Security for Digital Nomads Working in High-Risk Cities

The digital nomad category has grown substantially since 2020. MBO Partners estimated 15.5 million Americans described themselves as digital nomads in 2021, a figure that had more than doubled since 2019. Similar growth patterns are recorded in the UK, Germany, and Australia. A proportion of those individuals work from high-risk cities: Medellin, Bogota, Bangkok, Manila, Nairobi, Istanbul, and Lagos all appear regularly on nomad hub lists.

James Whitfield, Senior Security Consultant, makes the point directly: working remotely from a high-risk city carries the same threat environment as any other business travel to that location. The difference is duration and the absence of a corporate support structure.

The pattern-of-life problem

Corporate travel typically involves defined visits: two nights in Lagos for a meeting, a week in Manila for a project, then out. Digital nomads often stay for a month or more. That duration creates a pattern-of-life exposure that short-stay travellers do not accumulate.

Pattern-of-life analysis is how professional surveillance teams and opportunistic criminals alike identify targeting opportunities. If you work from the same cafe on Lagos Island at the same hours five days a week, anyone watching the street will notice. Your laptop, your behaviour, your routine — these become predictable within days of establishing a habit.

ISO 31030:2021, the international standard on travel risk management, identifies routine predictability as a material risk factor for travellers in elevated-risk environments. The recommended mitigation is deliberate variation: alternate working locations, vary departure times from accommodation, change routes. This is standard advice for corporate security programmes and applies equally to individuals working independently.

Device security: the non-negotiable baseline

Devices are the primary target in digital nomad environments, both for their hardware value and their content.

Full-disk encryption is the first control. A stolen laptop with full-disk encryption is a hardware loss; without encryption, it is a data breach. BitLocker on Windows and FileVault on macOS provide full-disk encryption. Both are enabled by default on modern devices but are worth verifying rather than assuming.

Authentication discipline follows. A long, complex passphrase is more resistant to guessing and keylogging than a short numeric PIN. Biometrics are convenient but carry a specific risk at border crossings: in jurisdictions without strong constitutional protections, authorities can compel biometric authentication where they cannot compel disclosure of a passphrase. NCSC overseas travel guidance specifically notes this asymmetry. At borders in China, Russia, and several P1 city jurisdictions, PIN-based authentication is the preferable default.

Screen lock set to sixty seconds or under means a device left unattended for any period requires re-authentication before it can be accessed. This is particularly relevant in open-plan coworking and cafe environments where a device theft may take seconds.

Remote-wipe capability requires the device to be registered with a mobile device management solution or the equivalent consumer service (Find My on Apple devices, Find My Device on Android and Windows). This only functions if the device subsequently connects to a network, but it remains a viable last-resort control.

Cameras, microphones, and physical ports deserve attention. A physical webcam cover is a low-cost control for an elevated-risk environment. USB-C and USB-A ports on a laptop can be configured to disable data transfer while allowing charging, reducing the risk from compromised cables or docking stations.

Network security for extended stays

Coworking and cafe Wi-Fi is untrusted infrastructure. The building owner, the network provider, other users on the same network, and anyone who has previously accessed the network all represent potential exposure points.

The NCSC Cyber Essentials framework treats shared-access networks as an attack surface requiring mitigation, not an acceptable baseline. A VPN routes all traffic through an encrypted tunnel before it exits to the internet, preventing interception at the network level. This is necessary but does not eliminate all risk: a VPN does not protect against malware already on the device, against shoulder surfing, or against social engineering attacks.

The cleanest solution for extended stays is a local SIM with a generous data allowance, used as a mobile hotspot rather than connecting to venue Wi-Fi. In most P1 cities, local SIMs are inexpensive and widely available. In Nigeria, the National Information Technology Development Agency requires SIM registration by national ID; in Thailand, the NBTC requires passport registration. These requirements mean local SIMs are linked to an identity, which creates a different data trail, but they eliminate the shared-network exposure.

SIM-based risks require their own mitigation. SIM swap attacks, where a criminal convinces a carrier to transfer a phone number to a new SIM, are used to intercept SMS two-factor authentication codes for financial and professional accounts. The control is not using SMS as a second factor for any account that matters: use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) instead.

Physical security in public working environments

Laptops, phones, and bags are stolen from cafes and coworking spaces in every major city. In high-risk cities, the frequency and the confidence of the approach are higher. In Lagos, Nairobi, and Manila, opportunistic theft from visible foreign professionals in coffee shops is a documented pattern in OSAC reporting.

Physical controls are simple: keep a laptop cable lock anchored to a fixed point when working in a shared environment. Do not leave devices unattended on a table, even for the time it takes to visit the bathroom. Keep a bag between your feet rather than on an adjacent chair or the floor behind you. In cities with elevated robbery risk, working with noise-cancelling headphones in creates a sensory blind spot; be aware of your surroundings rather than fully isolated from them.

