Given the necessity and frequency of international business travel in today’s economy, many CIOs must address a harsh reality facing their organizations – the increased data security risk presented by those travels. The FBI continues to warn that corporate espionage – many times with the aid of foreign governments – is an increasingly serious threat.
What risk management precautions can companies with international business travelers employ to protect corporate data?
One way to assess and address the information security threat posed by international travel is to break it down into risk components: the probability that a security event will occur and the impact of an event, should it occur. The following considerations, presented in that context, may assist organizations in implementing, improving or reinforcing practices protect their data, even as their teams travel the globe.
Reduce the Probability
Of course, in an increasingly global economy, the frequency of international business travel won’t likely slow any time soon. However, the probability of the occurrence of a data security event can be reduced in other ways.
A recent survey conducted by Morning Consult on behalf of IBM Security revealed found that only 40% of Americans believed it was likely they would be targeted for cybercrime while traveling and that business travelers are even more likely to engage in cyber-risky behaviors. While the survey didn’t focus on international travel, it indicates a mindset and underscores the importance of education on the risks posed by international business travel. CIOs can promote a culture of empowerment and vigilance in this regard, including refreshers for even hardened road warriors on what may be taken for granted.
Travel to certain regions may warrant extreme caution and pre-travel risk assessments can identify those areas. One resource for identification of higher-risk countries and regions and specific issues is the Overseas Security Advisory Council (OSAC), a joint venture between the Department of State and the U.S. private sector to interact on overseas security problems of mutual concern. OSAC’s Crime and Safety Reports on specific countries and regions and often include cyber security advice. Other resources include the “heat map” and statistics published by Kapersky on the geography of users attached by mobile malware.
Everyday technical best practices can also reduce the probability of a breach while abroad – from ensuring that anti-virus software, operating systems and apps are up-to-date to enabling remote lock settings on mobile devices to resetting passwords upon return. When it comes to remote access, the danger of Wi-Fi should especially be called to mind for international travel. As the University of Nebraska-Lincoln cautions, if travelers need access email or other systems while abroad, they should utilize an encrypted network such as a VPN provided by their organizations. Note, however, that some countries may ban or block VPNs.
Minimize the Consequences
Encrypted devices are not allowed into some countries and are subject to confiscation. By reducing or eliminating the amount of sensitive data contained on devices, the consequences of a cyber breach can be minimized.
Included in the FBI’s cautions are that, if a traveler can do without a device abroad, they shouldn’t take it with them. However, for devices that are necessary for use during international travel, a common approach suggested by CIOs is to provide travelers with clean, encrypted loaner or throwaway devices that contain no sensitive data or even company identification. The University of Nebraska-Lincoln advice adds that, upon return and prior to additional use, those devices should be securely scanned and reviewed by technical support personnel. In some instances, it may be necessary to wipe and reinstall the operating system.
Both by employing technical best practices and by empowering travelers to be vigilant, CIOs for organizations whose personnel travel internationally – whether rarely or frequently – can reduce the probability and consequences of a cyber breach while abroad.