Planes, hotels, and conference stages aren’t what put you at risk, it’s what you bring with you. In this episode, Dawn Sizer of 3rd Element dives into the real reasons traveling professionals become easy targets: weak policies, poor communication, unsecured devices, and total blind spots around personal data exposure. From conditional access headaches to rideshare risks and AI policy chaos, this is a practical, no-excuses look at how security breaks down in the real world, and what you need to fix before your next trip.
[00:00:06] Welcome to MSP 1337. I'm your host Chris Johnson, a show dedicated to cybersecurity challenges solutions, a journey together, not alone. MSP 1337 this week I am joined by Don Sizer of Third Element. Don welcome to the show. Hey, thanks for having me. As I dropped my pen and almost stabbed myself with it, that was fun.
[00:00:36] That's a good start to all of this. Oh man. So we had put this on the calendar a while back to talk about traveling securely. And ironically, when I've had these conversations with other MSPs, they seem to think I'm crazy.
[00:00:58] So I would like to hear your thoughts just out of the gate, because you and I and Henry Tim and several others have talked about this before of like, just because we're not celebrities doesn't mean that we're not targets when we travel domestically or internationally because of the things that we do. And I think it's not only because of the things that we do, but it's like everything else just because you are traveling.
[00:01:28] And the more often that you do it, the more your chances increases that you not only become a target, but you become the target. Right. So it's kind of like the more often you drive, right? The more your chances increase of getting into a collision, not just because you're a bad driver, just because your chances increase. Sure. It's no different when you're talking about travel. Yeah, the more times I get on an airplane.
[00:01:59] I always sit in the exit row. I try to always sit in the exit row. And I recently was on a flight and the person by the window was a flight attendant. And the person came and did the, you know, here's the overview. Do the thing in the binder. Are you capable of pulling the door?
[00:02:18] And the guy in the middle said, I don't know why they even do this anymore, because, you know, the reality is if you follow the instructions, this is pretty straightforward. And I said, you know, until you actually have to pull the door. Right. And so the flight attendant and this guy both look at me like, what do you mean? I said, when I was in college, I was in high school, I think I was in high school, senior year, freshman year of college, I had to pull the door.
[00:02:47] So we were, we landed, the plane had landed and they were coming back to the gate. And when they turned the plane, they slid the front landing gear slid off the runway and it buckled the front, the front wheels as they were turning around. So nothing crazy. Like the plane didn't like suddenly lurch and everybody like freaked out in the stream. There was none of that. But you got to take the slide. You got to take the slide off the airplane. We got to take the slide. Nice. We did.
[00:03:13] And when they say it's 40 pounds, it's about 40, whatever it was. I don't remember the weight being a factor, but like you're trying to move a door. Like you have to pull the door inside. So if you throw it, you don't want to throw it outside because then you could feasibly damage the slide with the door. And so I just mentioned that and the flight attendant, she goes, you know, I've done the training scenario. She's explaining to us, which is now making me nervous because I don't want to hear from someone that does it regularly that I missed something in 20 years ago, 30 years ago.
[00:03:43] And what she said was really funny. She goes, every time I pull the door, it makes me uncomfortable. I'm like, well, yeah, because that's not the door we're supposed to go out of on an airplane. So it shouldn't make you uncomfortable. The guy in the middle goes, I've decided I don't need to read the little thing in the seat back in front of me because you guys got this figured out. But like to your point, I choose to fly the exit row because I get extra leg room.
[00:04:09] And the outlet is in front of me instead of under the seat where I have to try and figure out an eyeball where to put the two prongs because then I can't see. You get exit row, you can see it right in front of you. Yeah. So, but I mean, am I increasing the probability then of me having to be an emergency responder when the plane doesn't? Absolutely. You know, honestly, I think you're more likely to have forgotten your charger than anything else. Fair. Fair. So.
[00:04:40] Fair. But maybe they'll move me to first class and I don't have to think about it anymore. That would be fantastic. That's right. We could only all be so lucky. Right. So what, what started, Don, you and I think Henry was involved in some of this.