Screen visibility is an information security concern in any open environment. A privacy filter reduces the visible angle of a laptop screen to roughly 30 degrees either side of the central axis, making the content unreadable from adjacent seats. In environments where corporate espionage is a realistic risk, Istanbul, Dubai, Beijing, and Moscow among them, this is a straightforward control for a straightforward problem.

See the related guidance on security in coworking spaces for detailed venue assessment criteria.

Accommodation security for extended stays

Short-stay hotel security is a known quantity for experienced travellers. Extended nomad stays often involve Airbnb properties, serviced apartments, and guesthouses, where the security baseline is less predictable.

The points to assess on arrival: door lock quality and whether it is a deadbolt or a simple latch; whether there is a secondary lock or chain; whether the property manager holds a copy of the key; whether ground-floor windows have any form of locking mechanism. A portable door jammer, which wedges under a door handle and prevents external opening, costs under GBP 20 and addresses the key-copy problem entirely.

An in-room safe is useful for passport, additional devices, and backup currency, but most hotel-grade safes can be opened by property staff using a master override. Do not rely on in-room safes for anything that would be catastrophic if accessed by a dishonest member of staff. A laptop with full-disk encryption and a strong passphrase is more secure in a zipped bag in your room than unlocked in an in-room safe.

For extended stays in cities with significant violent crime against foreigners, neighbourhood selection matters. OSAC city reports for Lagos, Bogota, Nairobi, and Manila all identify specific districts where incidents involving foreign nationals concentrate. Working from Victoria Island or Ikoyi in Lagos rather than areas to the north, or Polanco in Mexico City rather than districts with a higher incident rate, reflects the same risk-reduction thinking as any corporate travel risk assessment.

Emergency contacts and welfare checks

The institutional support structure that corporate travellers have does not exist for independent nomads. An employer tracks employee travel, has crisis response contacts, and maintains duty of care obligations under ISO 31030:2021 and, in the UK, the Management of Health and Safety at Work Regulations 1999.

Independent workers carry that responsibility themselves. The minimum is a check-in schedule with a named contact: a call or message at an agreed time each day, with a pre-agreed response protocol if a check-in is missed. The response protocol should specify: after how many missed contacts the contact attempts to reach you, what number they call, who they contact if they cannot reach you, and when they would notify local authorities or the relevant embassy.

Your government’s travel registration system is the background layer: the UK FCDO provides the equivalent of a travel notification system via its travel advice pages; the US State Department offers STEP (Smart Traveler Enrollment Program). Neither provides active monitoring, but both give emergency services a reference point if something goes wrong.

For higher-risk destinations or longer stays, a paid check-in service from an international assistance provider or a travel security company provides a more structured welfare framework.

See the guidance on lone worker security in high-risk cities for check-in protocol design.

P1 city considerations

Bogota: The Zona Rosa and El Poblado districts in Medellin are established nomad hubs with lower risk profiles than other parts of their respective cities. Express kidnapping risk in Bogota is real but concentrated in specific areas and time windows, particularly late-night taxi journeys. A trusted app-based service (InDrive, Cabify) is preferable to hailing from the street.

Bangkok: High nomad population, relatively low physical security risk compared to most P1 cities. Digital security concern: Thailand’s Computer Crime Act 2007 has been used to prosecute online speech critical of the government or monarchy. Maintain standard device discipline and be aware that local VPN usage, while common, occupies a legal grey area.

Manila: BGC (Bonifacio Global City) is the established professional district with a significantly lower risk profile than other parts of Metro Manila. Outside BGC, OSAC reporting documents robbery and phone snatching as high-frequency incidents for foreigners. The NBI (National Bureau of Investigation) processes foreign crime reports but response is slow.

Nairobi: Westlands and Karen are the districts with the lowest incident rates. The PSRA requires all private security operators to be licensed; verify any apartment building’s contracted security against the PSRA register. Embassy Quarter has above-average security infrastructure from surrounding diplomatic presence.

Istanbul: Low violent crime rate relative to most P1 cities. Primary concern is digital: FCDO and US State Department both note heightened electronic surveillance capability and a legal framework that can reach foreign nationals for online activity. Standard device and communications discipline applies.

Sources: NCSC Cyber Essentials 2024; NCSC Overseas Travel: Keeping Your Devices Safe 2024; ISO 31030:2021 Travel Risk Management; OSAC Nigeria, Philippines, Kenya, Colombia 2024; MBO Partners State of Independence Report 2021; FCDO Travel Advice April 2026; FBI Denver Field Office USB Advisory April 2023; Management of Health and Safety at Work Regulations 1999.