Cyber security and business travel

From the August 2019 print edition

Whether you’re a seasoned road warrior, or a once-a year-trip-abroad traveller, business travel poses unique cyber security threats. Business travellers carry sensitive data, both business and personal, on many devices including smartphones, tablets and laptops.

Easily available WiFi networks, cell phone roaming service and the ubiquity of the cloud enable travellers to be connected. But this presents opportunities for cyber threats to target new technologies, which often lack security.

The internet of things, artificial intelligence and voice recognition software have multiple benefits for users, but to provide these services, these technologies use intrusive collection methods to obtain personal and sensitive data, making them targets for cybercriminals.

Control Risks published a Cyber Threat Landscape Report in 2017, in which 46 per cent of respondents believed their organizations’ board-level executives do not take cyber security as seriously as they should. As well, 43 per cent of all respondents reported a compromise or data breach in 2016. Additionally, 37 per cent of IT and business professionals globally said employee education and awareness was their biggest cyber security challenge.

Cybercriminals threaten business travellers and the organizations they represent with reputational damage and financial losses. Control Risks’ research and experience shows that travellers to a wide range of countries face a growing threat from cybercriminal activity, both from sophisticated as well as less capable groups. Cybercriminals use techniques such as drive-by downloads and phishing attacks to facilitate financial fraud and steal credentials (for online banking, for example). They typically also use remote access Trojans (RATs) to install malware, allowing them to monitor victims’ behavior on their devices.

The cost of cyber attacks
Lloyd’s Bank says the global total cost of data breaches for businesses in 2015 was $400 billion and is expected to reach $2.1 trillion in 2019. According to Control Risks’s Cyber Threat Landscape Review 2017, in 2017 deploying malicious updates to software already installed on computers became one of the most dangerous methods. That review noted 264 significant cyber-attacks were recorded between January 1 and September 30, 2017. In the same period, 75 countries were impacted by cyber-attacks. Travellers should take precautionary measures before, during and after travel, especially to high-risk locations.

There are several common cyber-
attack techniques used against business travellers. These include:

DATA BREACH Theft of data due to limited security measures could lead to leaks of sensitive and reputation damaging information;

DDoS – Using infected devices that lead to slow or unresponsive web facing devices and applications;

RANSOMWARE Malware which encrypts data until a ransom is paid. Increasingly used as a smokescreen for deeper network intrusions;

MALICIOUS UPDATES Malicious requests for software or application updates. Hard to detect as installed malware runs in the background;

PHISHING SMS and emails impersonating legitimate actors, involving malicious links or attachments used to install malware;

UNAUTHORIZED ACCESS Using stolen credentials or brute force attacks (guessing username and passwords) for access to a network or device. Has been the highest threat score in the past 2 years due to its potential for privilege escalation and lateral movement;

FINANCIAL FRAUD Usually through phishing emails. Luring victims into making illegitimate payments or redirect legitimate details to criminal accounts.

Several points of cyber-security vulnerability exist for travellers. These include rogue wi-fi, which are wi-fi hotspots in airports, hotels and other public places that can be subject to packet sniffing attacks. These put at risk the confidentiality of communications being sent over that network and may lead to credential theft and network breaches.

Eavesdropping includes snooping, in person or through video, can lead to credential theft or sensitive data disclosures. Device theft can also lead to data breaches and sensitive data leaks. This may be carried out both by criminals and more advanced groups. As well, USB chargers that are supplied at public places for convenience can be used to download and execute malware onto your devices.

Traveller protection
Before travelling, research location-specific cyber threats. Implement security measures to prevent issues while travelling, and avoid advertising online the exact location/purpose of your business trip. As well, ensure all software on your devices is up-to-date. Avoid connecting to non-secure networks (public wi-fi hotspots) and, if possible, disable any wi-fi and Bluetooth capabilities.

In high-threat locations, maintain physical control of your devices and sensitive information. Keep your laptop as carry-on and don’t loan it to anyone. When returning from a trip, or if you have witnessed suspicious activity on your devices, ask your IT service desk to check for signs of cyber-attack. Do not connect your devices to sensitive networks until they have been verified as safe.

There are preventive and protective actions that employees can take while in an office setting as well, including:

  • Back up your data regularly, and make sure your anti-virus software is always up to date;
  • Practice good password management;
  • Adopt simple cautious behaviours;
  • Never leave your devices unattended;
  • Constantly monitor your accounts for any suspicious activity and do not hesitate to report something suspicious;
  • Always be careful when clicking on attachments or links in email
  • Sensitive browsing only on a device that belongs to you and on a network that you trust; and
  • Be careful of what you plug in to your computer.

    Wendy Stachowiak Is VP of global travel partnerships at International SOS and vice-chair of the GBTA Risk Committee.

Cyber-risks are more prevalent than ever. But by using the tips above, travellers can work to ensure their sensitive information is as protected as possible.