[00:04:58] Maybe your husband were involved in this conversation of like, where did you start going down the path of like profiling business owners and, and, you know, key leadership roles for identifying what their risk really might be. You know, it's, it's really silly, but I think we started down this road with something completely innocuous, like conditional access. Right. And probably that's where everybody runs into it. Right. You have a client that's traveling.
[00:05:27] Suddenly they decide they're going to, you know, Aruba, you know, on vacation and they don't tell you. And now they're like, I can't get into my email. And you're like, where, where are you? I don't want to tell you. Exactly. Exactly. So I think that's where it started to come into the situation of travel, right? Okay, great.
[00:05:54] So we're, we're going to wherever it is we're going. Like I had to go to London earlier this year. Actually, I started out in Amsterdam and then we ended up on the Eurostar and then over to London and conditional access was fun on this trip. I can, I can tell you that. I can, I can tell you that. And when you're, you're running a red eye from the East coast to Europe, it's not that big of a deal, right?
[00:06:21] Cause you, you sleep on the way over, you get there. It made me a little bleary eyed and I'm looking in a different language going, you know what? I'm just going to call an Uber. They're trying to figure out the trains in a different language. And at that point, I think I started to think too, like, I'm now in a different country with a language. I don't speak calling an Uber and I'm hoping they speak English going to a hotel significantly far enough away from the airport.
[00:06:51] That I'm considering my safety at what was it? 11 o'clock at night or whatever it was, you know? So you think about that and then you think about, okay, now I'm in another country or I'm somewhere where I don't have another adult with me in some way, shape or form. Right. Cause. What are you going to say having an adult with you? Like, okay, you need a chaperone. Got it. Yeah. Well, I mean, have you met me? So that's fair. That's fair. Okay.
[00:07:21] So, and I think, okay, well, I do have my little doorstopper and I have this and I have that. And like, I should be fine. Everything should be fine. All things considered, you know, what are the chances? But when you are traveling, you don't really take all of these things into consideration. You're just like, I'm getting from point A to point B because I'm either working or I'm going on vacation or something else is going on.
[00:07:44] And you're thinking more about that than you are about your physical security, your digital security, your company security, quite frankly, because you're in the middle of doing something else. Sure. Which I think, just to clarify, I think you're defining the fork in the road. Right. The I'm responsible versus they're responsible, right? So like we can accept quickly that I'm responsible for my personal, not work related security.
[00:08:11] But then at the same time, say, oh, I'm not there. My work, they've got this. Right. I hope. Yes. So. But I mean, there's an assumption there that for the average employee of most organizations would tell you that they largely don't worry about things like security because that's somebody else's responsibility. That is 100 percent correct.
[00:08:36] And there is a I think there's a disconnect as well. So, again, coming back to the person that's in Aruba, right? They don't tell it. Hey, I'm going on vacation to Aruba or I'm going on vacation to Mexico or I'm going on vacation somewhere that is not in the continental United States. Sure. So and then you have situations where all of a sudden the sock is alerting with this person is, you know, outside of the conditional access area and something is not right here.
[00:09:06] And then you're having to lock their account and then they're and they're mad at you. And you're like, my friend, we have a policy in place that says you're supposed to tell us when you're out of the country. You forgot. Yeah. Yeah. So double edged sword on the yes, we're protecting you. Yes, it is our job to do so. But the flip side to that is if they weren't on vacation and somebody was trying to get in from another country or whatever, that's what conditional access is there to stop. Sure.
[00:09:34] But I but I think it's bigger than that. Right. So, you know, I remember the first time I configured geofencing on a firewall and then had to turn it off because it wasn't very accurate. Fast forward. I don't think we have that same level of difficulty anymore. We've gotten much better at what geofencing really is. But one of the things that comes to mind is the company or the client that you do that for.
