Though the summer holidays are behind us, business travel is ramping up with employees busy planning for the year ahead. With that in mind, it’s a good time for organisations to remember that travelling employees — executives in particular — can pose an additional cyber risk to businesses all year round. From being careless about online bookings through to disregarding cybersecurity best practices, travellers often have their guard down when they travel, pushing security concerns to the back of their minds.
This can lead to significant exposure for businesses: it only takes one person to fall victim to a scam for a cybercriminal to launch an attack, and attackers often target employees when they are out of the office. That’s why it’s critical for organisations to make clear to employees that cybersecurity best practices are portable, and that they should be applied on work devices and personal devices, during work hours and on personal time. A cybersecurity awareness programme should stress these points and strive to make security-conscious behaviours automatic for end users, rather than just an occasional pursuit.
Here are a few best practice tips to help keep your employees safe whilst out of the office:
Always book travel through trusted sources
In many organisations, employees are tasked with making their own travel arrangements, with reimbursements happening later. Fraudsters certainly know that end users are tempted by hotel, flight, and car rental discounts, and they will pose as travel agents and create seemingly legitimate third-party websites.
Here are ways to protect your organisation and raise awareness among employees:
- Work with HR teams to establish policies and procedures around booking travel, including identifying a list of acceptable booking agents and travel sites, and potentially disallowing reimbursements if arrangements are made via unapproved channels.
- Instruct employees to avoid acting on travel discounts they receive via unsolicited emails. Instead of clicking links or calling numbers included in these messages, users should visit trusted websites or call a verified phone number to confirm an offer is legitimate.
- Make employees aware that credit cards are the best option for online payments because they offer a layer of protection and insulation that debit cards and bank transfers do not. Travellers should stick with a credit card when booking trips, even if they are promised a discount for using an alternative payment type.
Stick to the basics
Many travellers think about packing light when it comes to clothes and toiletries. This mindset should also apply to mobile devices and personal data. Advise employees that, when possible, they should leave data-packed business devices at home and limit the number of credit cards and personally identifiable items they take with them. If your organisation regularly supports the travel of high-value targets who hold particularly sensitive data, it may also be worth exploring the possibility of providing access to ‘disposable’ phones and laptops that can be used to limit exposure when these users are on the road.
Stress the importance of physical security to all employees, not just those who travel. Company devices should be kept secure at all times, and this includes securing devices left in hotel rooms, for example. A stolen device can lead to sensitive data being disclosed, with costly consequences in both monetary and reputational terms. Keeping devices – personal or corporate – safe also keeps data safe. It’s not just about convenience but cyber protection too.
Employees should be very cautious about the details they share about their travel. Remind them that communicating about a trip over social media is akin to announcing on the radio that their house will be empty for a week. Location tracking should also be turned off and ‘check-ins’ kept to a minimum. Travellers who reveal where they are also reveal where they are not, and this can be lucrative information for cybercriminals who are trying to tap into habits and schedules. Even Bluetooth connections – for example, pairing a smartphone with a rental car – should be avoided as data may be left behind.
Be cautious of open WiFi
We have all done it: connecting to a WiFi network in a hotel lobby or a local café ahead of a meeting to download the latest presentation or Excel file. Make sure your employees are aware of the potential risks related to open-access WiFi. We advise sharing these tips:
- Avoid logging into password-protected accounts or completing financial transactions when connected to open WiFi networks.
- Be sure a WiFi network is legitimate before connecting. Scammers can set up ‘evil twin’ networks with names that sound trustworthy – ‘Airport WiFi’ for example.
- Turn off automatic connections to WiFi networks, as this can make a device more vulnerable to attack.
- Use a virtual private network (VPN) while connected to open WiFi to add a layer of encryption and security.
- When in doubt, opt for mobile data on a smartphone or use a smartphone to create a hotspot for a laptop or other device.
Know your VAPs
High-level employees have access to your organisation’s most sensitive and business-critical data and contacts, which makes them VAPs (very attacked people), or prime targets for cybercriminals.
Human nature is trusting and fraudsters know that all too well: they will trick your workers into opening an unsafe attachment or clicking on a dubious web link. They will impersonate your CEO and order your finance department to wire money. And they will con your employees into sharing login credentials. And what better way to catch them than when they are on the road…
There are many publicised examples of fraudsters tricking organisations out of millions of dollars, having capitalised on senior executives being out of band, out of the office or travelling. Organisations should recognise the risks associated with business travel and ensure employees go through security awareness training to help them understand ways they can be more cautious about the cyber risks they face when on the road.
The need to stay connected should not supersede the need for security; after all, it only takes one carefully crafted email to reach a busy executive about to board an 8-hour flight for cybercriminals to land their next victim.
Amy Baker, Vice President of Marketing, Wombat Security, a division of Proofpoint