Risky business: Are mobile employees compromising business info?
Americans logged 457.4 million trips for business in 2016, and there is no sign of business travel slowing down, with global business travel spend expected to rise 5.8 percent to $1.6 trillion in 2020.
With the rise of business travel comes an increased threat to businesses’ information security. From business plans, to budget scopes, to employee contact information and more, employees travel with a range of confidential information that, if not handled properly, could significantly impact a company’s reputation – not to mention compromise the information of clients and other employees.
While many businesses are increasingly investing in digital security strategies in light of heightened cyber attacks, physical data is often overlooked. The paper trail of sensitive information that employees generate when traveling is not always considered to be as risky as devices containing digital data. As a result, many businesses do not have a physical information security plan in place to prevent and protect from the threat of employee negligence – especially while traveling.
To create a secure business travel plan for your employees, there are several aspects that businesses need to consider (and likely aren’t). Here are three things to keep in mind.
Prevention (and knowledge) is power – have a secure travel policy in place
It’s helpful to outline an all-encompassing travel security policy that can be used as a reference for all employees prior to business travel. This plan should point out all physical data that could likely be needed on a business trip and the risks associated with each type of document, such as receipts, boarding passes, meeting documents, etc. For example, many people are not aware that the barcode on a boarding pass contains travel itinerary and frequent flyer information. Alerting employees of these unassuming locations where confidential information can be accessed is critical to avoiding a breach or theft while traveling.
According to Trustwave, up to 25 percent of information breaches are caused by employee error or negligence, which is why it’s necessary for businesses to offer ongoing training opportunities to ensure that employees are adequately prepared to protect the information they bring with them while traveling and avoid making common mistakes. This means understanding how to treat the physical data they carry with them at every stage of the trip. As an extra step, training sessions and travel handbooks should be held and updated frequently to ensure employees are up to speed on data security best practices when it comes to traveling.
Cell phone? Check. Laptop? Check. But where are your notes and travel documents?
Employees have become more conscious of how they use their phones and laptops when they travel, making sure they are not connecting to unverified Wi-Fi networks or updating mobile device logins with stronger passwords. While it is important to take these steps to safeguard digital devices, it is equally important that employees diligently keep tabs on the physical information they’re traveling with. From passports to rental receipts to travel itineraries, business travelers have a lot of physical data to keep track of. So, while the first instinct might be to check for cell phones or laptops before hopping out of the taxi and into the next meeting, remind employees that it’s imperative to check for any paper trails they may be inadvertently leaving behind.
The seemingly harmless mistake of forgetting a notebook or leaving behind meeting documents has been made plenty of times before. Take the Department of Homeland Security’s breach in February when an employee left behind Super Bowl security plans in the backseat pocket of a commercial plane. Business travelers who are negligent with physical documents can create serious risk and even legal issues for a business. It’s helpful to continually remind employees about how to handle physical documents during business travel – whether that means simply encouraging employees to double-check that they have all notes and paperwork in their possession at each stage of travel, or purchasing a locked briefcase specifically designed to hold all confidential information for employees while they’re traveling, or designing an information log in / out system so your security team can keep track of what documents leave the office and what documents come back after they travel, and more.
Keep in mind that passports and personal identification are popular physical data breach targets too, with millions reported lost or stolen around the world every year. Prior to business travel, employees should always scan a copy of their passports or photo ID and have it on hand in a secure place – such as the lock box provided in the hotel room. One popular travel scam is to steal a traveler’s ID at the front desk when they are distracted during hotel check-in. If choosing to leave your passport, ID or credit card behind in the hotel, it’s critical that it remains locked in the hotel safe.
Think twice before tossing
While discarding airline tickets post-flight might seem harmless, we’ve already determined that confidential information is often located in unassuming places. To avoid making a misstep, it’s best to secure all documents throughout the course of travel – yes, receipts too! – in one safe space. Once employees return, they should be reminded to securely shred all documents that are no longer needed post-travel.
Implementing a document management process that identifies a lifespan for physical documents could help employees quickly and efficiently determine which documents should be stored or securely discarded upon their return. Materials that need to be kept after business travel should be stored and locked in secure filing cabinets while all other items should be properly shredded before they’re discarded. If receipts need to be kept for expense reports, they should be submitted to accounts payable and shredded immediately thereafter.
From lost luggage to flight delays, there a lot of factors that cannot be controlled while employees are traveling. By implementing an information security travel policy, businesses can at least ensure that employees are prepared for the elements they can control, like taking the necessary steps to protect their private information over the course of their travels.