[00:09:58] You don't have any sort of like, what do you mean they might be trying to reach out to me from Russia or fill in the blank, not the US. Right. And now we obviously have a different problem where a lot of threat actors can infiltrate. They're already in the US before they try to target my infrastructure. But that's where it gets interesting is to your point about like the communication piece, like telling you that you're on vacation. If you're on vacation, in some some cases, I think we don't do a very good job of just saying you don't have access because you're on PTO.
[00:10:28] Right. And I get it for business owners. I do. Sure. But sometimes, too, it's a whole lot of like, maybe you should just go on vacation. I hear you. Or like have a protocol in place that says, hey, we call you and we need you to look at something. We're going to put some pieces of like step through these hoops to give you access knowing where you are as opposed to like, oh, while you're on vacation. But we might need you just for like a couple of the proposals that we're working on.
[00:10:56] And it's like, well, was it really worth it? I guess it all depends on what it is and what's going on in the seniority level of the person, because there's there's every possibility that we don't have protocols in place or we can't depending on the size of the organization. We always have that problem. We always have that problem, right? Like protocols in place, process and procedures in place, policies in place.
[00:11:20] I think if I could capture one phrase that I've heard over and over and over again, it's the yeah, we all kind of understand what we're supposed to do. So I don't know that we need a policy for that. Oh, good Lord. No, if we could have the documentation, that would be fantastic. It's a good starting point to have documentation because then you're like, oh, there's a flaw in that little document you got there as opposed to it's in your head. So I believe it's perfectly flawless. No, no, thank you. No, no, I don't know.
[00:11:47] I think we were just talking about altering one of our policies earlier today. So it's a I is doing some really weird stuff. And it's what's it doing? It's just more along the lines of like how we have to think about things and the way that we're going at them and who can access what and the just the velocity of how things are going. And I feel like we've had to rewrite our policy three times already this year. And it's June. So it's just.
[00:12:18] Let me ask you an AI policy question, then. AI is for lack of a better explanation. It's another technology that we deal with. Why do we need another policy for AI? In this case, it's what we're using and how we're using it. Sure. So that's the that's the caveat to that.
[00:12:38] I don't think the the data usage that the other things around it stay the same, but it's the what things were allowed to touch are changing on the right. I don't like rules of engagement. Yeah, it's that the models are changing so fast and what they're able to do. Gotcha. So we've talked a little bit about the digital side of this. Talk to me about the physical security.
[00:13:02] I know Henry and I have had some strange conversations about like, you know, the Uber that comes with like, you know, armed bodyguards and like bulletproof glass. And I realized that that's an Uber that I just want to be in just for the sheer nature of being able to say that I rode in that that ride. But like, is it crazy to have that level of paranoia about the world we live in? I think it depends on where you are at any given time. Right.
[00:13:30] And I think that one was in Columbia. And there are places in this world that I would I would feel a lot more confident motoring about, if you will, if there was a bulletproof glass between me and general populace. But for the for the average person, I think just having such an emotional awareness of what's going on around you, who is around you, you know, are you in danger? Are people watching you?
[00:14:00] Are they watching your stuff? Right. Sure. Because when you're when you're looking at what's what's going on in the world, I mean, again, just stepping off a plane somewhere, there's always somebody that's watching people come off that plane. Yeah, maybe they're just judging my back. I don't know. I really I don't want to think about it too awful much that poor things been beat to death. But, you know, you have to think about that.
[00:14:27] And especially once you get out from the doors of the airport, really watching who is around you and the amount of people that this blows my mind to this day, when people are picking up their luggage or when you're walking through the baggage area, the drivers that are standing there like, do you need a ride? I'm thinking to myself, why would anyone say yes to that? That's crazy. Yeah, but I have some prerequisites. Does the van have zero windows?
[00:14:56] And do I need to put a hood over my head before I climb in the van? Like those are just some of the things I want to get out of the way before I say yes, I need a ride. Well, I mean, it all depends on whether the bag is washed and if there's candy. So hold on. It doesn't really matter if the bag's washed, there's candy. Let's be honest. This is my favorite. How'd you know? But yeah, I mean, that kind of thing is a little crazy to me. And the fact that we all depend on an app, right? Sure.
