Business travellers in Hong Kong are prime targets for WiFi attacks. Corporate email, financial systems, client data, and strategic documents are all accessible on a typical business device — making the stakes of public WiFi exposure far higher than for personal use. Here's how to protect corporate data without impeding productivity.
Business travellers are targeted more deliberately and more profitably than personal users on public WiFi. A personal user's account credentials may yield a few hundred dollars in fraudulent charges before being detected. A business traveller's credentials to corporate email, ERP systems, or financial platforms may enable access to accounts with millions in assets, confidential client information, or proprietary business strategy. The value differential means that attackers who invest in sophisticated targeting — identifying executives, timing attacks to coincide with high-value activities — find business targets significantly more rewarding than opportunistic personal credential harvesting.
Hong Kong's role as a major business hub concentrates these targets predictably. The hotel and conference corridors of Central, Admiralty, and Tsim Sha Tsui host significant concentrations of visiting executives from across Asia and globally. Major conference centres — HKCEC (Hong Kong Convention and Exhibition Centre), AsiaWorld-Expo — host events where attendees' corporate affiliations are publicly known from event programmes and LinkedIn, enabling targeted attack preparation. An attacker who knows that a major banking conference is being held at HKCEC can prepare an evil twin network targeting that event's attendees with greater precision than random drive-by attacks, knowing the target pool carries high-value financial sector credentials.
Business email compromise (BEC) is the most financially damaging attack category enabled by compromised business credentials from public WiFi exposure. BEC attacks use access to a corporate email account to impersonate the account holder and redirect financial transactions — payment instruction fraud, invoice redirection, payroll diversion — to attacker-controlled accounts. The average BEC incident causes losses of hundreds of thousands of Hong Kong dollars, and sophisticated BEC operations targeting Hong Kong businesses have been documented by HKCERT and the Hong Kong Police Force. The credential theft that enables BEC can occur through public WiFi MITM attacks, making the connection between public WiFi security and financial loss highly direct for business users.
Most corporate IT departments provide a VPN client for remote access to company systems, but this corporate VPN is typically designed for accessing internal resources (file servers, intranet, line-of-business applications) rather than for encrypting all internet traffic. A split-tunnel corporate VPN only routes traffic destined for corporate resources through the encrypted tunnel — traffic to general internet destinations (cloud email, web browsing) may bypass the corporate VPN entirely and go directly to the internet over the untrusted public WiFi network. Ask your IT department whether your corporate VPN uses split tunnelling or full tunnelling, and whether it is configured to activate automatically on untrusted networks.
For comprehensive public WiFi protection, business travellers often need both a personal VPN (for general internet traffic) and the corporate VPN (for internal system access). The recommended sequence: connect to public WiFi → activate personal VPN (encrypts all traffic) → establish corporate VPN connection over the personal VPN (adds corporate access on top of personal encryption). This layered approach ensures that both general internet traffic and corporate-specific traffic are encrypted before reaching the untrusted public network. Check whether your corporate VPN allows this configuration — some VPN products conflict with each other, but WireGuard-based personal VPNs generally co-exist well with IPsec-based corporate VPNs.
If your organisation does not have a formal public WiFi security policy for remote workers, advocate for one. Key elements of an effective policy include: mandatory VPN use on any non-corporate network, prohibition of accessing corporate systems from open WiFi without VPN, device security requirements (full disk encryption, screen lock timeout under 5 minutes, firewall enabled), and clear incident reporting procedures for suspected WiFi security incidents. HKCERT publishes guidelines for organisational cybersecurity that include remote working and public WiFi sections — referencing HKCERT's guidance in IT policy development lends authority and ensures alignment with Hong Kong-specific best practices. The Computer Incident Response Team (CIRT) provisions within many Hong Kong financial institutions include public WiFi incident classification.
Business devices used on public WiFi require additional hardening beyond the standard consumer configuration. Full disk encryption is the most important baseline: if your device is stolen or accessed while unattended (a real risk in busy Hong Kong café and hotel environments), full disk encryption prevents data extraction from the storage even without login credentials. On Windows, enable BitLocker (available on Windows 10/11 Pro and Enterprise editions): Settings → Update & Security → Device Encryption. On macOS, enable FileVault: System Settings → Privacy & Security → FileVault. Both implementations use AES-256 encryption and activate automatically on next login if not already enabled. Store the recovery key securely — if lost, encrypted data is unrecoverable.
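To verify the baseline above across a fleet rather than by clicking through Settings, here is an added Python example (not from the article) that reads the status output of the two tools behind those settings, `fdesetup status` on macOS and `manage-bde -status` on Windows, and reports whether the OS volume is actually encrypted and protected. The tool output strings in the block are constructed samples, the volume letter `C:` and the tool invocations are assumptions, and `manage-bde` must be run from an elevated prompt.

```python
import platform
import re
import subprocess

# Constructed tool output, not captured from a real machine, in the format printed by
# `fdesetup status` (macOS) and `manage-bde -status` (Windows, needs an elevated prompt).
SAMPLE_FDESETUP = "FileVault is On.\n"
SAMPLE_MANAGE_BDE = """Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
"""

def filevault_on(fdesetup_output):
    # `fdesetup status` prints "FileVault is On." or "FileVault is Off." on its first line.
    return fdesetup_output.lstrip().startswith("FileVault is On")

def bitlocker_volumes(manage_bde_output):
    # Map each "Volume X:" block to True only when it is fully encrypted AND protection is on.
    # 'Fully Encrypted' with 'Protection Off' is the suspended state: the volume key is
    # stored in the clear, so the device is not actually protected against theft.
    status = {}
    for block in re.split(r"(?m)^(?=Volume [A-Z]:)", manage_bde_output):
        m = re.match(r"Volume ([A-Z]:)", block)
        if not m:
            continue
        conv = re.search(r"Conversion Status:\s*(.+)", block)
        prot = re.search(r"Protection Status:\s*(.+)", block)
        status[m.group(1)] = bool(conv and prot and conv.group(1).strip() == "Fully Encrypted"
                                  and prot.group(1).strip() == "Protection On")
    return status

def os_volume_encrypted(os_volume="C:"):
    # Run the platform's tool and evaluate it; None means neither tool applies here.
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return filevault_on(out)
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout
        return bitlocker_volumes(out).get(os_volume, False)
    return None
```

A compliance script that treats a suspended BitLocker volume as "encrypted" would pass a device whose key sits unprotected on disk, which is why both fields are required.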
Screen lock timeout should be set to five minutes or less for business devices used in public. A device left unattended on a café table for ten minutes — to use the bathroom, place an order, or take a phone call — provides an attacker significant time to access open applications, install software, or photograph visible documents. On Windows: Settings → Accounts → Sign-in options → set "Require sign-in" to "When PC wakes from sleep" and set sleep timeout to 5 minutes under Power settings. On macOS: System Settings → Lock Screen → set "Require password" to "Immediately" and screen saver to activate after 5 minutes. Enable remote wipe capability through Microsoft Intune (for corporate-managed devices) or through Apple's Find My service (for macOS/iOS) so that a lost or stolen device can be wiped before data is accessed.
Consider whether your business travel truly requires your primary work laptop. For visits to high-risk destinations or for travel involving access to particularly sensitive corporate systems, some organisations issue "travel laptops" — stripped-down devices configured with minimal access and software, used only for travel and wiped on return. This "clean slate" approach ensures that any malware, spyware, or configuration changes introduced during travel do not affect the primary corporate environment. If a travel laptop is not available, at minimum ensure your work laptop has all unnecessary applications removed, all unnecessary network services disabled, and that you have a clear procedure for what to do if you suspect the device has been compromised during travel.
The non-negotiable rule for corporate data on public WiFi is: all corporate system access requires an active, verified VPN connection. This means email, cloud storage (OneDrive, Google Drive, SharePoint), CRM systems (Salesforce, HubSpot), ERP and financial platforms, video conferencing with confidential content, and any application that transmits business data must only be used when the VPN is active and confirmed connected. Confirm the VPN is active by checking the VPN app's connection indicator before accessing any business system — auto-connect features can sometimes fail to activate, particularly on networks with captive portals or connectivity issues. A quick VPN status check before opening your email client is a worthwhile 5-second habit.
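The split-versus-full-tunnel distinction discussed earlier and the "confirm the VPN is active" rule above can both be checked from the routing table instead of the VPN app's indicator. The following Python script is an added example, not from the article or any VPN vendor: it parses macOS/BSD `netstat -rn` output and reports whether a tunnel interface owns the default route. The `netstat` excerpts embedded in it are constructed, the tunnel interface names are an assumption, and Windows `route print` is not handled.

```python
import re
import subprocess

# Interfaces that carry VPN traffic on macOS/BSD (assumption for this example):
# utun (IPsec and WireGuard apps), wg/tun (WireGuard/OpenVPN), ppp (legacy L2TP).
TUNNEL_IFACE = re.compile(r"^(utun|wg|tun|ppp)\d*$")

# Constructed `netstat -rn` excerpts, not captured from a real machine: a split tunnel
# that only covers 10.20/16, and a WireGuard-style full tunnel using the two /1 halves.
SAMPLE_SPLIT = """Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg             en0
10.20/16           10.8.0.1           UGSc            utun3
127                127.0.0.1          UCS               lo0
"""
SAMPLE_FULL = """Internet:
Destination        Gateway            Flags           Netif Expire
0.0.0.0/1          10.9.0.1           UGSc            utun4
default            192.168.1.1        UGScg             en0
128.0.0.0/1        10.9.0.1           UGSc            utun4
"""

def parse_netstat_rn(text):
    # Keep the IPv4 'Internet:' section only; columns are Destination Gateway Flags Netif [Expire].
    ipv4 = text.split("Internet:", 1)[-1].split("Internet6:", 1)[0]
    return [(f[0], f[3]) for f in (line.split() for line in ipv4.splitlines())
            if len(f) >= 4 and f[0] != "Destination"]

def tunnel_mode(routes):
    # 'full': all internet traffic enters a tunnel; 'split': only some prefixes; 'none': VPN not up.
    tunnel_dests = {dest for dest, iface in routes if TUNNEL_IFACE.match(iface)}
    if not tunnel_dests:
        return "none"
    # The first 'default' line is the active one; a VPN that replaced it is full tunnel.
    default_iface = next((iface for dest, iface in routes if dest == "default"), None)
    if default_iface and TUNNEL_IFACE.match(default_iface):
        return "full"
    # WireGuard leaves the default route alone and overrides it with 0.0.0.0/1 and
    # 128.0.0.0/1 (both more specific), so both halves on the tunnel is full tunnel too.
    if {"0.0.0.0/1", "128.0.0.0/1"} <= tunnel_dests:
        return "full"
    return "split"

def safe_for_corporate_access(netstat_output):
    # The article's rule: open corporate systems only when all traffic goes through the tunnel.
    return tunnel_mode(parse_netstat_rn(netstat_output)) == "full"

if __name__ == "__main__":
    live = subprocess.run(["netstat", "-rn"], capture_output=True, text=True).stdout
    print("VPN mode:", tunnel_mode(parse_netstat_rn(live)))
```

A result of "split" on a corporate-only VPN is the case described earlier where cloud email and web browsing bypass the tunnel, so the personal VPN still needs to be up underneath it.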
Establish a clear rule for financial authorisations: no financial authorisations, payment approvals, or fund transfers from public WiFi under any circumstances — use mobile data or a trusted wired connection for these activities exclusively. Business email compromise fraud specifically targets the scenario where a finance team member receives a payment instruction change request via email while on public WiFi. If a criminal has performed an MITM attack on that network, they can potentially monitor the email communication and manipulate it. Even with VPN protection, financial authorisations carry enough consequence that using mobile data as an extra precaution is worth the minor inconvenience.
For Hong Kong-based workers in the financial services sector (which represents a significant portion of Hong Kong's professional workforce), regulatory considerations add weight to public WiFi security requirements. The HKMA (Hong Kong Monetary Authority) and SFC (Securities and Futures Commission) have issued guidance on cybersecurity risk management that covers remote access security. Financial institutions in Hong Kong typically have stricter controls on remote access than general businesses — requiring multi-factor authentication for all remote system access, recording and monitoring of remote sessions, and formal incident reporting for suspected security events. If you work in a regulated financial institution and have public WiFi security concerns, escalate them through your institution's compliance and IT security channels rather than relying solely on personal measures.