Cybersecurity is undoubtedly a global concern in today’s Internet-driven world, where malicious criminals and state attackers scour target networks for vulnerabilities to exploit as part of the larger cyber-kill-chain. If mitigating such risks is already a full-time process for corporate security teams, various challenges are only amplified when clients are travelling across multiple national borders whilst carrying with them sensitive corporate data. However, when travelling, most seasoned travellers are acutely aware and developed plans to mitigate assorted physical risks in comparison to their personal cybersecurity, which remains a secondary concern, alongside travel insurance and digital backups.
Whilst advanced technologies leveraging off the Internet-of-Things (IoT) have made it easier for travelers to stay connected, it has also increased our exposure to various risks; especially when the broader travel industry is slowly being reshaped by emerging technologies. Thus, what kinds of cybersecurity risks are business travelers exposed to? How can such risks be mitigated? What about cyber-physical risks and other travel security providers? And finally, what business opportunities are there?
Technical cybersecurity risks during transit
With the emergence of advanced communication services keeping employees connected 24/7 across the world, business travellers can remain in close contact with support teams a home. In addition, most of us tend to procure products that can ‘sync-up’, allowing us to stay even more connected to our global networks across devices. However, aside from vulnerabilities on-board various devices, various conventional cybersecurity risks are also amplified when it comes to international travel. These can range from covert network intrusion risks stemming from insecure connections, to more overt threats associated to intrusive security procedures – if you are that unlucky – at immigration checkpoints. Senior corporate and other travelling high-rollers are especially vulnerable to such threats because they are often carrying sensitive personal and corporate data with them, which can be worth a small fortune in illicit markets.
A key case study is the targeted spear-phishing and malware distribution campaign, DarkHotel – an advanced persistent threat (APT) identified by Kaspersky Labs in 2014. The APT selectively targeted senior corporate executives and other key position holders in various defence and technology agencies staying in various hotels. The network intrusions are accomplished through tricking victims to execute malicious downloads uploaded to the establishment’s servers, and falsifying digital certificates used for authentication to remain undetected. Upon entry, attackers would siphon sensitivity data through key-logging and reverse engineering procedures. Subsequently in 2017, Bitdefender published new research indicating that a variation of the DarkHotel malware was discovered. Dubbed Inexsmar, this alternative version appeared to target senior political personnel rather than corporate employees. Indicating the potential for this to be a state-sponsored adaption and a case of cyber-espionage that specifically exploited the weaker cybersecurity practices amongst travellers.
Here are some general cybersecurity tips to protect oneself digitally whilst abroad:
- Do temporarily disable all automated protocols on devices.
- Don’t connect to any public network when in an unfamiliar establishment, as they are often unsecure or possess weaker security protocols.
- Do use a virtual private network (VPN) when using public WiFi services.
- Don’t carry sensitive data on portable storage devices if possible. Most do not possess formidable data protection protocols, and they can easily be lost, stolen or confiscated by state-security services.
- Do encrypt all files on board devices, or consider using a secure cloud storage service empowered with multifactor authentication access protocols.
- Don’t visit websites without a secure HTTPS internet protocol and an updated SSL certificate.
- Do logout of all cloud-based services, clear all relevant browsing data including cookies after use, and disable location services.
- Don’t rely on wireless connectivity between devices as transmissions can be intercepted through “Wiphising”, use a cable if possible.
- Do invest in a secure mobile device or incorporate the use of encrypted messaging apps into business communication chains.
Emergence of Cyber-Physical Risks
These aforementioned tips are but some general practices travellers can use to protect themselves digitally whilst abroad. However, every country provides different security challenges, usually of a more physical nature empowered through cyberspace. The increasing number of such cyber-physical risks brought on by our increased need to stay connected to the Internet has already been noticed by insurance companies, as reflected in the various risk mitigation and underwriting operations currently in practice. However, as we increasingly rely on the Internet-of-Things (IoT) to support our travel plans and business operations when in transit, we must acknowledge that this also bears the potential for more physical travel risks such as kidnapping.
One example is the growing trend in maritime piracy, where pirates exploit the abundance of maritime tracking websites available on the Internet to select, target, track and kidnap (or hijack) vessels within their area of operations. Contextualizing this into land-operations, attackers can utilise a phishing campaign or Wiphishing to accomplishing similar tracking and kidnapping objectives. In addition, with the increased use of biometric securities, resorting to older methods of kidnapping might be a blunter but simpler alternative than attempting to hack an executive’s mobile device. Whilst these cyber-physical risks remain very real, it warrants support from a more conventional security actor – mainly from the Travel Security and Risk Management (TSRM) business area.
Cybersecurity and the TSRM Sector
Travel Security and Risk Management (TSRM) sector represents the community of security providers that focus on ensuring the physical safety and operational security of its client’s employees – or the client him/herself – when travelling overseas. Conventionally, TSRM firms fundamentally provide advisory and intelligence services about any credible risks to travellers in transit in various regions. Only a handful of firms provide more physical security support services, including personal security details and kidnapping response teams – something to keep in mind for later on. Incidents such as natural disasters, large civilian demonstrations, or terrorist attacks are thus subsumed under their incident identification paradigm. Thus, only cyber-physical risks are taken into consideration.
