CISOs, what’s in your travel security program?

The past two years have provided CISOs a bit of a reprieve with respect to protecting company data while employees are in travel mode. While the gulp of fresh air may have felt great, upon exhaling we realize that many of those working from home are in fact traveling for pleasure and to distance themselves from the pandemic to continue working. Now, with the ubiquitous COVID testing and vaccine protocols, business travel is on the uptick. The travel industry opines it will return to pre-pandemic levels in mid- to late-2022.

For this reason, every CISO should ensure their entity is prepared for this influx, which arguably adds a layer of risk. The CISO should be asking questions of C-suite and of their own teams regarding what’s inside the corporate travel program and what needs to be inside the program.

For multinational companies and those where employees traveling with regularity, Steve Tcherchian, CISO and chief product officer at XYPRO, notes how his company includes awareness and procedures with respect to devices and traveling with data across borders, with differentiation between the risk presented by different locales. That said, he adds how separate travel devices are not prepared for each trip.  

Abnormal Security’s CISO, Mike Britton, notes how loaner laptops are the norm when employees are traveling to higher-risk countries. In addition, he explains, “When employees travel outside of their normal working region (e.g., traveling from the U.S. to Europe or China), we evaluate any risks and restrictions to ensure our employees are safe and protect our company assets and information appropriately.”

So how does one determine if a country is higher risk than another? A good first stop, would be the U.S. Department of State and its travel alert program. Canada, Australia and the United Kingdom also have publicly available travel alert programs readily accessible. For U.S. entities membership in the of the State Department’s Overseas Security Advisory Council, which is managed by the Bureau of Diplomatic Security, is a must. OSAC analysts collate, distill and present their findings on global events in an easily digestible manner. A true value given it costs nothing other than the time necessary to absorb. (Full disclosure: I am an OSAC member.)

Not everyone is on board about the need for travel devices. Venn CEO David Matalon, not surprisingly, pushed back on the idea of travel devices being required and noted that his firm’s SaaS technology enables teams to access their work apps and data from any device on any network. His solution, “offers seamless app compatibility. It works on every operating system and its zero-trust model constantly monitors the device to ensure compliance at all times.” He did note that his entity does not provide travel briefings to employee’s traveling abroad.

Don’t know if you have a travel program?

The following questions are drawn from my own work, “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress 2008), which were as valid in 2008 as they are now in 2021.

• Does this program include a list of countries posed as high risk or extreme risk to those employees or executives who travel or work outside the country of origin?
• Does your travel security program require these risk countries to be communicated to the executive team and the personnel responsible for travel?
• Does your travel security program identify expatriates working in high-risk countries?
• Do you have a traveler briefing program required before every trip to a high-risk environment?
• Do your employees understand never to leave confidential material unattended and to keep devices with them while traveling?
• Does your travel program monitor and debrief personnel having traveled to high-risk environments?
• Does the company’s security awareness and education program include a segment on travel?
• Does your travel program brief on the data aggregation capabilities of social networks? What about how the sharing of an itinerary can permit an adversary to document and collate travel plans?
• Does your travel program implement a sterile device program for high- or extreme-risk locales (e.g., throwaway mobile phones, sterile laptops)?
• Are these sterile devices reviewed for compromise upon the traveler’s return?
• Are all travelers issued cable locks and laptop privacy screens for their devices?
• If key executives are traveling, are checks put in place concerning any expenditures they authorize be double-checked for authenticity, to avoid CEO/CFO business email compromise.
• Does the program include the need for travelers to file itineraries with the company, sharing passport data page and have a daily “all safe” call into the company while employees travel?

Don’t have a travel program?

Give some thought to putting at least a rudimentary program together Here are a list of actions which this author has and continues to advise travelers to any area be it perceived as low or high risk.  

• Review and train on the remote use of company email systems to avoid compromise. This may include adopting the use of a virtual private network (VPN), virtual desktop infrastructure (VDI) or restricting yourself to secure email.
• If the company has an operations center, then consideration of a daily wellness check call from an employee in travel status may make sense. If no operations center exists, a call to the employee’s supervisor should be substituted.
• Contact your credit and debit card-issuing institution and inform their fraud department that you will be traveling to a given locale. Provide the dates and specific locations. This allows the fraud department to monitor for unusual activity and activity outside the window of your travel.
• Make copies of all your travel documents and credit cards to leave with a trusted individual. Should you need to replace any or all these resources, the copies will be instrumental in accomplishing the task.
• Review the precise circumstances in which wire transfers and the like can take place with your enterprise’s finance personnel. Check what authentication protocols are in place to avoid spoofing.
• TMI (too much information) is a malady you can control, especially with respect to social networks. Each time you post where you are, you are also posting where you aren’t.
• Register with your country’s official travel program. For U.S. citizens that is the State Department’s Smart Traveler Enrollment Program (STEP).
• Assume your lodging affords you no privacy.

Every entity should have a form of a travel security program. Socialization of the program should take place during the annual security awareness program. For those who wish a shortcut, here is a two-pager from the National Counterintelligence Security Center.