Cyber security is consistently amongst the top-rated threats when business leaders consider their enterprise risks. Posing material risks to business continuity, data integrity, and the wellbeing of employees and customers, a successful data breach can undermine in hours the confidence that the organisation has built with its customers and suppliers over years of service.
Employees who travel for business are exposed to additional risks as they venture beyond the office. With more and more organisations returning to ‘normal’ travel behaviours, it is timely to remind your business travellers where the pitfalls lie and how they can ensure they stay safe while on the road.
In the past year global travel has rebounded from its COVID torpor. In GBTA’s January 2024 poll of travel professionals, 84% of buyers indicated that their travel spending in 2023 surged significantly (33%) compared with 2022. Our analysis of travel across the International SOS client base similarly indicates a 35% increase in international travel in 2023.
Organisations owe a duty to their employees (and their customers) to protect the personal information they hold. Effective cyber-security programmes are an important part of managing compliance with data protection regulations such as Europe’s General Data Protection Regulation (GDPR) and the California Consumer Protection Act (CCPA). Employee awareness training can reduce the risk of cyber incidents, minimising the time and expense of managing an incident and reducing the risk of repercussions such as fines and reputational impact. ISO 31030 advises providing travellers with guidance on information security precautions along with other guidance, such as health and security, to help reduce disruptive events.
In this guide, we will outline practical steps to enhance your company's cyber security posture, to extend the protections you provide to your travelling population.
1. Educate and Train Employees on Cyber Hygiene
Your workforce is your first line of defence. Educate employees about cyber security best practices:
- Phishing Awareness: Train employees to recognise phishing emails and suspicious links.
- Password Hygiene: Encourage strong, unique passwords and multi-factor authentication.
- Social Engineering: Teach employees to be cautious about sharing sensitive information and to be especially wary when travelling.
- Hotspot Risks: Educate employees on the risks of using insecure hotspots and the importance of using VPNs.
For more detailed cyber hygiene steps, refer to the United Kingdom Government’s “10 Steps to Cyber Security”.
2. Implement Robust Access Controls
Limit access to critical systems and data. Follow the principle of least privilege:
- Role-Based Access: Assign permissions based on job roles.
- Regular Reviews: Periodically review and revoke unnecessary access rights.
- Two-Factor Authentication (2FA): Implement 2FA for all users if possible, and mandate it for privileged accounts.
3. Secure Endpoints and Mobile Devices
Endpoints (laptops, smartphones) are common entry points for cyber-attacks:
- Device Updates: Keep laptops, smartphones and tablets up to date.
- Endpoint Protection: Install robust antivirus and anti-malware software.
- Mobile Security: Control and secure mobile devices used for work.
- Encryption: Encrypt data on endpoints to prevent unauthorised access.
4. Regularly Back Up Data
Data loss due to cyber incidents can be devastating. Implement a robust backup strategy:
- Automated Backups: Regularly back up critical data to secure, off-site locations.
- Test Restores: Verify that backups are functional and can be restored.
5. Monitor and Detect Anomalies
Implement continuous monitoring to detect suspicious activities:
- Security Information and Event Management (SIEM): Monitor logs for signs of intrusion.
- User Behaviour Analytics (UBA): Detect abnormal user behaviour patterns.
- Incident Response Plan: Develop a plan to respond swiftly to incidents. Ipsos reports that only 19% of businesses have a formal incident response plan.
6. Cyber Security While Travelling
Individuals are particularly vulnerable to cyber-attacks while travelling. Typical cyber-attack techniques used against travellers include ransomware, malicious updates, phishing, and unauthorised access.
Points of Vulnerability to Consider:
- Insecure Wi-Fi: Avoid using public Wi-Fi networks in airports, hotels, and other spaces, which are insecure and allow access by cybercriminals.
- Surveillance: Be wary of snooping, whether in person or through video. This can lead to credential theft or sensitive data disclosures.
- Theft of Devices: Opportunistic or organised theft of devices can lead to data breaches and sensitive data leaks. This may be carried out both by criminals and more advanced groups.
- USB Chargers: These are supplied in public places for convenience but can be used to download malware onto your devices and execute it.
7. Develop Incident Response and Crisis Management Plans
When denial-of-service attacks or data breaches occur, organisations must be equipped to respond.
Your risk assessments will help identify and mitigate your potential vulnerabilities, but these days we all realise that it’s not “if” but “when”. For this reason you must have rehearsed incident response and crisis management plans.
Key Actions:
- Vulnerability Scanning: Regularly scan your network and systems for vulnerabilities.
- Penetration Testing: Simulate real-world attacks to identify weaknesses.
- Asset Inventory: Maintain an up-to-date inventory of all devices and software.
- Incident Monitoring: Develop internal or external SOC capability.
- Incident Notification: Inform your IT department promptly should you lose your device.
- Incident Response Capabilities: Establish protocols for response to a wide range of incidents.
- Crisis Management: Rehearse your response.
How International SOS Can Help
By following these steps, your organisation can significantly reduce the risk of cyber-attacks and protect both company assets and employee wellbeing. Remember that cyber security is an ongoing process—stay informed, adapt to new threats, and invest in continuous improvement. Proactive cyber security measures are an investment in your organisation's resilience and long-term success. International SOS supports organisations with travel risk management, training, mental health resilience programmes, crisis management plans and more.