Travel Risk Management vs. Duty of Care
Within the topic of corporate travel safety there are a lot of similar terms thrown around, often the two are used interchangeably, which is incorrect.
Duty of care is a company’s moral and legal obligation to keep its employees safe. It obliges companies to take responsibility for the health, safety, and security of their employees, whether they’re in the office or away on a business trip. On the other hand, travel risk management is the strategy that fulfils that obligation. It’s the action plan that provides the care that companies have a duty to give.
In short, the difference lies in what companies need to do to ensure the safety of their employees versus how they’re going to do it.
What are some safety risks to consider while traveling for work?
Political Instability
Political instability can affect travel plans and put travellers in jeopardy. Business travel to and within areas that are politically unstable needs careful planning, based on up-to-date advice and information.
Sanitation & Health
While you often can’t predict health issues, you can plan how to manage them in advance. There are several health-related considerations to be aware of while traveling, including:
Healthcare Providers; make sure your travellers know where they can get medical support ‘’before’’ they need it.
Food and Water Safety; whilst working abroad is a great way to gain new experiences and taste new food and drink, it’s worth remembering that some parts of the world might not have the same hygiene standards as at home. Traveler’s can reduce their risk of stomach upsets by sticking to safe eating and drinking habits. Although tempting, travellers should avoid street food. Similarly, opt for bottled water instead of tap water.
Health Threats and Diseases; travellers will need to complete any necessary vaccination courses for the country prior to traveling.
Accommodation Security
After a long day of traveling, you may feel tired and dirty, so the first thing on your mind is likely to be freshening up or getting some sleep at your hotel. However, this is not the time to let your guard down.
Research where you are staying; know what the security measures are, such as whether the front desk is staffed 24 hours a day. Use Google Street View to survey the surrounding area.
Do not book a room on the ground floor; these rooms are more susceptible to break-ins. When you’re out, place the ''do not disturb'' sign on your door. This way, it looks like you’re still in the room. By doing this, you’re decreasing the likelihood of an opportunistic theft.
Know your emergency exit plan; this might be one of the most important tips. As soon as you arrive at your room, spend a few minutes getting to grips with the emergency exit map and determine where they are located.
Keep accommodation details to yourself; Information like your accommodation address, room number, room key codes, travel documents, and additional security information should be kept confidential. Try not to speak loudly when discussing this type of information and never share it with strangers or people outside of your work cohort.
Avoid being followed to your room; As an extra safety precaution, when your team is heading to their individual rooms, especially female business travellers, be sure to not let anyone follow. If someone is waiting for the elevator with you, let them go ahead and wait for an empty elevator. You can check your phone or ruffle through documents to signify you’re not ready to head up yet, simply gesture to them to go ahead.
Use all locks on hotel doors and windows; Whenever you are in your room, use the deadbolt and swing lock once you close the door. Lock all windows and access areas, especially if the room is on the ground level or second floor, and while sleeping or away from the room. A door wedge is also a good preventative measure; ensure you pack one before leaving home.
The Difference Between PII & Sensitive PII
For most organisations, the threats to their information assets are greater than the threats to their physical assets in terms of likelihood, impact, and vulnerability. There are two primary reasons why the risk is underestimated, especially whilst travelling.
Information theft is invisible. It is happening but it is invisible to the defender unless it is being specifically looked for.
Even when compromised and obtained by an adversary, there is no apparent loss to the owner. There is no crime scene, and the asset is still visible, accessible, and intact.
Personal information as “Personally Identifiable Information” or PII, which is any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is linked or linkable to that individual.
Sensitive PII is Personally Identifiable Information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Sensitive PII requires stricter handling guidelines because of the increased risk to an individual if the data are compromised.
Some categories of PII are sensitive as stand-alone data elements. Examples include driver’s license or national identification number, passport number, or financial account number. Other data elements such as citizenship or immigration status, medical information, ethnic, religious, sexual orientation, or lifestyle information, and account passwords, in conjunction with the identity of an individual (directly or indirectly inferred), are also Sensitive PII.
You or your organisation may be a target of a foreign country’s efforts to obtain information or technologies to increase its market share, build its economy, or to be used as a form of leverage (Bribery).
Targeting methods include luggage searches, extensive questioning, and unnecessary inspection and downloading of information from laptop computers, either by way of interrogation, or when left in a hotel room, where the adversary obtains access to the device.
Before You Travel
Obtain specific pre-travel country risk assessments from your company.
Obtain a briefing by your organization’s security point of contact, and or travel management team.
Clear personal data or information from your computer, smart phone, or other digital device.
If you don’t need the device, don’t take it.
Fortify passwords and encrypt files, folders, and devices.
Make copies of your passport, airplane ticket, driver’s license, and credit cards that you take with you. Leave one copy at home.
Establish points of contact for emergencies, your company should provide you with both internal and external contact details.
Register your trip with your company, your company should already be fully aware, especially the security point of contact, and or, travel management team.
Obtain the phone number and address for your Embassy or Consulate in the country(s) you plan to visit.
Clean out your voice mail.
Familiarize yourself with local laws and customs in the areas you plan to travel.
Plan your wardrobe so that it does not offend residents or draw unwanted attention to yourself.
Do not take unnecessary identification or credit cards.
During Your Trip
Protect your passport.
Use a VPN and do not use public WIFI networks.
Use authorized taxis.
Eat and drink wisely.
Know where you need to go.
Be covert, not overt.
Encrypt, shut down, and secure your laptop and devices when left in the hotel room.
Do not invite strangers in your room.
