SAP Concur SVP & Head Product Marketing, ISBN Marketing & Solutions Chris Juneau
Employees are an organization’s
biggest security risk: An often-cited 2020 study by Tessian and Stanford
University found that 88 percent of data breach incidents are caused by human
error.
Human errors are both common and difficult to avoid, but that
doesn’t make preventing them a lost cause. Weaving security into the culture of
an organization is paramount to business success, even more so as technology continues
its evolution and becomes even further integrated into business processes and
day-to-day work.
Cybersecurity in Travel and Expense
The travel and expense (T&E) software-as-a-service
industry has become an ideal case for strong cybersecurity practices.
As employees spend more time outside the physical office, they
have embraced virtual payments, digital receipts, mobile devices, and getting
work done from planes, hotel lobbies, conference centers, poolside, and more.
Now, many of the tasks associated with T&E, like
submitting an expense report, can even largely be automated. And the digital
transformation of T&E is opening the door to swaths of data that make predictive
forecasting and budgeting possible.
All this flexibility and change is empowering, but it can
also be risky when employees, devices, or the services they are using aren’t up
to date from a cybersecurity perspective.
Top Cybersecurity Vulnerabilities
An SAP Concur survey of IT leaders globally found
that 43 percent include phishing and social engineering attacks among their
organization’s top three cybersecurity weak spots. Other frequently cited
vulnerabilities included inadequate employee security training (29 percent) and
insufficient endpoint security (29 percent).
The common thread that runs through these risks is the role
of the employee. Phishing and social engineering attacks have a direct
connection to employees, while inadequate security training can make employees
more vulnerable to them. Insufficient endpoint security is an interesting
challenge, because endpoint protections are frontline security measures that help protect the devices
that employees use and, in turn, a business’s data and workstreams from malware
and other threats.
Investment in all three of these areas is critical to
protecting an organization from cybersecurity risks.
Steps to Take for Better Cybersecurity
The first step that organizations can take to help protect
themselves from cybersecurity threats also makes progress toward addressing all
three of their top weak areas. Business leaders should partner with IT and HR
to develop up-to-date, required training courses for employees about
cybersecurity risks and best practices. Key areas to cover include how to
identify phishing and social engineering attempts, the value of updating devices
on a regular basis, and how to create strong passwords. Trainings should be
updated on a regular basis to account for any changes to technology and
emerging security needs.
The right technology investments can also go a long way
toward preventing human errors and protecting a company from security threats. For
instance, choosing solutions that incorporate multi-factor authentication can
help prevent unauthorized access. Role-based access control features can help
limit access to sensitive data. Security should be at the core of any workplace
solution, including data encryption measures and secure cloud storage to
prevent breaches. VPNs, firewalls, and endpoint detection and response
solutions should be adopted to protect company-issued devices.
These actions can help build the foundation for an
organizational culture that prioritizes cybersecurity, although how security is
handled and discussed by the company matters, too. Encourage employees to
report any suspected security incidents, and make sure that everyone takes
ownership of cybersecurity measures, including developing risk management
strategies by team and department that are relevant to the work at hand.
Growing Budgets and Responsibilities
Cybersecurity budgets are expected to grow, according
to 59 percent of finance leaders, underscoring that cybersecurity is a key priority for
organizations this year. Taking the steps outlined above can help a company address
the most frequently cited weak points in its approach, in T&E as well as
more broadly.
It's also worth considering that as technology continues to
evolve, the cybersecurity landscape will shift in some interesting ways. For
instance, agentic AI may help reduce the likelihood of human error in certain
workstreams and processes—although other risks could be introduced, like those
associated with generative AI hallucinations. The human and the machine will
likely need to counterbalance each other’s risks in the future of work.
But for now, although human error may be the most common
cause of data breaches, organizations and their leaders hold the
responsibility—and the power—to reduce the risk.