[00:15:24] The Uber or Lyft or whatever it is that you are using to just call some random stranger essentially that gets a message that says go pick up this random person to you and take them to a new location. Like that still blows my mind to this day. But to be fair, I think it to some degree was worse before the world we live in today. Do you remember going up to the little kiosk area that had like 30 little lit screens that had like different labels on them from hotels to rental cars?
[00:15:54] And you picked up the handset and you told them where you were. And so then they dispatch somebody. So you went from I talked to Nora and now I've got whoever it is, but they didn't tell me that part. They didn't tell me who the driver is going to be. They just told me what to look look out for as far as the vehicle showing up. Right. Yeah, I know. I think I was too poor to have that experience. It was more like, oh, there's taxis out there. Just go jump in one of them and say, follow that car.
[00:16:25] So the free shuttle service was more expensive than getting in a taxi. Oh, really? Well, that's silly. Yeah. She just didn't want to touch the handset that have been touched by how many other people. Well, I mean, yeah, that's fair. Sure. But when we when we think about some of that stuff, I mean, every time I get in an Uber, I mean, one, I have it set for women drivers, like 100 percent women drivers.
[00:16:52] And there's always a notifies my emergency contact that I'm in an Uber. It's with this person. Here's where I'm at. You know, that kind of automatically I have it set to do that already. Yeah, it was really interesting. I was traveling with my husband the last time and I was calling an Uber and he's like, well, wait a minute, you have that set for women drivers. I'm like, yeah. He's like, I didn't even know it could do that. I'm like, well, yeah, you're a man. Why did you know it would do that? It's like I have it set to tell me when someone has a bicycle and they can pick me up.
[00:17:23] But that's an interesting. That's an interesting, you know, along those lines. So forgetting like who I pick as my driver, there are some other things that I think people don't do, like set the security code. Like, how do you know you got in the right Uber? Just because it has a little sticker that lights up says Uber and the license plate allegedly. I mean, there are known problems if the thing that pops up on your screen for the Uber app says, please verify that it's the right car. Right.
[00:17:52] And you're like, and the car, the car was a Tesla. It was black. It said black Tesla. What could go wrong? I don't know how many times I've had my Uber, mine, my personal Uber that was coming to get me. It's mine. And somebody went out, jumped right in it and they left. And I'm like, I wonder where you're going, dude. Okay. So I haven't had that one, but I've had the, the, the, the plan deviated.
[00:18:17] So we were recently at the PAX 8 event and Jenny and I were waiting for our Uber. And it went from like, we're waiting five minutes to we're waiting 15 minutes, which is starting to impact the timeline we have at the airport. Yeah. And when the Uber driver finally got to us, cause like it sat at the same time for pickup for a long time, like 14 minutes counting down, except the time is not moving. It's still staying 14 minutes, you know, 10 minutes later. And he gets there and he goes, I am so sorry.
[00:18:46] He goes, my, my passenger had me stop at the pharmacy. And that's what screwed up the whole, they added a stop on the way. And I'm like, you know, it would have been really nice if you had just said that. Cause I could have said no and gotten a new ride and wouldn't have been a problem. Right. It's like, yes. He goes, I totally could have, you know, done that. He goes, my bad. And I'm like, no, as long as we get to the airport, we're good. Yep. A hundred percent.
[00:19:14] So I'm curious, like, do you use, do you use a YubiKey or anything when you travel? I use a YubiKey when I'm at home. In fact, I have one sitting right here. In fact, actually, this is the backup one. I keep one in a waterproof cylinder along with a flash drive in case I need to get prompted. I'm inside that 30 day window and it prompts me for it. I have the YubiKey. Oh, nice. Nice.
[00:19:39] So we had our set that you had to have it in order to log in at all, which that was fun. Um, so that long story short, we had to adjust our policy on that cause it was getting, it was so tight that we were struggling to use it. And we're pretty. Oh, the YubiKey to authenticate for Uber. Yeah. No, not for Uber. I mean, just to authenticate at all. Like. Yes. So I have not done that.