Do not carry large amounts of cash.
Do not leave drinks unattended.
Avoid long waits in lobbies and terminals.
Be aware of new acquaintances who probe for information.
Avoid civil disturbances and obey local laws.
Be always aware of your surroundings.
Be aware that your conversations may not be private or secure.
Do not leave electronic devices unattended.
Clear your internet browser after each use.
Do not wear expensive-looking jewellery and avoid wearing team sports shirts or baseball caps that might indicate you are from a specific country.
When You Return
Review your system access with your security point of contact and or travel management team.
Report any unusual circumstances, including contact by foreigners, to your security point of contact, travel management team.
Awareness Training
In respect of information security, creating awareness is fundamental to the development of a positive culture. Employees are more inclined to buy in to the culture if they understand the reasons behind the expected norms.
In this regard, OSAC notes that a strong awareness programme may well be necessary before attempting to initiate security standards required by information protection. In fact, attempting to establish the security standards without an awareness programme will doom the effort to failure, as employees are reluctant to support any effort without fully understanding why it is necessary and how it will benefit them and their company.
Information security awareness has three components:
Awareness of the Risks (threat sources and tactics, potential impacts, vulnerabilities).
Awareness of the Countermeasures.
Measurement of Compliance.
A key reason studies are so consistently scathing towards employee attitudes to information security is because of lack of awareness on the part of employees.
It’s always better to be proactive rather than reactive, and a business travel safety and security policy is one of the best ways to fulfil your duty of care to employees while they’re traveling. This document should include all training, procedures, and resources required for your business to keep employees safe.
General Conduct Whilst Overseas
Overseas travel provides a fertile ground for economic espionage. An exacerbating factor is that employees often behave differently away from the office. SABRE Risk has some general considerations that could be passed on to travelling employees, these might include, but are not limited to;
-- Personal sociability, status display and ambition are all reasons why some travellers are identified as targets. Advise travellers to maintain a low profile and not to stand out as targets. They should also avoid clothing that identifies them with a particular company.
-- Be always very aware of surroundings. Business travellers are susceptible to a wide range of invisible threats.
-- Try to limit consumption of alcohol. This causes people to speak louder, become less guarded about what they say, and conversations can easily be overheard on planes, in hotel bars etc. Specific business travellers, especially if two are travelling together, could have their plane seats bugged by some national carriers. And it is not unusual for adversaries to loiter around the bars of some hotels frequented by business travellers.
-- Use privacy screens on laptops. This inhibits those sitting nearby from reading the traveller’s computer screen.
-- Never lose sight of laptops. Airports, restaurants, bars, and hotels are amongst the most frequently targeted areas by laptop thieves. Security devices provide limited protection, but the most important considerations are vigilance and care. If possible, at airports, carry a laptop in a backpack so it hardly needs to be placed down on the ground. But beware that on public transport you then have the risk of thieves cutting backpacks to remove contents.
-- Always have boot level encryption on laptops. A laptop without encryption locked up in a hotel safe is not secure against adversaries. Consider taking a clean, sterile laptop to certain countries.
-- Consider the possibility that adversaries may bug hotel rooms, intercept telephone calls, break into computer folders etc. while connected to a public Wi-Fi network.
-- Use VPN when connecting via public (airports, hotels etc.) Wi-Fi, as other users of the network may be able to access your device or intercept your communications to steal your data. The best way to protect your data from interception by other network users is to encrypt it while it is in transit between your computer and your office network, using a company VPN. If you don't have access to a company VPN. This ensures your data is encrypted and protected from other users of the public local network.
-- Sometimes it can prove difficult to get a VPN connection working, so it's prudent to ensure that any email program, webmail system or Cloud-based email service that you use is configured to use transport layer security (TLS). This ensures that both your username and password, and the contents of your emails, are encrypted as they travel across the Internet. Webmail services like Gmail and Cloud-based services like Microsoft's Office 365 are configured in this way by default, but email offered by many internet service providers is not.
-- Be wary of adversaries amongst the hotel or conference centre staff.
-- Assigned drivers or assistants/translators etc. may be informants or agents, so there should be no sensitive mobile phone calls in their presence.
-- Be aware of the possibility that border officials can seize laptops and other digital media, such as smartphones, for inspection. Ensure that the traveller is given instructions on how to respond if officials demand passwords. This can also happen in transit, even when the traveller has no intention of entering the country being transited.
-- Be wary about unsolicited approaches in public areas, or unexpected calls to the hotel room asking to meet.
-- Be aware that adversaries, insiders, or coerced employees may search travellers’ hotel rooms, browsing through any hardcopy they can find, or have hotel staff working on their behalf, such as room service attendants and cleaning staff.
-- Treat this area of advice giving with delicacy. No travelling employee wants to be accused of indiscretion or negligence and they have more experience at overseas travel than you do.
How can SABRE Risk Help?
A detailed corporate travel security plan is necessary in today’s threat landscape. With business travellers exposed to a wide variety of risks, it’s vital for companies to create a culture of safety that extends to employees’ diverse destinations so they can stay safe and perform at their best.
Your travel safety guidelines for employees should not be a static document. Consistently reassess relevant threats and update the plan to account for changes to your travel program or policies. It’s vital to account for all hazards and make sure your employees have the latest information about how to respond.
Are you unsure about where to start? Reach out to SABRE Risk who have significant experience in this challenging topic, we have supported both corporate entities, private family offices, and individuals construct travel management programs, and are well placed to advise you for your next trip.
operations@sabre-risk.com
Comments