Cyber security is consistently amongst the top-rated threats when business leaders consider their enterprise risks. Posing material risks to business continuity, data integrity, and the wellbeing of employees and customers, a successful data breach can undermine in hours the confidence that the organization has built with its customers and suppliers over years of service.
Employees who travel for business are exposed to additional risks as they venture beyond the office. With more and more organizations returning to ‘normal’ travel behaviors, it is timely to remind your business travelers where the pitfalls lie and how they can ensure they stay safe while on the road.
In the past year global travel has rebounded from its COVID torpor. In GBTA’s January 2024 poll of travel professionals, 84% of buyers indicated that their travel spending in 2023 surged significantly (33%) compared with 2022. Our analysis of travel across the International SOS client base similarly indicates a 35% increase in international travel in 2023.
Organizations owe a duty to their employees (and their customers) to protect the personal information they hold. Effective cyber-security programs are an important part of managing compliance with data protection regulations such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). Employee awareness training can reduce the risk of cyber incidents, minimising the time and expense of managing an incident and reducing the risk of repercussions such as fines and reputational impact. ISO 31030 advises providing travelers with guidance on information security precautions along with other guidance, such as health and security, to help reduce disruptive events.
In this guide, we will outline practical steps to enhance your company's cyber security posture, to extend the protections you provide to your traveling population.
1. Educate and Train Employees on Cyber Hygiene
Your workforce is your first line of defense. Educate employees about cyber security best practices:
- Phishing Awareness: Train employees to recognize phishing emails and suspicious links.
- Password Hygiene: Encourage strong, unique passwords and multi-factor authentication.
- Social Engineering: Teach employees to be cautious about sharing sensitive information and to be especially wary when traveling.
- Hot-spot Risks: Educate employees on the risks associated with using insecure hotspots and the associated importance of using VPNs.
For more detailed cyber hygiene steps, refer to the United Kingdom Government’s “10 Steps to Cyber Security”.
2. Implement Robust Access Controls
Limit access to critical systems and data. Follow the principle of least privilege:
- Role-Based Access: Assign permissions based on job roles.
- Regular Reviews: Periodically review and revoke unnecessary access rights.
- Two-Factor Authentication (2FA): Implement 2FA for all users if possible but mandate it for privileged accounts.
3. Secure Endpoints and Mobile Devices
Endpoints (laptops, smartphones) are common entry points for cyber-attacks:
- Device Update: Keep your laptop, smartphone and tablets up-to-date.
- Endpoint Protection: Install robust antivirus and anti-malware software.
- Mobile Security: Control and secure mobile devices used for work.
- Encryption: Encrypt data on endpoints to prevent unauthorised access.
4. Regularly Back Up Data
Data loss due to cyber incidents can be devastating. Implement a robust backup strategy:
- Automated Backups: Regularly back up critical data to secure, off-site locations.
- Test Restores: Verify that backups are functional and can be restored.
5. Monitor and Detect Anomalies
Implement continuous monitoring to detect suspicious activities:
- Security Information and Event Management (SIEM): Monitor logs for signs of intrusion.
- User Behavior Analytics (UBA): Detect abnormal user behavior patterns.
- Incident Response Plan: Develop a plan to respond swiftly to incidents. Ipsos reports that only 19% of businesses have a formal incident response plan.
6. Cyber Security While Traveling
Individuals are particularly vulnerable to cyber-attacks while traveling. Typical cyber attack techniques used against travelers include ransomware, malicious updates, phishing, and unauthorised access.
Points of Vulnerability to Consider:
- Insecure Wi-Fi: avoid using public Wi-Fi networks in airports, hotels, and other spaces which are insecure and allow access from cybercriminals.
- Surveillance: be wary of snooping, whether it be in person or through video. This can lead to credential theft or sensitive data disclosures.
- Theft of Devices: Opportunistic or organized theft of devices can lead to data breaches and sensitive data leaks. This may be carried out both by criminals and more advanced groups.
- USB chargers: These are supplied in public places for convenience but can be used to download and execute malware onto your devices.
7. Develop Incident Response and Crisis Management Plans
When denial-of-service attacks or data breaches occur, organizations must be equipped to respond.
Your risk assessments will help identify and mitigate your potential vulnerabilities, but these days we all realize that it’s not “if” but “when”. For this reason you must have rehearsed incident response and crisis management plans.
Key Actions:
- Vulnerability Scanning: Regularly scan your network and systems for vulnerabilities.
- Penetration Testing: Simulate real-world attacks to identify weaknesses.
- Asset Inventory: Maintain an up-to-date inventory of all devices and software.
- Incident monitoring: Develop internal or external SOC capability.
- Incident notification: Inform your IT department promptly, should you lose the device.
- Incident response capabilities: Establish protocols for response to a wide range of incidents.
- Crisis management: rehearse your response.
How International SOS Can Help
By following these steps, your organization can significantly reduce the risk of cyber-attacks and protect both company assets and employee wellbeing. Remember that cyber security is an ongoing process—stay informed, adapt to new threats, and invest in continuous improvement. Proactive cyber security measures are an investment in your organization's resilience and long-term success. International SOS supports organizations with travel risk management, training, mental health resilience programs, crisis management plans and more.