As if business travel isn't stressful enough, some security
experts now recommend that road warriors assume they're being watched when they
walk around airports, hotels and convention centers. That way, they can take
measures to prevent their smartphones and laptops from becoming weapons of
economic warfare and avoid being taken advantage of by a growing army of
operatives working on behalf of foreign governments and competitors.
Sounds paranoid, right? Luke Bencie, author of a new book
called "Among Enemies: Counter Espionage For The Business Traveler,"
acknowledges as much. But he argues that it's not.
A May report issued by the Commission On The Theft Of
American Intellectual Property indicated the value of annual losses of trade
secrets and intellectual property probably totals more than $300 billion. "If
IP were to receive the same protection overseas that it does here, the American
economy would add millions of jobs," according to the report. "Better
protection of IP would encourage significantly more R&D investment and
economic growth.
"The exact figure is unknowable, but private and
governmental studies tend to understate the impacts due to inadequacies in data
or scope," the Commission noted.
Also acknowledging data collection problems, McAfee and the
Center for Strategic and International Studies last month published an
estimated range of $24 billion to $120 billion in impact to the United States
economy from "malicious cyber activity." Losses of $100 billion would
equal more than half a million jobs, according to their report.
Bencie in an interview with BTN said that even if they find out, and many do not, most
corporations do not acknowledge they have been ripped off, for obvious reasons.
"We get this all the time: Someone says, 'I've been
traveling for 10 or 15 years and I've never had a problem,' " said Bencie,
who is managing director at Security Management International and a former
security consultant at Raytheon and the U.S. State Department. "The people
doing these kinds of operations against the business traveler are doing so
clandestinely. That way they can do repeated attacks. A successful IP theft is
one where the traveler is a victim and has no idea."
The book takes readers through thrilling and apparently true stories of travelers seduced
into having their files copied and their comments recorded—sometimes more than once
on a given trip—as part of a widespread but mostly unseen game of economic
espionage.
Even seemingly benign interactions might be a concern. Think
those information cards you fill out when checking in to hotels are for the
property's eyes only? Depends on the country. According to Bencie, "In
many countries, a representative from the 'Ministry of the Interior' or a
bureaucratic equivalent will drop by the desk each night to collect the
information so the local intelligence service can track who is in the country."
Governments may, in turn, be in cahoots with your firm's local partners or
competitors.
But one need not even go so far as to suggest that nations
are stealing business secrets for their private sectors in order to validate
worries about travel and corporate data security. A report last month in The Telegraph indicated that
counterterrorism laws in the United Kingdom allow airport officials to take
possession of mobile devices and search through "call history, contact
books, photos and who the person is texting or emailing, although not the
contents of messages."
In the United States, Bencie notes, the Transportation
Security Administration is "notorious for theft," so mobile devices
should never be kept in checked luggage.
Bencie's top two travel tips: "Learn to think and act like a counterintelligence officer"
and "assume at all times you are being surveilled by someone who wants
your information."
As a government contractor that frequently does business in
high-risk areas, Charlotte, N.C.-based The Babcock & Wilcox Company faces
these issues more than most firms.
"With spearphishing and other cybersecurity threats
being issues of concern to all businesses, we as a company have made our
travelers and our employees very aware to look out for those types of things
because people can infiltrate all your systems if you're not very careful,"
said global travel manager Pamela Martin. "That's part of our protocol."
Pamela Martin and Babcock & Wilcox manager of
information security Tony Martin (no relation) last year worked together on a
Six Sigma-driven project to build training programs and better integrate travel
processes with IP protection measures. They ultimately forged integration that
alerts the IT department to prepare "clean" smartphones and laptops
to provide to employees as soon as they book a trip.
But clean equipment is just one aspect, said Tony Martin. "We
looked at which employees would have access to the most sensitive information
and treat them as higher-risk," he explained. "The first step is to
minimize the amount of data, but understanding there are people who will take
information with them, the next is to put controls around that information. It's
about encryption of data, requiring users to enter a PIN on all mobile devices
to access the user interface, remote device-wipe capabilities, multi-factor
authentication ... Most devices support the capabilities that we need, but that
space changes constantly so it's something we try to monitor, but it's
difficult to create any sort of standard."
"We have strict regulations governing travel to some
overseas destinations, and before the traveler can make a reservation, they
have to go through this workflow protocol," said Pamela Martin. "I've
participated in many safety and security discussions, and I really am surprised
that so few companies are really doing a thorough job of this. A lot of the big
companies I talked to allow the traveler to make a reservation, then the
security group gets involved, but they're allowed to make a reservation without
even knowing anything about the risk involved in travel."
FCm Travel Solutions senior director for global travel risk
management Charles Brossman agreed. "At the moment, I think not enough
emphasis is put on intellectual property," he said. "As with general
travel risk management, which has taken a while to rise to the level to where
all sizes of companies are paying really close attention to it, in this
situation I believe more companies are taking note that this is really
important, so I think it's emerging."
It would seem that traveling with such suspicions can
increase stress for employees. Carlson Wagonlit Travel, for one, has identified stress as a major problem for many business travelers and their employers.
"I would be concerned about that," said Brossman, "but
the way to approach this is training. There are some basic things like turning
off Bluetooth, because if you walk around with Bluetooth turned on, your device
is hackable. You can delete any critical data and put it on a PIN-protected
flash drive. It's hard to avoid using public Wi-Fi, but I would use only a
service that I subscribe to"
Wi-Fi is like crack to a business traveler, but it's an
addiction that should be sidelined according to Bencie's book: "Don't use
public or purportedly free Wi-Fi hotspots anywhere. Ever. Period."
He also suggests eschewing alcohol, which could be a
challenge for those obsessing about being watched. But travelers need not be
stressed if they have taken the right measures, Bencie told BTN. "There are simple solutions to
a lot of this. The U.S. government follows the same rules: When you do travel,
it's with a sanitized laptop and phone. When on the road, you use a secure virtual
private network. You don't use Gmail. You're careful of Wi-Fi spots—a physical
line for Internet access is better. If you're separated from your laptop or
phone for five minutes, you're compromised. Invest in a smaller device, and if
you go to the gym, bring it in your backpack. Or have a separate hard drive, so
the brains are with you."
The Federal Bureau of Investigation and the State Department's
Overseas Security Advisory Council offer corporations resources and advice on
IP protection. Federal employees, of course, are prized targets. The Canadian
Security Intelligence Service has warned traveling government officials about
so-called "honeytraps," according to a July report in The Globe And Mail. These are attractive
women, also referenced in Bencie's book along with the synonym "honeypots,"
who might drug, kidnap or blackmail travelers. (Male perpetrators are "Romeos.")
But one does not have to be a high-ranking government
official or defense contractor with security clearance to become a target, or,
in spy parlance, a mark. Personal information like passwords can be useful for
identity theft, reminded Brossman. Companies don't need to be housing
top-secret data to want to prevent criminals from hacking into their systems
via a compromised laptop accessed in an airport lounge.
Another tip from Bencie: "Never be so naive as to think
your presence or the information you carry is of no interest to others."
— Holly Leber contributed to this report.
This report originally
appeared in the Aug. 5, 2013, edition of Business
Travel News.