By Jim Kent

Connectivity is now assumed, whether travelling for business or working remotely from abroad. Laptops tethered to smartphones, cloud applications accessed from hotel rooms and video calls taken from unfamiliar locations have become routine. Yet while attention often focuses on public Wi-Fi risks, a less discussed question remains:
how secure is your data when it travels across mobile phone networks in unfamiliar or high-risk locations?

Public Wi-Fi is an obvious threat. Unencrypted hotspots, fake access points and man-in-the-middle attacks make airports, cafés and hotels prime hunting grounds for cybercriminals. But switching to mobile data does not automatically guarantee safety. In many regions, particularly in politically unstable or poorly regulated environments, mobile networks themselves may be subject to interception, weak encryption standards or opaque routing practices.

Location matters. When travelling through certain countries, data traffic may be routed through infrastructure that offers limited transparency or falls under legal regimes very different from those in Europe. This raises real concerns around data sovereignty, compliance and exposure to surveillance. For organisations handling sensitive financial, legal or personal data, this is not a theoretical risk but an operational one.

Another overlooked issue is control. Consumer roaming services prioritise coverage and cost, not security or predictability. Data may jump between multiple partner networks, each with different security postures. For IT teams, this creates blind spots at precisely the moment employees are operating furthest from the corporate perimeter.

So, what does a safer approach look like?

If you pose this question to many security professionals, they often refer to VPN technology, but many users misunderstand the term. In this instance VPN does not refer to simply rerouting your internet connection to watch football geo-limited to a different country. A true VPN forces data to a specific server and the associated security layers.

Corporate VPNs still play a critical role in securing remote access and branch connectivity. When encryption standards are strong and traffic routing is properly configured, they remain an effective enforcement layer within enterprise security architectures.

But mobile devices introduce a more complex reality.

Even when using well-known smartphone and tablet brands, organisations have limited visibility into how their IP stacks are implemented. Proprietary optimisations, often

marketed as “performance” or “experience improvements”, may alter traffic handling in ways that are not fully transparent. In certain scenarios, this can create unintended pathways that bypass established VPN controls and expose sensitive traffic.

Artem Kirillov, COO at MTX Connect said.

“The challenge is structural. Mobile operating systems are inherently proprietary. They typically lack full manageability, deep traceability, and low-level network debugging capabilities. As a result, IT teams are often forced to rely on vendor reputation rather than technical transparency. In an era where sensitive data is accessed everywhere, that is no longer sufficient.”

Zero Trust architectures are evolving to address exactly this gap. By extending Zero Trust principles to mobile connectivity, organisations can regain visibility, enforce policy at the connection level, and reduce the risk of data leakage beyond traditional VPN perimeters.The question is no longer whether your VPN is secure. The question is whether your mobile layer is truly under your control.

Secondly, organisations should rethink how mobile connectivity is delivered. This is where eSIM technology becomes relevant, but not all eSIMs are created equal. Research from the 34th USENIX Security Symposium last year indicated that while eSIM technology enables remote provisioning and greater flexibility, the researchers demonstrated that this convenience comes with significant trade-offs. Their empirical testing of dozens of travel eSIM providers found that user traffic is often routed through third-party infrastructure in foreign jurisdictions, sometimes without the user’s knowledge. In many cases, data was “home-routed” through networks in countries entirely unrelated to the user’s physical location, creating jurisdictional exposure and surveillance risks.

The study also reveals that eSIM resellers — who face minimal regulatory oversight — can access sensitive user metadata such as IMSI, ICCID and, in some cases, device location data. Some reseller platforms can assign public IP addresses to mobile devices, making them directly reachable from the internet. This significantly expands the mobile attack surface.

Travelling does not have to mean surrendering control of your data. But in a world of fragmented networks and shifting geopolitical boundaries, secure mobility is no longer just about convenience. It is about choosing connectivity designed with security, predictability and governance in mind.

Join us on the 17th of March to meet the team from MTX Connect the leading authority on this area in Luxembourg.