Traveling for executives and employees is more challenging than ever with an evolving threat landscape.
In July, British Airways canceled all flights to Cairo for seven days for security reasons. “We constantly review our security arrangements at all our airports around the world, and have suspended flights to Cairo for seven days as a precaution to allow for further assessment,” the airline said in a statement. “The safety and security of our customers and crew is always our priority, and we would never operate an aircraft unless it was safe to do so.”
When your executive or employees travel – either within the U.S. or abroad – do you know where they are?
According to a study by the GBTA Foundation, three in ten (29 percent) travel managers report they do not know how long it would take to locate affected employees in a crisis. Overall, one-half (50 percent) of travel managers say, in the event of an emergency, they can locate all of their employees in the affected area within two hours or less. Additionally, three in five (60 percent) travel managers rely on travelers to reach out if they need help and have not booked through proper channels.
“Research reveals significant gaps in educating travelers about resources available to them and the existence of protocols should the unforeseen happen,” says Kate Vasiloff, GBTA Foundation Director of Research. “Failing to establish and communicate safety measures leaves travelers and organizations vulnerable. As both security threats and technology evolve, even the most robust protocols that once served companies well may now have weaknesses requiring immediate attention and modification.”
“With business travel and global uncertainties on the rise, companies today face more pressure than ever to ensure the safety of their travelers,” adds Mike Eberhard, president of Concur. “If a crisis or incident occurs, it’s critical that businesses be prepared to quickly locate employees and determine who may need assistance.”
Tracking employee and executive travel and ensuring their safety is one of the most important tasks for enterprise security executives. Enterprise security must always take into account where an executive will travel, the activities they will undertake and the individual risk profile, which will help to develop an overall risk assessment for the trip and any threat mitigation strategies that should be followed.
Mitigation strategies can include an executive protection team for the duration of the trip. For elevated risk areas, organizations can employ an executive protection (EP) professional with dedicated transport. For higher risk locations, a team of EP professionals, secure transports and a bullet proof vehicle can be considered.
Staying alert sounds obvious, but according to James Merriman, Global Security Operations Manager at Healix International, the theory covers a multitude of subjects and should be a part of every stage of protection for executives and traveling employees. For instance, having headphones on or looking at your cell phone reduces alertness and may also attract thieves. “Nothing should go out of your sight,” Merriman says.
Airports are where an executive traveler is at their most vulnerable, Merriman notes. Being prepared at every process is one of the best security practices. “Are there ongoing protests, does your trip coincide with elections or anniversaries, which can lead to violence? Are you familiar with the airport you are visiting? You should have a clear plan for transportation from the airport before you arrive. This includes taking advantage of fast tracking through immigration queues, and pre- arranging transport to hotel or meeting venue. Do not leave the airport if you feel uncomfortable with the environment and if your transport has not arrived, and do not accept lifts from strangers,” says Merriman.
Safety at the Airport
Sherry Stein, Head of Technology Strategy at SITA, notes the vulnerabilities at airports as well and advocates for biometrics as a safer way to travel. Today’s security process, which requires an agent or officer to make an assessment by looking at the photo on the license or passport and then determining if the photo matches the person, is time-consuming, she suggests. Furthermore, it places a towering responsibility on the agent to not only make an accurate assessment, but also to manage the queues and wait times to effectively reduce traveler anxiety.
“We need a better process, as travel volumes double every few years,” she notes. The public areas around check-in, bag-drop and security become soft-targets that are vulnerable to bad actors that may choose to exploit the unsecure areas of the airport, leaving executives and employees at risk, Stein says.
“Technology that can perform the identity verification process much more quickly and accurately than historically possible streamlines airport security and allows for choke-points and vulnerabilities in areas that represent soft-targets to be mitigated or eliminated. Travelers are able to move more quickly to the secure areas of the airport,” Stein says.
Increasingly, cybersecurity is a concern for traveling executives and employees. Travelers can be victims of phishing, ransomware attacks and malware. Additional data from GBTA found that 70 percent of travel buyers say their business travelers have been affected by a payment-related data breach from an outside vendor such as an airline, hotel or retailer in the past year. The study also found that only 62 percent of companies provide their traveling employees with data security tips.
To mitigate the risk of falling victim to cybercrime, Merriman says, “Travelers should back up all sensitive and essential content on electronic devices to an external hard drive prior to travel. As a precaution, individuals should only travel with devices containing data that is necessary for the trip.” Merriman adds employees should always be aware of company policy with regards to loss of work equipment, and report any compromises in a timely manner, to allow security to remotely delete sensitive work.
Mitigating Threats with GSOCs
In recent years, organizations have been employing GSOCs to mitigagte security risks for traveling employees and to ensure duty of care. Red Hat, a provider of enterprise open source solutions, recently branded its global security operations center (GSOC) an Information Sharing and Analysis Center, enabling security to obtain actionable intelligence in order to analyze, identify and communicate risks for the almost 5,000 company employees who are constantly on the go as remote workers.
Two weeks after Red Hat began employing notification system software at their Information Sharing and Analysis Center, the Paris terrorst attacks occurred that killed 130 people and wounded 494 people. With the notification system software, Red Hat was able to quickly locate employees and account for their well-being. Alan Borntrager, Head of Global Security, Safety and Resilience at Red Hat, says, “We went from, frankly, days to hours in terms of being able to account for our associates.”
In another example, Rackspace, a provider of IT as a service, operates many data centers and offices around the world. As part of its duty of care responsibilities for traveling employees, Rackspace employs a notification system that integrates with risk and threat analysis systems at its corporate GSOC, which allows security to immediately send notifications to employees.
In 2017, London experienced a total of four terror attacks, in which 36 people died and 166 were injured. The notification system allowed Rackspace to share information in real-time during all of the terror attacks, and account for all employees who were in London.
Overall, what are some of the tactics that you can employ to protect traveling executives and employees?
- Monitor travel authorizations and bookings to flag when enhanced information asset protection is needed
- Use pre-departure information protection and counterintelligence training
- Issue travel cloned laptop and mobile devices
- Use VPN applications and secure communications
- Provide camera detecting and bug finder devices for hotel and meeting rooms
- Provide employees with a travel printer to avoid using hotel or third- party printer
- Implement mobile device (Android and iOS) malware detection apps
In addition, here is a list of common travel cybersecurity concerns and possible solutions.
Problem: Loss of laptop or mobile device.
Solution: Disk should be encrypted with a two-factor authentication to access the device. Enterprises should have the ability to remote wipe the device clean.
Problem: Theft of data in transmission – data or voice.
Solution: Use a VPN for data and an end-to-end secure communications apps such as WhatsApp.
Problem: Listening devices and hidden cameras.
Solution: Do not conduct sensitive calls in the hotel room or any location that is risky. Find a safe spot to discuss sensitive information instead, and avoid using the same spot frequently.