Too many questions about data security and not enough
definitive answers make for corporate travel managers who are paralyzed in the
face of mobile strategy.
But just because buyers are standing still doesn’t mean
travelers are. In April, research from Phocuswright (which, like BTN, is
owned by Northstar Travel Media) found that two-thirds of business travelers
are comfortable using smartphones to make purchases.
“Pretending that mobile apps don’t exist or trying to assert
policies which ban major … mobile apps just seems unlikely to receive
significant compliance from the average corporate traveler,” said Mike
Koetting, Concur executive vice president of supplier and travel management
company services.
Still, finding the time to devote to the questions at hand
has prevented buyers like Financial Industry Regulatory Authority corporate
travel services manager Carol McDowell from formally introducing mobile into her
program. “What I’m becoming more concerned about … is what data is out there
and how long is it sitting out there? I’m a single-person operation. Technology
… is just changing so fast, and trying to keep up with it—it’s just not on the
top of my triage list.”
She’s not alone, either. According to BTN’s Mobile
Migration survey, 53 percent of corporate travel buyers have mobile travel
policies around itinerary management, but the numbers drop off for other uses:
46 percent for emergency contact, 42 percent for expense filing and 41 percent
for booking or rebooking air travel.
Dart Container travel manager Cheryl Benjamin soon will
implement the first company-endorsed app for expense filing, after having
overcome reluctance from her company’s executive team, which echoed a familiar
refrain that it would “open a can of worms,” she said. Ultimately, though, they
acquiesced, because while company executives may fear mobile, younger travelers
expect it.
Concur’s Darren Koch, who oversees mobile as senior vice president
of global product and platform strategy, added that mobile tech also can
benefit travel programs, such as greater traveler adoption and the ability to
locate and contact travelers during times of emergency. “The flip side of
worrying about the vulnerabilities is sort of endorsing the positive benefits
that you get from having a connected set of users through mobile experiences
and the ability to reach out to them,” he said.
Confronting The Concerns
In the past year, top travel suppliers have experienced data
breaches, including American Airlines, United Airlines, Sabre and Hilton
Worldwide. Ridesharing car service platform Uber has had its own spate of
troubles, disclosing in February that an unauthorized third party had
downloaded the names and driver’s license numbers for 50,000 of its drivers
during the prior year. Though none of these incidents related directly to
mobile security, they’ve nonetheless fueled conversations around data
protection and privacy, and Uber has since created the position of chief
security officer.
“Anybody who says you don’t have to worry about confidential
information in an application that you can access via mobile, either through a
smartphone or a tablet or a laptop, isn’t in touch with reality,” said Alan
Brill, senior managing director of cybersecurity and investigations at Kroll, a
corporate investigations and risk consulting firm. Brill said hackers are
getting smarter “at least as fast as the good guys are.”
However, there are travel managers who’ve succeeded in deploying
mobile in a way they feel protects their travelers and their company.
GoldSpring Consulting partner Will Tate said a number of his clients assuage
security concerns by using technology from well-known and trusted travel
suppliers. They also invite less risk by avoiding multiple single-use apps and
instead going with apps that can do the work of many programs, such as those offered
by travel management companies.
“In all my conversations with the major travel supply
brands, data security and privacy is of the utmost concern,” Koch said, “so
[travel managers] are probably in good hands by trusting the major brands out
there in the travel space.”
Brill said travel managers, when examining an app, should
ask how the information is stored. If stored locally, information can be
accessed without the Internet, but a device could be vulnerable if lost or
hacked. If stored in a cloud system, ask whether information communicated
through the program is encrypted, and ensure users sign on via a virtual
private network.
“The first thing you want to ask is ‘How secure is it, and
how is it secured?’” Brill said. “If you can’t find that in the documentation
that’s available to you before you make a decision to use it, how difficult is
it to send a question and say ‘Look, I know you can’t send me all the details,
but are all the communications encrypted? Are databases encrypted? What do I
need to know about your security?’”
Parexel director of procurement and travel Benjamin Park
said his travelers use a leading expense supplier’s mobile app for expenses in a
bring-your-own-device environment, meaning the company doesn’t provide cellular
devices or regulate the apps employees download. He doesn’t worry about
travelers’ individual devices compromising the company because he knows the supplier uses encryption and doesn’t store its data locally.
Brill said companies concerned about employee-provided
devices often install “sandbox” software around work-specific apps, insulating
company data and sensitive information. He adds that everyone should have anti-malware
software installed on their phones, and apps should be updated frequently for
security fixes, as hackers are targeting mobile devices more.
Finally, Booz Allen Hamilton global travel manager Jack
Lever recommended that travel managers use their TMCs as a resource. “If I see
a new app, I’ll call the TMC and say, ‘Is this something you’re familiar with?’
and, ‘Are you working with this particular app? Can you go back to your
industry relations, your technology folks and give me some feedback about it,
about what your opinions are? Does it meet security concerns? Does it meet
user-friendliness guidelines?’ Those types of things.”
Colleagues within your own company can help, as well. Travel
managers from large companies, in particular, should involve three parties,
Brill said: IT, legal counsel and risk management. IT can assist in asking
those up-front questions when evaluating an app, such as how the information is
stored and whether it’s encrypted. “If IT gives you an answer that’s just a
bunch of letters and numbers that you don’t understand, it’s never your fault
as the travel manager. You have to insist that they explain it to you in a way
that you can understand and is not just a bunch of jargon thrown at you.”
Corporate counsel, for its part, can evaluate contracts with
app suppliers. “The use of apps is so ubiquitous that people come to the
corporate environment with the attitude of ‘I can download whatever I need and
use whatever I need,’” Brill said. “That is not something that you can necessarily
live with in a corporate environment. If you’re a travel manager, your job is
to create the best possible environment for your travelers, but at the same
time, you have an obligation to your company to make sure that what you’re
doing is appropriate in a legal setting.”
The risk manager is key, Brill said, because if the company
has cyber insurance, risk management can ensure that the company is covered if
an incident does occur.
This report originally appeared in the Oct. 26, 2015
edition of Business Travel News.