels (tourist / standard business / plausible target). Exhaustive kit + accounts + briefing list. When to step up a level.

This version was translated with AI assistance and reviewed by a human.

A CFO is flying to Dubai for a closing. He calls me the night before to ask if his phone is “OK.” His iPhone is synced to the family iCloud, he keeps passwords in Notes, and Slack has six months of M&A exchanges stored on it. The honest answer: no.

The common trap

“I book the flight, hotel, visa. Digital security — I’ll sort that out once I arrive.”

By then, some measures are already too late. Disk encryption has to be enabled before you leave, not in a hotel room over the establishment’s Wi-Fi. A local eSIM needs to be ordered 48 hours in advance. The corporate VPN needs to be tested from your home, not in an international airport terminal where there’s a 15% chance it’s blocked. Security preparation is a pre-departure task, not an on-the-ground improvisation.

The second problem: most people prepare as though their risk level is always the same. It isn’t. The executive flying to Barcelona for a routine meeting and the same person flying to Shanghai to negotiate an acquisition are not facing the same threat. Treating both situations identically either wastes energy or leaves you exposed.

Assessing your threat level before you leave

Before checking anything off a list, one foundational question: what level am I at for this specific trip?

Three parameters determine the level:

  1. The value of the data you’re carrying. No sensitive documents, no trade secrets, no access to critical systems → low level. A laptop with CRM access, client contracts, strategic communications → medium to high level.

  2. The value of the target. A media-exposed profile, an identifiable executive, a lawyer on a sensitive case, an investigative journalist → high level by default, regardless of destination.

  3. The destination jurisdiction. European Union, Canada, Japan: low to moderate. United States, United Kingdom, Israel: extensive border powers, moderate to high depending on profile. China, Russia, Belarus, some Gulf countries, countries under active sanctions: systematically high level.

The combination of the three gives you your level. A tourist in Thailand with no professional data: level 1. An HR Director in New York with the senior executive compensation spreadsheet: level 2 minimum. A CFO in Beijing for an unannounced deal: level 3.

Level 1 preparation — Tourist

Safe destination, no sensitive professional data, standard tourist itinerary. Basic measures are sufficient — but “basic” doesn’t mean nothing.

Devices:

  • Disk encryption enabled (FileVault on macOS, BitLocker on Windows). Most people haven’t enabled it. Check, don’t assume.
  • MFA enabled on email and important accounts (bank, social media). Prefer TOTP (Authy, Aegis), not SMS.
  • Recent backup verified — not just started, verified. If your phone falls in a pool or gets stolen, you need to be able to restore everything.
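
One way to "check, don't assume" for the disk-encryption item, as an added example that is not part of the original article. It assumes the English-locale output of `fdesetup status` (macOS) and `manage-bde -status C:` (Windows, elevated prompt); the function names are illustrative.

```python
import platform
import re
import subprocess
from typing import Optional

def filevault_ok(status: str) -> bool:
    """`fdesetup status` output: FileVault on, with no conversion still running."""
    if "FileVault is On." not in status:
        return False
    # "Encryption in progress" means part of the disk is still plaintext.
    return not re.search(r"in progress", status)

def bitlocker_ok(status: str) -> bool:
    """`manage-bde -status C:` output: 100% encrypted AND protection on.

    A volume can be fully encrypted while protection is suspended (for
    example around an update); the volume key is then stored in the clear.
    """
    pct = re.search(r"Percentage Encrypted:\s*(\d+)", status)
    prot = re.search(r"Protection Status:\s*(.+)", status)
    return bool(pct and prot
                and int(pct.group(1)) == 100
                and prot.group(1).strip() == "Protection On")

def disk_encryption_ok() -> Optional[bool]:
    """Run the native tool for this OS; None means the platform is not covered here."""
    system = platform.system()
    if system == "Darwin":
        cmd = ["fdesetup", "status"]
        return filevault_ok(subprocess.run(cmd, capture_output=True, text=True).stdout)
    if system == "Windows":
        cmd = ["manage-bde", "-status", "C:"]
        return bitlocker_ok(subprocess.run(cmd, capture_output=True, text=True).stdout)
    return None

if __name__ == "__main__":
    labels = {True: "encrypted and protected",
              False: "NOT ready to travel",
              None: "platform not covered, check manually"}
    print(labels[disk_encryption_ok()])
```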

Documents:

  • Digital copy of passport, visa, travel insurance, vaccination record: in your password manager (Bitwarden, 1Password), accessible offline.
  • Emergency mobile operator number memorized or noted separately to block the SIM if stolen.

Connectivity:

  • No public Wi-Fi without VPN for banking or email sessions.
  • Bluetooth off when not in use (minor attack surface reduction, zero friction).

Level 2 preparation — Standard business

Company data, clients, contracts. Moderate-risk destination. Executive with sensitive system access. Everything from level 1, plus:

Device footprint reduction:

  • Minimum data stored locally. On-demand cloud sync rather than full automatic sync. Files you don’t need during the trip don’t need to travel with you.
  • If you normally work with an admin account: create a standard account for travel. Fewer privileges = less damage if compromised.
  • Review installed apps: you don’t need full system access while traveling if you only need two specific tools.

Connectivity:

  • Corporate VPN tested and working from home before departure. Test the actual protocol, not just the icon in the status bar. If it fails, the IT security team has time to fix it.
  • Local eSIM pre-purchased for the destination. Independent from the hotel network, harder to intercept locally, often cheaper. Operators like Airalo, Holafly, or your carrier’s international offer cover most destinations.

Briefing:

  • Check destination advisories from the US State Department, UK FCDO, or local equivalent. Not for politics — for specific restrictions: banned apps, mandatory declarations for IT equipment, customs conditions.
  • Read travel security advisories from your national cybersecurity agency (CISA, NCSC, ANSSI) for high-risk destinations. Short, factual, and routinely ignored.
  • Emergency contacts accessible without your phone: IT security team/CISO, DPO/privacy officer, corporate counsel. A phone number on a slip of paper in your passport works fine.

Level 3 preparation — Plausible target

Active M&A process, live litigation, media-exposed executive, journalist, lawyer on a sensitive case. High-risk destination (China, Russia, countries under active surveillance). Everything from level 2, plus:

Dedicated hardware:

  • Travel laptop with a clean image, provisioned specifically for this trip. Not your regular work machine. The image is prepared before departure and wiped on return. (→ see Travel Laptop article)
  • Dedicated travel phone, or iOS Lockdown Mode enabled (blocks most advanced attack vectors at the cost of some usability).

Reducing your digital footprint:

  • Delete sensitive apps before departure: Signal, M&A tools, critical system access apps. Reinstall after return and verification.
  • Sign out of secondary email accounts on devices.
  • Slack and Teams message history: reduce to 30 days if possible, or switch to a travel-specific account.

Temporary credentials:

  • Temporary access tokens and passwords, different from your usual credentials, with rotation planned on return.
  • VPN access scoped to the minimum necessary for the mission.

Operational preparation:

  • Internal brief with the IT security team on the trip context, granted access, return protocol.
  • Regular check-in protocol: “if I don’t make contact within X hours, here’s who to call.”
  • Return procedure prepared in advance, including laptop re-imaging and full credential rotation. (→ see Return from Mission article)

What people always forget

The untested VPN. Debugging a VPN connection from Shanghai on a Sunday morning is a half-day lost at best. And some protocols (IKEv2, L2TP) are actively blocked in China. Test from home, using a restriction simulator if needed.
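
A sketch of testing the tunnel rather than the status-bar icon, for the home VPN test described above and in the level 2 connectivity list (added example, not from the original article). It assumes macOS or Linux; the tunnel interface prefixes and the internal address `10.20.0.5:443` are placeholders to replace with your own.

```python
import platform
import re
import socket
import subprocess
from typing import Optional

# Assumption: interface-name prefixes used by common VPN clients; adjust to yours.
TUNNEL_PREFIXES = ("utun", "tun", "tap", "wg", "ppp", "ipsec")

def egress_interface(route_output: str) -> Optional[str]:
    """Outgoing interface from `route -n get` (macOS) or `ip route get` (Linux)."""
    m = (re.search(r"^\s*interface:\s*(\S+)", route_output, re.M)  # macOS
         or re.search(r"\bdev\s+(\S+)", route_output))             # Linux
    return m.group(1) if m else None

def routed_through_tunnel(route_output: str) -> bool:
    """True if the route to the internal host leaves via a tunnel interface."""
    iface = egress_interface(route_output)
    return bool(iface) and iface.startswith(TUNNEL_PREFIXES)

def service_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """A completed TCP handshake with an internal-only service shows that
    traffic really crosses the tunnel, whatever the client UI says."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_vpn(internal_ip: str, port: int) -> dict:
    """Ask the OS which interface carries traffic to internal_ip, then connect."""
    if platform.system() == "Darwin":
        cmd = ["route", "-n", "get", internal_ip]
    else:
        cmd = ["ip", "route", "get", internal_ip]
    out = subprocess.run(cmd, capture_output=True, text=True).stdout
    return {"interface": egress_interface(out),
            "via_tunnel": routed_through_tunnel(out),
            "reachable": service_reachable(internal_ip, port)}

if __name__ == "__main__":
    # Placeholder: a service that is only reachable over the corporate VPN.
    print(check_vpn("10.20.0.5", 443))
```

Run it once with the VPN disconnected as well: `via_tunnel` and `reachable` should both turn false, otherwise the chosen host is not actually internal-only.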

The power adapter. Trivial. And yet. Avoid borrowed chargers from the hotel or last-minute airport purchases. USB charge-only cables (no data transfer) are essential protection for public charging stations.

Slack and Teams with full history. These apps store months of exchanges locally. On a lost or seized device, that’s the entire operational memory of the company.

Confidential documents in “Downloads.” This directory is rarely separately encrypted. A report, a commercial proposal, a sensitive HR document sitting there from three weeks ago: archive or delete it before you leave.

A plan if the phone is confiscated at the border. Rare, but it happens. Have a plan: who to call, how to recover account access, how to work without the device for 72 hours.

Common mistakes

  • Leaving without a local eSIM, finding the local network unusable or prohibitively expensive
  • VPN untested, blocked at the destination, unusable on the ground
  • Slack and Teams with 12 months of history on the travel device
  • Unencrypted confidential documents in Downloads
  • No backup of identity documents
  • Assuming the same risk level applies regardless of destination

Checklist by threat level

Level 1:

  • Disk encryption enabled (FileVault/BitLocker)
  • MFA enabled on email and sensitive accounts
  • Recent backup verified (not just initiated)
  • Digital copy of documents in password manager
  • Emergency carrier number noted separately

Level 2:

  • Local eSIM pre-purchased for destination
  • Corporate VPN tested from home before departure
  • Minimum data stored locally on device
  • Destination advisory checked (State Dept / FCDO)
  • Emergency IT/legal contacts accessible without the phone

Level 3:

  • Dedicated laptop with clean image for the trip
  • Dedicated travel phone or Lockdown Mode enabled
  • Sensitive apps deleted before departure
  • Temporary credentials with rotation planned on return
  • Internal brief with IT security team
  • Regular check-in protocol established
  • Return procedure prepared in advance (re-image, rotation)
