Cybersecurity for business travellers
Greg McAleer from Global Guardian explains why, as business travellers hit the road again, minimising cyber risk is critical
It matters what you do, where you are, and how you are postured from a security standpoint. Cyberattacks are becoming increasingly common and destructive. The Covid-19 pandemic exacerbated this trend as much of the global workforce moved to remote or hybrid work, often on unsecure networks and devices. Today, as the world continues to reopen and business travel increases, individuals need to be hypervigilant about cybersecurity. Business travellers venturing outside the secure bubble of their offices are particularly vulnerable to cybercriminals or nation-state actors looking to steal intellectual property for financial gain, achieve a competitive advantage, or further national security interests. Ignoring the risk can have serious financial, operational, legal, reputational, and compliance implications for a company.
Business travellers venturing outside the secure bubble of their offices are particularly vulnerable to cybercriminals
An everywhere problem
Every company should take into consideration whether their operations – including their output, the products and services they provide, and their industry – could be exploited by an outside actor, criminal group, or nation state. I would advise companies to carefully consider where they have their crown jewels and how to keep them safe.
Companies and corporate leaders must be cautious about doing business in a country that does not respect privacy or human rights. Additionally, if the host government compels or requires companies to provide access to their systems as a condition for doing business, that raises a red flag. For example, multinational companies should be very concerned about travelling to China and doing business with Chinese companies, because it is often difficult to separate private entities from state-owned enterprises in China.
It would give me pause to conduct business in, and travel to, any country with a totalitarian government. Additionally, while sanctions prevent business relationships with companies in Russia, Iran, and North Korea, these countries are cyber agitators that pose a significant threat. But this is not just limited to these countries. It is an everywhere problem.
The nature of the threat
Many cyberattacks are financially motivated, such as in cases of ransomware. The perpetrators of these attacks are either criminal groups, entities or individuals operating with the material or tacit support of a nation-state, or a nation-state itself. The lines between these actors are often blurred, making it difficult to accurately pin the blame for an attack.
The cyber ecosystem is expansive, and the opportunities to conduct malign cyber activity against individuals, companies, or countries are considerable. It is unrealistic and unwise for a company to operate under the assumption that it is 100-per-cent secure. That’s primarily because human error is the main driver of many cyber threats facing companies.
Intellectual property theft is also prolific among cybercriminals and adversarial nation states because it is profitable from a national security and business standpoint. Every sector can be a target, and no one is immune. Take, for example, minerals and mining. Rare earth metals are critical components in the production of chip technologies. In countries and regions with plentiful sources of rare earth metals and minerals, malicious actors who can get their hands on crucial information regarding those natural resources can shape the economic sectors that depend on it. That creates a competitive advantage for them.
From a nation state’s perspective, it is often easier to steal defense or military technologies than to invest in the research and development needed for next-generation technologies or capabilities. There is a much greater return on investment if the technology can be stolen from a company that has already invested in its development.
Don’t ignore risk
A company that has or is seeking an operational presence in a country where the expectation of privacy does not exist or is fluid should be concerned about travelling, doing business, and conducting negotiations during visits. The last thing a company needs is a permissive cybersecurity posture or one that ignores risk. Imagine the harm an adversary could unleash on a company if they were to gain access to material non-public information.
In particular, companies well positioned in a market or producing cutting-edge or emerging technologies should adopt the proper cybersecurity posture. They should assume that other entities are trying to penetrate their electronic and human networks to obtain information that would help them gain a strategic or competitive advantage. In totalitarian regimes, there is a higher likelihood that you are a target of such attacks.
Ultimately, malicious cyber actors can strike targets anywhere in the world from anywhere in the world. And remaining vigilant and prepared should be a top priority for any company.
Cybercriminals target the soft spots in a company’s network
How to minimize the risk
It is unwise for companies to downplay cyber threats by claiming they are not important enough to become a target. However, in my experience, no company or individual is ever too small or insignificant; every company needs to recognise that it can be a target.
One of the most common points of failure is the fact that companies do not protect their systems at the end user. There is often inadequate investment in security and employee training on how to identify and protect against cyber threats. All it takes is a couple of missteps, bad clicks, or logging into the wrong place to heighten the risk of being breached or infected by malware or ransomware.
Cybercriminals target the soft spots in a company’s network. They will identify the most vulnerable employee or look for the easiest way to breach a company’s network. In fact, most data breaches originate a few rungs down the corporate ladder.
- Everyone who has access to the company’s network is a potential target. Therefore, companies must take cyber threats seriously and employ appropriate measures to secure their systems and safeguard all their employees, especially those travelling or using unsecure networks and devices. I advise clients to take the following steps in order to bolster their cybersecurity and protect against cyber threats:
- Understand the threat: read the risk assessments of the country you are travelling to and explore enhanced security measures. Monitor the news and request briefings from security providers. Be aware of how a country treats its citizens’ human rights and privacy. A government’s disregard for these rights can adversely affect foreign companies operating in that country.
- Secure yourself: avoid unsecure public wi-fi networks and assume that you are being electronically and physically surveilled in certain countries. Electronic devices, particularly cell phones, laptops, and tablets, are portable and can store massive amounts of business intelligence and strategic data; that includes sensitive documents and plans, emails about mergers and acquisitions, and financial data. Use the strongest, most powerful VPN and other technologies to mask who you are, where you are, and what you are doing. Use clean phones and one-use computers. At the end of your trip, examine those devices for malicious infiltration attempts and then wipe them clean.
- Secure everyone: while a senior executive who is travelling may require some level of physical protection, whether that is armed guards or armored cars, every employee should be protected when it comes to their cyber presence. A recent PwC Pulse survey found that 40 per cent of top US executives consider cyberattacks the largest risk companies face.
- Don’t rely solely on insurance policies: cyber insurance policies are becoming more exclusive and expensive as the spike in cybercrime has created a surge in demand. If your plan is to rely solely on cyber insurance, I would strongly suggest you rethink that plan.
- Think like the adversary: if your company were to target itself, what would you attack first, and how would you do it? What are your weak spots? Companies should be actively conducting tabletop exercises to enhance their security.
The gap between the velocity of technology and the velocity of business is closing. Money can be wired in seconds, global events are witnessed in real time, and malign cyber activities and criminal actions can occur just as fast. Now that business travel is resuming, the associated cyber threats are more prevalent than ever. At the end of the day, it matters what you do, where you are, and how you are postured from a cybersecurity standpoint.