What CISOs Should Review in Travel Security Programs

For the past two years, CISOs have been able to set aside, temporarily, the task of securing corporate data for employees in travel mode. Instead of taking business trips and getting some fresh air, we faced the reality of having to stay apart to protect one another from the pandemic. Business travel is rising again now that coronavirus testing and vaccination are commonplace, and the travel industry expects to return to pre-pandemic levels in the middle to second half of 2022.

Therefore, every CISO needs to check whether their company is prepared for this kind of situation. As the number of business trips increases, so does the risk. CISOs should ask management and their teams what their travel program should include.

Steve Tcherchian is CISO at XYPRO, where employees regularly travel to different countries. Tcherchian points out that his company has device awareness and procedures, and that how it crosses borders with data depends on the risk of each region. He added that a separate travel device is not prepared every time an employee goes on a business trip.

Abnormal Security CISO Mike Britton said it’s common practice for employees to take rental laptops with them when they travel to high-risk countries. “For example, when an employee travels far away from their usual place of work, such as the United States, Europe or China, we review all risks and restrictions to ensure the safety of our employees and adequate protection of company assets and information,” Britton explains.

So, how do we determine that one country is at higher risk than another? The best reference is the US Department of State’s Travel Advisory Program. Canada, Australia and the UK also have travel alert programs that are readily available to the general public. It is essential to join the State Department’s Overseas Safety Advisory Committee (OSAC), supervised by the Office of Foreign Affairs and Security. OSAC analysts compile research, extract key points, and present it at international events in a way that can be easily understood by attendees. Given that it costs nothing other than the time required to absorb this information, it’s really worthwhile. By the way, I am a member of OSAC.

Not all employees agree on the need for travel devices. Venn CEO David Matalon countered the claim that travel devices are essential, saying each team would be able to access work apps and data from any device on any network through its SaaS technology. Matalon says his solution provides full app compatibility. “The solution’s zero trust model, which works across all operating systems, keeps devices compliant at all times.” Matalon emphasized that Venn does not provide travel instructions to employees traveling abroad.

If you don’t know if there is a travel program

The following questions are taken from my book Stolen Secrets, Lost Property: Preventing Intellectual Property Theft and Industrial Espionage in the 21st Century. Although it was published in 2008, it is still a meaningful book in 2021.

  • Does the travel security program include a list of countries classified as high-risk countries for employees traveling or working abroad?
  • Is there a notice in the travel security program that these risk countries must be communicated to travel agents and executives?
  • Does the travel security program identify expatriates working in high-risk countries?
  • Is a briefing program for business travelers compulsory before a business trip to a high-risk country?
  • Are your employees aware that they must carry devices and confidential data with them at all times when traveling?
  • Does the travel program monitor and receive reports on employees who travel to high-risk areas?
  • Does the company’s security awareness and training programs include travel-related content?
  • Does the travel program detail the data-gathering capabilities of social networks? Does it also explain that sharing an itinerary is tantamount to giving other users permission to document, collect, and analyze travel plans?
  • Does the travel program implement a single-use device program for high-risk areas?
  • Are single-use devices checked for breaches as soon as the traveler returns?
  • Do all travelers get a privacy laptop shield and cable lock for their disposable devices?
  • When senior management is on a business trip, is there a mechanism in place to double-check that the expenses approved by the management are correct in case the CEO and CFO work emails are hacked?
  • Does the program require travelers to submit travel itineraries, share passport information pages, and check in with the company to report ‘no problem’ during business trips?

If you do not have a travel program

Businesses need to prepare at least a basic travel program. Here are my standing recommendations for business travelers to any location, high-risk or not.
  • To prevent hacking of the company’s email system, review remote use and conduct relevant training. For example, we recommend that you use a Virtual Private Network (VPN) and Virtual Desktop Infrastructure (VDI), or use only secure email.
  • If your company has an operations center, consider having it check in with the employee by phone every day during business trips to confirm nothing is wrong. If there is no operations center, the business traveler’s supervisor must confirm by phone instead.
  • Contact the issuer of your credit or debit card and tell the fraud response department where and when you will be traveling. The department then monitors for activity that is suspicious or falls outside those travel dates or locations.
  • Make copies of all your travel documents and credit cards and give them to a trusted employee. If you need to replace some or all of your travel documents or credit cards, a copy is a great help.
  • Work with the finance staff to review the specific circumstances under which money transfers and similar transactions could occur. Also check what authentication procedures are in place to prevent spoofing.
  • Sharing too much information on social networks is a ‘serious problem’ that users can control. If you post every time you visit a place, you will also be notified of places you are not sure of.
  • Enroll in the official travel program of your country of origin. U.S. citizens can enroll in the U.S. Department of State’s Smart Traveler Enrollment Program (STEP).
  • Assume that your accommodation offers no privacy guarantees at all.

All businesses should have a travel security program in place. This travel program should be socialized during the annual Security Awareness Program.

Source: ITWorld Korea by www.itworld.co.kr.

*The article has been translated based on the content of ITWorld Korea by www.itworld.co.kr.