As globalization and connectivity impacts businesses worldwide, international business travelers face a wide range of risks, many of which they can bring home with them. However, these threats aren’t always understood by the average traveler. Three in 10 business travelers will happily sacrifice safety for hotel loyalty and rewards incentives, according to a recent survey.
According to an American Express study, there is a direct correlation between travel policy education and employee compliance; while most travelers are “very” or “extremely” familiar with their company’s travel policy, many indicate that those policies are unclear, leading to confusion and noncompliance.
So what threats are facing international business travelers this year, and how can enterprises communicate those risks and policies effectively? We asked Chris Duvall, Senior Director at The Chertoff Group, to share some of his insights and best practices.
Security: What are some of the main risks to international business travelers this year?
Duvall: One only needs to read the headlines over the past few years to know that both physical and digital risks for international travelers are evolving and growing. Those targeted and the scope, severity and complexity of physical and cyber risks are becoming increasingly dangerous and destructive for those traveling outside the U.S.
On the physical side, threat actors are actively seeking “soft targets” – public events, social settings, mass audience venues, etc. – to communicate their message, sow chaos and inflict catastrophic harm. On the digital or cyber side, we have seen a marked uptick in mobile device hacking, for credentials or financial gain, through rogue Wi-Fis.
Security: How are those risks different for a member of the C-Suite than for other employees?
Duvall: U.S. citizens, particularly executives of U.S.-based technology companies, are considered high-value targets for nation-state intelligence services and criminally-motivated bad actors. Many countries will go to great lengths and expense to acquire and exploit proprietary information from U.S.-based companies, and view U.S. executives visiting the country as “soft” targets of opportunity. The tactics, techniques and procedures (TTPs) utilized by bad actors are often covert and nearly undetectable by the affected person. Threat actors routinely access, monitor and utilize Wi-Fi networks at hotels and in public spaces to compromise target devices. As such, significant precautions should be taken to protect personal electronic devices (PEDs) and the data connected to PEDs.
Security: What sort of awareness training or education do you recommend for international business travelers, or even those traveling for leisure?
Duvall: When traveling on business, companies should provide their employees with clean computers and cellphones before departure. Upon return, the company should immediately wipe the computer clean to prevent any malicious threats from penetrating the company’s internal cyber-infrastructure. Additionally, companies should educate their employees on the importance of maintaining good internet hygiene and recommend their employees disconnect from all social media platforms while traveling.
Some general tips to share with your employees include:
- Be aware and situationally alert at all times.
- Be aware and situationally alert to the location of your luggage and carry-ons at all times.
- Don’t access unknown, unsecured or public Wi-Fi if at all possible.
- Turn off “auto connect” features and institute stringent privacy controls as much as possible.
- Try to “blend in” – you don’t have to try to look like a local but travelers should avoid gaudy and expensive attire wherever possible.
- Use your common sense – if an offer, invitation or opportunity seems to good to be true…it probably is.
Security: Are there certain areas, globally, right now where travelers and businesses should employ special caution?
Duvall: There are numerous, high-risk countries for which the U.S. Government warns travelers to be wary of mobile malware, mobile device privacy attacks and hot spots for mobile botnets. The U.S. Department of State has the most recent and up-to-date list.
Although U.S. travelers should employ caution while visiting any foreign city, they should be extremely careful when traveling through Russia, China and North Korea. For example, the U.S. Government has investigated numerous incidents in which U.S. travelers’ personal electronic devices have been compromised by Russian authorities while transiting Russian airports, left unattended in public spaces and in travelers’ hotel rooms.
Security: For remote workers and international business travelers, what intellectual property risks are they facing, and how can they mitigate them?
Duvall: When traveling internationally on business, travelers are always at risk of getting their personal identification information (PII), protected healthcare information (PHI) and/or their company’s proprietary information stolen. We recommend travelers and remote workers disconnect as much as possible and continue to practice good internet and social media hygiene while abroad.
Some best practices include:
- Avoid using public Wi-Fi services—unless you use private VPN service for encryption.
- Increase the privacy setting on your technical devices.
- Disable location identifiers on apps.
- Create a new (unlinked) email for internet correspondence.
- Consider purchasing international MyFi devices to decrease the risk of getting your personal identification information (PII) or protected healthcare information (PHI) stolen.
- Use temporary (i.e. burner) phones to protect your data and your contacts.