[00:20:08] But I, what I will say is the physical key definitely makes a difference. In fact, I have one that actually looks like a credit card. I don't have it on me, but it is a, it works. It's an NFC card that works. It's, it supports, it's called a prox key. It looks just like a credit card. Yeah. And you tap it on the back of your phone. Um, it's largely used for cryptocurrency for wallet authentication, but they support the YubiKey protocol. And so I've used that quite a bit.
[00:20:36] I find there's a little bit of paranoia that can happen when I don't want to put myself in a position where I can't authenticate because I don't have, you know, plan B. Um, I was traveling as it was last year. I was, I went international and I forgot my wallet. So I had my passport and I had my phone. So my phone essentially has, and I was expecting a lot more challenges than I did live and learn.
[00:21:02] The U S is more complicated and navigate with a wallet and a phone or a passport or any form of identification than it is to travel internationally and have half of your identification. Yeah. It's wild. Yeah. Uh, so I have one for you and, and, um, I think this is a interesting for our listeners. Third world country, uh, phone gets dropped. Phone gets picked up.
[00:21:32] And fortunately they had life 360 on the phone. So they were able to see where the phone moved and decided to go after the phone, got somebody to call it. They're like, yeah, I picked up this phone. It was on sidewalk. When they got the phone back, everything had been converted to a different language. Uh, they were taking advantage of things on the phone, which is like, it couldn't have been a better educational moment because the person who picked up the phone was taking
[00:22:00] advantage of the fact that they had a new device that had technology that they didn't have as opposed to, I want to take advantage of who had this phone. Yes. And it was actually quite comical because when we got the phone back, cause everything had been converted to another language, things still wouldn't go back. So trying to load Facebook was still loading in a foreign language. And it's like, but I changed it in settings back to English.
[00:22:27] It's like, nah, let's try rebooting the phone and rebooting the phone fixed, fixed some of those issues. But it's like, had they had a pin code established on their phone, the phone would have never been compromised. They didn't even have a pin code on it? No. Oh, wow. Well, you know how inconvenient a pin code is. Like if you, I mean, it's just a personal device or a business device. It was a personal device.
[00:22:57] Well, that's, and that's none of my business other than, you know, that's dumb, but whatever. But, but here's the interesting thing. And this is where I wanted to go with it. Travel internationally and think about things like, yeah, in their case, it was somebody that was curious about a device that they found on the ground. Yep. But when you go through a security checkpoint in another country, the device that they're scanning and the person are together. Yep.
[00:23:21] And they're having a heyday with all of the data that is accessible on your device, unless you've done something like a physical reboot where you've got a pin code in there where biometrics don't work because the phone has been rebooted. They cannot access it. I don't know how many times I've had somebody say that I didn't do that. And I know my data has been compromised. And it's like, I think about the situation that I witnessed small potatoes. You know, we were in a foreign country.
[00:23:51] The device was found by an individual versus someone who's been trained on data exfiltration. I mean, I'm thinking about I'm actually panicking a little bit just thinking about that, like, losing my phone. I wish they panicked more. Yeah. I mean, I can't even imagine that that thing is like, I'm not sure, but it might actually be an appendage at this point.
[00:24:18] Like, the phone is part of my hand, like, or pocket. I'm not sure which, but my life is on there. I've heard it be called, I've actually heard it be referred to as a child. So, like, if they lose it, it's like losing a child in the mall. It is. It's like, well, I mean, I, my kids are grown at this point, but we've got dogs in it. They would be like losing one of the dogs. That knows one of your children. Yeah.
[00:24:49] Yeah. Like, like legitimately, I can't even imagine, but like, is it my entire life is on that phone? And while, while, yes, if I can get ahold of my team, they can wipe it from remote. Great. As long as it's turned on, but. Well, that's the kicker, right? Think about the paranoia that comes with that. Have your phone just stop checking in. Right. Like what happened to it? Did it die? Did someone kill it? What happened?