For example, TSRM firms are more likely to have relayed the notice about the distributed denial of service attack on Ukraine’s Kiev airport in 2017, rather than the nationwide phishing campaign on the United States aviation network in 2014. The Ukraine incident would have presented more immediate impact on travellers and affected various clients with employees transiting through Kiev. However, the American incident, while also being a cybersecurity attack involving aviation travel, had a lesser immediate or direct impact on travellers, thus apparently not warranting an alert.
Subsequently, the only other context where cybersecurity is emphasised in the TSRM sector is applicable to how its baseline intelligence service are digitally provided. Like all other businesses today, TSRM firms critically rely on technology to disseminate intelligence and support the security of their clients. Clients trust TSRM firms with highly sensitive information in return for timely security updates and risk analyses. Thus, TSRM firms consistently work with sensitive client data reflecting their corporate operations and geographical whereabouts. Therefore, their digital operations would also be subjected to various cybersecurity regulations and laws. As their operations are often globally orientated, incoming data protection standards such as the General Data Protection Regulation (GDPR) in Europe and new penalties associated to Federal Data Privacy and Cybersecurity Laws in the United States will come to guide how data is stored and disseminated by TSRM firms.
As mentioned earlier, we are seeing the progressive development and implementation of new technologies reshaping the travel industry. Having previously outlined some digital and cyber-physical risks facing the modern traveler today, what combined solutions can be available now or, at least, in the near future to help travelers mitigate these risks?
Innovations, security and business opportunities
According to the 2017 Radar Report from travel technology firm Saber Labs, nine scalable innovations are set to reshape the entire travel industry. Improved artificial intelligence platforms, enabling the development of larger driverless vehicles, ships and aircraft while immersive virtual reality rigs can allow us to travel and visit places otherwise left to our imaginations. While such innovations undoubtedly have already begun making waves across industries, TSRMs that provide more physical services (i.e. close protection and asset tracking) might be highly interested in the emergence of biometric suites enabling seamless and secure travel across borders. Despite such implementations still being in their infant stages, firms can engage government representatives in Singapore, Australia or France. These countries have made ambitious strides and also possess the skill and technical infrastructure to support private-government ventures from larger TSRMs capable of holding government contracts.
TSRM and various cybersecurity firms can establish collaborative partnerships to provide travellers with specific cybersecurity intelligence relevant to their destination and residential establishments. This can also include various internet regulations and access restrictions that might be prevalent at various destinations. For example, TSRMs can provide pre-travel intelligence that can be generated for executives heading to China with its heightened levels digital surveillance and data protection standards under China’s new Cybersecurity Law. Subsequently, their partnered cybersecurity firms can provide optimal VPN selections – or their own – and other intelligence support for secure transmissions when coordinating various digital activities whilst in-country. Supported by cybersecurity firms, the security of TSRM firm’s own mobile applications/products for clients can be greatly empowered. With the abundance of readily available security applications for personal devices, existing mobile applications could expand its capabilities. Not only just providing clients with updated intelligence about relevant physical threats in country, but also protecting them from digital risks as well.
Given many travelling executives are often journeying with a smartphone, laptop and other devices. Cross-platform capabilities and applicability should also be taken into consideration, thus presenting business opportunities for bespoke hardware to be developed specifically for frequent travellers. Since the Snowden revelations, there have already been an abundance of devices designed with encryption and security as a key in-built feature. This range from mobile phones developed primarily around encryption and security; to petitions for DLSR cameras to be designed with encryption capabilities to support war-photographers operating in hazardous environments from malicious IMGINT operations. Translating such demands into business potentials, TSRM and cybersecurity firms can establish closer relationships with key computer and mobile developers. Together they can develop new hardware specifically for the traveller, exploiting innovative concepts such as modularity. Despite the pre-existent BYOD (Bring-Your-Own-Device) and Remote-Workforce trends – which carry their own security risks – becoming increasingly prevalent within contemporary business domains, such security-by-design avenues presents almost endless opportunities for collaborative ventures.
Innovations, security and business opportunities
To summarise, TSRM firms and many businesses critically rely on technology to support their security services. As more innovative solutions that rely upon the Internet-of-Things come to reshape the travel industry, TSRM firms will undoubtedly be affected by and must also adapt to this landscape shift. As the saying goes ‘Nothing Ventured, Nothing Gained’. There is no doubt that for many TSRM companies, this is walking into unknown or unfamiliar territory. However, they cannot escape the increasing corporate dependency on digital solutions. Rather than purely outsourcing the cybersecurity of their products, TSRM firms can also use this opportunity to grow before the new innovations take root. Through establishing a collaborative partnership with cybersecurity firms, depending on their speciality, TSRM firms can bring a series of new products or update older ones. Collectively providing better cyber-travel security to travellers.