Many executives—particularly senior business leaders—frequently travel worldwide as part of their jobs. Hackers and cyber criminals know this, and that adds a risk factor that companies should not ignore.
“Adversaries in the form of businesses, governments and criminals target traveling business executives for the same two reasons they always have: the actual person, and information the executive has,” says Jim Jones, an associate professor in the Computer Forensics program within the Electrical and Computer Engineering Department at George Mason University.
“While physical risks have remained relatively constant, the information risks have grown exponentially,” Jones says. “Information risk used to be limited to what the executive could carry in paper form. Now, not only might the executive be carrying a library's worth of sensitive data on a collection of digital devices, but that data can be copied quickly, quietly and without the executive relinquishing possession.”
To make matters worse, those digital devices provide immediate and possibly long-term access to an organization's assets, Jones says. “Adversaries have the ability to extract unencrypted or weakly encrypted data from any device, including communications to and from those devices, and adversaries may physically modify a device to thwart even the best security and encryption,” he says.
Following are some steps companies and executives can take to enhance travel-related security.
Use extreme caution with mobile devices. This might sound obvious enough, but one of the biggest security risks involving traveling executives is the loss or theft of such devices as well as the data they hold.
A few factors make this a daunting challenge. One is that people rely heavily on their devices, and tend to want to take them wherever they go. Another is that oftentimes it’s not just a matter of one device, but several: smartphones, tablets, laptops, wearables, etc.
Some experts, such as Michael McCann, former United Nations security chief and now president of security services provider McCann Protective Services, recommend that executives leave their devices at home. This is especially true if they are traveling to China, he says. “Second best, make sure it is attached to you; never leave it anywhere,” he says.
All devices should be equipped with technology such as password protection, encryption, data backup and remote data wipe capabilities, in the event that devices go missing.
“Loss of laptops and mobile devices continues to be a significant threat, and many organizations still aren’t encrypting the data on those endpoints,” says Paul Cotter, security infrastructure architect at business and technology consulting firm West Monroe Partners. “Given the simplicity of enabling device encryption on current hardware and operating system platforms, this should be considered a bare minimum data protection requirement.”
When leaving a mobile device in a hotel room, secure the device in a room safe when you’re not in the room, says Richard Greenberg, Information Security Officer at Los Angeles County Public Health.
“Always keep an eye on your laptop,” Greenberg says. “In the airport don't push it through the X-ray machine until you are ready to proceed yourself. Don't leave it at your table in Starbucks to get up and get a coffee. It only takes an instant to grab a device and take off.”
Make sure connections to the home office are secure. Executives on the road will almost certainly be checking in with headquarters on a regular basis for communications or to access information, and this provides a potential weak link.
Using a secure communication channel or secure corporate virtual private network for all network connections is a good idea, says Pritesh Parekh, CISO at Zuora, which provides a billing platform for subscription services.
“It’s much harder to decipher traffic going over encrypted channels,” Parekh says. “At Zuora, all our corporate services uses strong encryption so executives connecting from anywhere during travel use a secure channel to make Web connections.”
A good practice is to use multi-factor authentication with one-time use tokens to access business applications and services while traveling, Parekh says. Most of the critical applications at his company have two-factor authentication. “Zuora personnel have access to applications on a need-to-know basis and are required to enter username/password and a one-time use token,” he says.
[ ALSO ON CSO: Computing on the Go: a Road Warrior Survival Kit ]
By using encrypted and strongly authenticated remote connections over previously identified networks, executives can access the data they need, securely, Jones says.
Be aware of surroundings. Executives on the road need to have a good sense of when they are in potential danger from a security standpoint.
“For traveling executives, it’s important to have a sense of situational awareness,” says Miguel Martinez, a vice president at global risk management agency Pinkerton. “Who are you talking to and sharing information with? Who knows where you’re going? Sharing this information with the wrong parties can make you an easy target.”
Effective security precautions require not only a conscious awareness of one's environment, but the need to exercise prudence, judgment and common sense, McCann says. This is especially true when a business executive has to acclimate to different cultures, customs and laws.
In some cases, executives traveling abroad on business should be aware that they might be targeted by cyber criminals, intelligence agencies, terrorists or even business competitors if they are in possession of or are knowledgeable about proprietary information, McCann says.
This means avoiding indiscreet chatter that might get the executive or company in trouble with bad actors. With advanced electronics technology, someone could be listening in on conversations without the parties even realizing.
Don’t leave yourself prone to “shoulder surfing”. “I can’t count the number of times I’ve been able to glean confidential information on upcoming presentations, business pitches, stock purchase movements, simply by glancing across to my left or right while on a plane, train or sitting in a coffee shop,” says Steve Durbin, managing director of the Information Security Forum, an independent organization that helps companies develop best practices for investigating and resolving information security and risk management issues.
“Viewing confidential information in public areas without having screen protection can lead to data leakage,” Parekh adds. “Someone watching closely can figure out your password or can read confidential information.”
Inform the security/IT department of travel plans. “Make them aware that you are visiting Nigeria, New York or wherever you happen to be headed,” Durbin says.
“Most organizations will have security policies in place that determine the degree of access and approach that the organization has deemed appropriate for its risk appetite and the individual concerned,” Durbin says. “Access to the level of sensitive data will be a key determinant in what steps your security guys will want you to take.”
If possible provide an itinerary. “If you have security monitoring on your network, it may be helpful for the guys in your operations center to know where you are traveling,” Durbin says. “An attempt at network access from Sydney when you left there two days previously will only ring alarm bells if the security guys know that you were due to leave two days ago, and are now in Singapore.”
Leverage threat intelligence. Executives planning to travel should use cyber threat intelligence similar to the physical threat intelligence available.
“Such intelligence could be created using advanced analytics capabilities [to] integrate cyber and geospatial threat data, and would include hotels, business offices, networks and locales where malicious and unfriendly entities are known to operate,” Jones says.
Knowing the nature and physical locations of such threats will allow executives to mitigate the risk of rogue wireless and cellular access points, captured and monitored traffic, unauthorized physical access to computing devices and installation of malicious code and monitoring tools, Jones says.
“Executives [should] only connect to known safe Wi-Fi or broadband access points, where security credentials and details for those access points could be pre-loaded on the executive's devices,” Jones says. Upon the executive's return to the home office, devices should be analyzed to determine whether, when and how they were attacked. This information can then be processed by an analytics engine and added to future threat intelligence reports, he says.
Don’t forget training. A security awareness program focused on security threats during travel is important, Parekh says.
“Security awareness should be a continuous education process and not an annual event,” Parekh says. “We use a combination of online security awareness training, targeted in-person training and frequent email communication to increase awareness.”