[00:25:17] I mean, at this point, it's a couple of years old and I need to do one. So if it died, it would be okay with that. I mean, like when you say it's getting older, are you like, you have to go through two battery packs or three battery packs, the Henry Tim way or like not quite that severe. Um, I'm I it sits in its own little charger unless it's in my hand. So it's it's it's lived a full life. That's funny.
[00:25:47] That's that's fair. So we've got a few minutes left and I wanted to take it full circle. Um, when I I think I had reached out to Henry, we were having this conversation about do I know what my profile looks like? And he sent me this like dossier dossier folder and basically scared living daylights out of me. Can you share a little bit about that?
[00:26:13] Because I think that is where the audience needs to be, is that there is a profile on you. It's a question of who has it. And it doesn't really matter because you don't know, you'll never know who has that dossier on you. It's what you do to prevent that dossier from being problematic for you when you travel for when you are at home. Yeah, I mean, yeah, go talk to chat GPT first and foremost. Like, go find out what it knows about you.
[00:26:44] And that in and of itself, when you can say, okay, this is this is me go go find out how much you can find out about me. That alone will give you an idea. Hopefully you're not doing that. It's going to make you cry. Um, it'll give you an idea. It's what's available just readily available. And that should give you a starting place for the things that you can start to erase either
[00:27:13] before you travel or just, you know, going about your daily. There's a couple of services out there that aren't terrible that, um, especially MSPs can go sign up with or whether it's personal, whether it's for the MSP for the VIP clients cloaked is one or as another. I use or personally, I really like it. It is good for getting rid of some of the data that is out there.
[00:27:40] But one of the biggest things if you turn on the call prevention, it actually will stop the hounding of all of the vendors that try to get ahold of you through your cell phone number that they have somehow gained. Um, so it stops that, which is fantastic. Well, apparently we've got our chat TPT. So dialed in, it says, um, I can't do that search. There you go.
[00:28:07] But for those of you that are on your personal plans or things along those lines, that's a good thing. Uh, go check that out. Go check out what Google knows about you as well and start from there. But yeah, there's, um, there's some prompting that you can do. Uh, I know Henry has it. I know we have it in our deck for this year. So if any of you see us at any of the Channel Pro events, you can get a copy of that dossier for yourself
[00:28:31] and some OSINT prompts that'll give you some really good intel on how to protect yourself a little bit better and what other people can find out about you. But the other part to that, if you haven't really thought about your children or your parents, especially if they're aging, is protecting them as well. Whether you're traveling, whether you're home, because your, your kids or your parents will give out information about you without thinking about it or thinking about the ramifications of it.
[00:29:00] And whether it's just on a simple site like Facebook or Instagram, or even just somebody calls them up and says, Hey, I know so-and-so, you know, they have a little bit of information about you. Your chances are they're gonna, you know, give away more information than they should. Sure. Fun, fun. We have a little bit of time left, barely a little bit of time. Uh, I asked this just about of every guest that's on the show. Is there a book that you're reading that you would like to share with the audience that you think that they need to read?
[00:29:30] It can be fiction, nonfiction. Actually, there's no rules on what book you're reading. I just finished out the Dungeon Crawler Carl series. Ha ha! Um, it was fantastic. It was a fantastic read. And I can't wait for the next book. Um, but the other one that I would say if you haven't read Extreme Ownership yet, um, any business owner should read that at least once. Extreme Ownership. Got it. Yeah, that's a good one.
[00:29:59] And the other one that I would say that you should read, and this is just a commentary on the world that we live in. There's a book called Evicted. And it was a case study done by, I believe, as a master's degree student in Milwaukee on housing. And it was done in, I think, the early 2000s. But it is, it is a wild ride through what poverty and what the housing market looks like in that, in that range.
[00:30:29] And there's, it's, it's eye opening. I'll say that. Well, there you have it. Uh, Dawn, how can someone get ahold of you? LinkedIn is usually the best way. If you don't have my contact information, just ping me on LinkedIn. I'll respond. I'm pretty active there. All right. Well, for those of you listening, this has been an active. This has been an episode of MSP 1337. Thanks and have a great week.