Who doesn’t search the Internet for the news and weather on the eve of travel? But how many of us include a travel security component in those pre-travel searches? If you are traveling to or living in high-risk locales, travel security must remain top of mind both from a personal and professional perspective.
Perspective and context is everything. To some, any country other than the one they live in is high-risk. To others, only those countries embroiled in armed conflict would be considered risky. Then you may have those countries that are not a risk from the personal safety perspective but have evolved a reputation as locales where your devices — and the information within them — are routinely targeted and compromised.
How does a company ensure consistency in the evolution of a travel security program for their personnel? The information security, physical security, finance, legal and human resource entities within your company must make that determination. Readily available, open-source resources exist to help you make this call.
Which Countries Are High Risk?
Want to know which countries the U.S. Department of State has issued travel warnings about? Visit the Alerts and Warnings page on the department’s website and search for the country of interest. If you prefer to have a non-U.S. perspective, the British Foreign Office has a similar service, the Foreign Travel Advice page, where you can obtain up-to-date information on 225 separate countries.
While physical risk is important in any travel scenario, knowledge of economic risk may be equally vital. For a cursory review of the current status, the Economist Intelligence Unit offers up a useful risk chart that is updated monthly, highlighting the changes in perceived economic risk and stability.
If corruption and illicit business practices are a threat to you or your company’s travel security analysis, then the wealth of information offered by Transparency International will be of tremendous value. It offers an easy-to-use research tool to learn about the current level of corruption in various countries, or specific reports such as the one on “Exporting Corruption.”
One must not forget the threat to intellectual property. Companies should avail themselves to information and tools both public and private, free and proprietary, which focus on the foreign competitor or nation-state engagement in the theft of intellectual property. Jeffrey Carr, CEO of Taia Global, provided some recommendations in a previous interview.
“All companies need to invest in recognizing what [value] their intellectual property has to their competition, including state-sponsored/owned entities like those referenced in these recent arrests,” Carr said. “Tools such as Redact are available to highlight foreign government research and development spending on priority technologies and projects and assist companies in identifying potential threat vectors.”
Free public information is available in the U.S. from the FBI, which has created a brochure highlighting the threat to business travelers and their company’s intellectual property.
How Does the Travel Security Team Communicate Risk?
We have discussed previously the need for a symbiotic role between the CSO, CISO and other members of the C-suite, and how their combined responsibilities include communicating the risk presented in all instances involving employees or company assets. There is little argument as to the vulnerability of an employee while in travel mode or a transient state.
Likewise, the aforementioned research on the risk within various locales is worth its weight in gold in ensuring the CSO and CISO have the data required to enact appropriate checks and balances for the safety of both individuals and company property. The leadership team will decide, build or buy the creation of their messaging capability, but messaging is nonnegotiable. Employees will not behave or make choices in accordance with unstated or poorly communicated expectations. Clearly communicating these expectations enhances the likelihood that the employees will make the right decisions when faced with a decision while in travel mode.
What About Travel Briefings and Wellness Check?
With travel risk identified, it is time to ensure that the message is delivered. The recommended methodology does not include pointing your employees to the previously mentioned resources and cutting them loose. Thorough reviews and contextual capture is as important as the content of the risk being communicated to the employee. Mechanisms may include having an assigned travel analyst to communicate the risk via the company travel desk or through a dynamic travel portal on the company intranet that travelers must review prior to visiting flagged countries.
If the company has an operations center, then consideration of a daily wellness check call from an employee in travel status may make sense. If no operations center exists, a call to the employee’s supervisor should be substituted. These calls provide the employer a sense of the risks the employee is facing during travel, especially in this era of targeting company finances.
What If I Work in a High-Risk Travel Locale?
It’s bound to happen for the multinational company: An employee is assigned to a country that the travel analyst, CSO and CISO have all identified as risky for employee travel. These individuals may be subjected to different risk factors than their colleagues located at company headquarters.
The fact that they have technological connectivity may create a circumstance where they have direct and unencumbered access to the same information as their colleagues at headquarters, and depending upon industry, this may require special security implementations to ensure embargoed or sensitive technologies prohibited for export is not accessible to the resident employee.
Devices, Device Security and Tamper Monitoring?
It is important to determine if the travel security program will extend to mobile devices. In this day of bring-your-own-device (BYOD), it may prove difficult to implement, but depending upon how great a risk a specific environment presents, instituting a sterile device program (i.e., throwaway mobile phones, sterile laptops, etc.) for high- or extreme-risk locales is often warranted.
While such programs are expensive to implement, they do reduce the exposure of corporate and personal information that may otherwise be present on the devices used day-to-day by the employee traveler with the mother lode of corporate secrets. In addition, if specific travel devices are to be issued and used, then one will derive additional benefit from creating or obtaining the ability to scan, review and analyze the devices for unauthorized access or tampering. This analysis may produce positive and actionable information to validate the assessment conducted during the research step.
In sum, companies and individuals must determine which countries constitute a high risk, create a mechanism to communicate the identified risk and put in place a travel briefing program and wellness check for employees. Leaders must be prepared to communicate the risks and proper processes to those employees in a high-risk locale while also creating and implementing a device security and tamper monitoring program for company travelers. Bon voyage!
CEO at Prevendra
Christopher Burgess is the CEO of Prevendra, a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security...