The Return of Travel: Why CISOs Must be Extra Vigilant
Travel is making a comeback. Progress on the vaccination front means executives and board members are hitting the road for business meetings and trade shows, visiting exotic vacation destinations, and catching up with family.
But while your company’s executives are making up for lost time, are you sure they’re traveling safely?
It’s not enough to remind them to wear a mask. Many executives have long since forgotten travel habits and protocols and may need a refresher, especially regarding cybersecurity. Because their professional lives are inextricably intertwined with their personal lives, executives and board members are a high-risk target for cyber attacks, particularly when they travel.
After all, people are people, and business leaders habitually use their personal devices – phone, tablet, or laptop – to stay connected and productive when they’re on the road. To do this, they might sneak a file or two onto their Gmail so that they can review it from their tablet anywhere, without thinking about how unprotected that device and email account are and what the broader security ramifications might be.
If you’re a CISO, this should be of deep concern. Let me explain why:
1. Foreign networks make executives vulnerable
Public Wi-Fi and third-party networks – at airports, hotels, restaurants, and vacation homes – are known attack vectors for data thieves looking to propagate malware, conduct man-in-the-middle attacks, or launch other network-based strikes.
If your executives are using a work device, they are somewhat protected thanks to encryption and other security protocols. Unfortunately, personal devices don’t have this protection – and that’s a problem.
Despite the appearance of robust security thanks to modern biometric and facial recognition access controls, personal devices are among the most breached by bad actors. Our research uncovered that nine in 10 mobiles and tablets lack security software, three in five have no anti-virus software, and one in four devices are already infected with malware.
And, when a hack does occur, it’s not just personal data that’s at risk. Bad actors can access confidential and proprietary company information that may have been forwarded or stored on the device.
What you can do:
Because these vulnerabilities exist outside the corporate perimeter, it’s tough to implement traditional policies or technology solutions that mitigate risk. But there are some measures that can protect the digital lives of your executives when they’re traveling.
Remind the C-suite and board members of basic security hygiene best practices, such as not connecting to public Wi-Fi from their personal devices. This is a tough one, admittedly. And not always enforceable.
For this reason, it’s wise to also explore technologies that automatically analyze and assess the security posture of wireless networks before a connection is made. Then consider adding an extra layer of protection using honeypots. A honeypot is a decoy-based intrusion detection technology that lures attackers who have already hacked a device away from their intended target. For instance, BlackCloak’s Deception feature can quickly detect malicious activity on personal devices and alert our SOC for quick intervention – stopping hackers in the act.
2. Physical theft on the road is a leading cause of data breaches
Hacks and sophisticated cyberattacks aren’t the only avenues available to hackers. A failure to physically secure laptops, tablets, and smartphones is a leading cause of data loss.
Studies show that a laptop is stolen every 53 seconds and, in 56% of cases, a breach of confidential company data will ensue. Again, travel is a big factor. Most phone theft victims say they accidentally left their device behind in a public setting or lost it at a trade show. Worryingly, executives are also surprisingly lax about trusting their devices to strangers. During business trips, 52% of managers say they often leave their laptop with a concierge, restaurant employee, or airplane seatmate.
What you can do:
Brief executives and board members on the risks of letting their guard down and basic measures they can take to prevent physical theft such as keeping their devices secure while at airports, hotels, parking lots, trade shows, and restaurants.
If they are traveling overseas, encourage them to be extra vigilant. Pickpocketing is much more common abroad than in America (for example, there is a versus 11% in the U.S.)
3. Executives’ public profiles put them at greater risk
Executives and board members are high-profile individuals, attracting a darker element – malicious cyber actors. This risk is compounded when travel is involved.
It’s a known fact that companies experience an increase in phishing emails when executives are on the road. Opportunistic hackers will often pose as members of the C-suite (notably CFOs, since they have authority over financial matters) and then scam employees into parting with sensitive data or transferring company funds to fraudulent accounts. And, because the CFO is out of the office, there is no guardrail in place to verify that the request is genuine.
What you can do:
Start by lessening the amount of information about your executive team available in the public domain and on the dark web. Email addresses, cell phone numbers, and home addresses are readily available. Hackers can exploit them to execute impersonation attacks against company employees, family members, and other unsuspecting targets while the executive is not present.
In addition, encourage executives to minimize their profiles while they are traveling. Warn them about posting to social media in dribs and drabs – whether it’s insights from a conference on LinkedIn or photos from their African safari on Facebook – and instead save those shares until they head home. Anything that minimizes the risk of a nefarious actor knowing that they are out of town or off the grid is a good thing.
As travel opens, never drop your guard
Executives are highly mobile professionals. And with travel opening and the holiday season fast approaching, your SOC has a challenge on its hands. It’s no longer enough to implement policies and protocols that secure corporate devices. Travel and all its permutations must be factored into the company’s cybersecurity strategy. Now is not the time for executives, board members, and the SOC to let their guard down.