We live in a hyper-connected world, which gives businesses many opportunities to become more productive and effective at generating value. Our ability to connect to the wider world through mobile devices also creates additional risk in the forms of data theft and malware.
Cybersecurity threats can take many forms
Organizations with formalized travel programs need to understand how modern cybersecurity threats impact their overall level of risk. In addition to companies' duty of care to their employees, they must also maintain vigilance against costly digital threats. Unfortunately, many of these risks come from within the organization itself. According to a 2018 report from Ponemon Institute, negligent employees cause 64 percent of all insider threat incidents. The majority of these incidents are not purposefully malicious in nature, but are often the result of a failure to adequately communicate policy.
In addition to defending organizations against outside threats, your organization’s stakeholders must also develop strategies for educating travelling employees about the common pitfalls they could encounter on the road. Ponemon found that 49 percent of surveyed employees say they are unaware of any organization-wide cybersecurity policies related to travel.
Cybersecurity threats can take many forms, and they aren't always easy to spot. Criminals can steal private login data, spoof device ownership, force their way into private servers and infect devices with spyware and ransomware.
Threats can also come from third-party vendors and suppliers. For example, hotel Wi-Fi networks may be compromised for hours, days or weeks before anyone notices. Another Ponemon survey of North American and U.K. firms found that 59 percent had experienced a data breach caused by a vendor. As organizations utilize more third-party relationships, the risk of data theft increases exponentially.
Travelling employees are especially at risk of being exposed to cybercrimes when they enter foreign jurisdictions lacking privacy laws for foreigners. Countries known for corruption may offer little protection against data theft, especially at border crossings. Confiscated devices could be compromised before being returned to their owner.
Canadian citizens travelling abroad should also note that they may not be protected by the same data privacy rights they enjoy at home. Companies must be vigilant about protecting their data, as they may not have legal recourse in foreign jurisdictions.
Data protection begins with employee education
Education is one of the most important steps toward policy compliance. When travellers are aware of the risks they face on the road, they'll be more likely to stay alert. Your stakeholders should consider allocating resources toward developing training collateral that speaks to the unique security needs of their organizations. For example, if many travellers are flying to the same country or city, stakeholders can develop materials that list tips and best practices specific to those destinations.
More generally, travel leaders should look for ways to bake data security directly into their policies. Transparent rules not only tell travellers how to protect themselves, but also explain why doing so is important.
Potential actions for reducing the threat of data theft include:
- Using a virtual private network when accessing public Wi-Fi networks.
- Locking devices when not in use.
- Adopting remote-access collaboration software to limit the amount of data stored locally on the user's device.
- Disabling device connectivity features such as Bluetooth.
- Learning about the privacy rights of non-citizens in foreign jurisdictions.
- Reviewing entry and exit procedures before crossing international borders.
A comprehensive threat assessment should precede any significant policy changes.