International Corporate Travel

This article examines issues and problems with foreign business travel including what dangers exist for corporate travelers and the methods for reducing risks during foreign travel. The process of protecting business information is explained along with several techniques that can reduce information compromise. The importance of protecting employees, their families, and their residences while in foreign countries is reviewed and methods to improve personnel security are discussed. What organizations should do to prepare employees for foreign travel is explained, including several points that should be included in training. The need for communications security is examined and security steps that are easy to implement are reviewed.

Keywords: Access; Accountability; Authorized Persons; Communications Security; Compromise; Corporate Travel; Executive Travel; Foreign Interests; Information Security; The Overseas Security Advisory Council (OSAC); Personnel Security; Unathorized Personnel

Overview

As the new millennium opened, so did unprecedented changes in the way that corporations needed to manage foreign travel for their employees and families. After the terrorist attacks on September 11, 2001, and as the war was starting in Iraq, and SARS (Severe Acute Respiratory Syndrome) hit Asia, the travel industry went into a global tail spin ("Business travelers'," 2003). But the travel industry has always had its ups and downs. Weather, civil unrest, disease warnings, and numerous other things have put travelers in danger and the travel industry on alert. Protecting American business travelers and the information they carry and use abroad is an increasing concern for companies.

To help companies and global travelers become better prepared for what might be waiting for them on an overseas journey, The Overseas Security Advisory Council (OSAC) was established by the Department of State in 1985. The OSAC (www.osac.gov) has representatives from over 20 private sector organizations and four representatives from Government departments and agencies. The information and publications assembled by the OSAC is sent out to over 1,400 business organizations.

The overseas locations of American businesses are primary targets for information and trade secret theft and in cases of civil unrest can become symbolic targets to strike a blow against American capitalism. In general building security systems and practices can be considerably lower in many countries than they are in the United States. Depending on the country law enforcement activities are rather lax. Thus, many companies that send employees overseas maintain awareness programs to inform employees who do travel outside the country of practices that can make them safer.

People are Social and Therefore Vulnerable

In general, human beings are social creatures and many do not have experience in foreign travel. Fewer people have travel experience in places where there is social unrest or high crime rates, or where espionage is a daily activity. In the United States people generally travel with a high level of safety, compared to many countries, and where law enforcement actively responds to incidents or fights crime. As a result Americans tend to be social even with casual contacts and too often readily trust people they meet.

In addition, Americans tend to have some feelings of superiority because of money, social status, and their perception that the United States is respected abroad as much as it is at home. These values, attitudes and behaviors can be exploited by criminals as well as spies. The diverse ethnic background of the United States also results in people desiring to travel to places where their ancestors were born and perhaps feel some sense of loyalty to their heritage. Foreign intelligence agents have been known to take advantage of this deep rooted sense of ethnic identity and work to gain competitive information by appealing to persons of similar ethnic or cultural background.

Applications

Identifying What Information to Protect

Competitive intelligence and industrial espionage is not always focused on retrieving or collecting highly sensitive information. Most intelligence gathering activities tend to focus on information that is not generally known outside a given American business or industry. Such information combined with other sources of information can eventually provide the retriever with a salable commodity. The key test on what information to protect is whether or not that information enhances the competitiveness of a company or even a country (Forte & Power, 2007).

Companies can identify what information to protect by conducting an information audit. This requires all business units to review their operations and determine which information helps to create uniqueness and results in a competitive advantage. When the audit is completed corporate security professionals can then determine the cost of a reasonable level of protection and support a business decision as to how much to spend on protection mechanisms including training employees on the importance of protecting specific information (King, 2007). When training is the key protection mechanism or when office procedures need to be modified, information security can be improved for little additional cost (Myler & Broadbent, 2006).

There are many basic procedures that can readily improve information security. For example, keeping unescorted visitors, unauthorized personnel and the general public out of restricted research, production and business areas is a common practice (Berghel, 2007). One of the best ways to accomplish this is through staff training. Once trained, employees can be the first line of defense in information security (Schultz, 2007).

Ideal Security Levels

The following shows an ideal general security level. This security information was extracted from the OSAC website regarding the security of corporate information for private sector companies that have offices outside the United States and for personnel who travel or reside abroad. The information is designed to assist organizations and their personnel abroad in planning security needs. Above all information security should be considered when making decisions to move information to an overseas location (OSAC, 2005).

  • Security staff should control all building perimeter openings employees and non-employees should be issued and wear proper identification in clear view.
  • Areas where sensitive information is stored should be restricted with only specific personnel having access.
  • Removal of sensitive information from a restricted area should be logged and tracked.
  • Nonemployees should be escorted when they are in the facility.
  • Equipment that can be used to reproduce information should not be allowed in sensitive areas.
  • Lockable storage devices should be used to keep sensitive information secured and locks or combinations should be changed on a regular basis.
  • Sensitive information should be inventoried and logged and periodically checked to account for all documents.
  • Sensitive documents should be completely destroyed when they are no longer needed (http://www.osac.gov).

Protecting Key Personnel & Their Families

The methods used to protect office buildings or manufacturing facilities should also be used to protect residential facilities. Any sensitive information taken to a residence needs the same level of protection as it has in corporate buildings (OSAC, 2005).

  • Only authorized persons should be allowed in a residence where sensitive information is stored or used.
  • The residence should also have restricted areas where only people authorized to use sensitive information have access.
  • Sensitive information should not be disposed of through residential waste systems.
  • Background investigations on residential employees should be conducted just as they are for corporate buildings.
  • Personal or laptop computers carried offsite by corporate staff should be protected.
  • Corporate staff should be trained in protecting sensitive information when attending scientific conferences and trade association meetings.
  • Corporate staff should also be trained to not discuss sensitive information in places where unauthorized persons could hear the conversation.
  • All employees should be trained not to discuss sensitive information over the telephone when traveling (http://www.osac.gov).

Those people that have ended up in hostage situations generally regret that they had left their family affairs in less than good order. Evacuations, illness, or death can also leave a family in situations where they need to quickly bring order to finances or property holdings. Several steps should be taken before employees travel abroad or into potentially dangerous areas. Above all, employees should discuss with their family what should be done in the case of any emergency situation. Every member of the family should be aware of what plans are in place.

In addition, family and friends should be provided with emergency contact information all important papers regarding finance or property should be kept up to date. These include wills, guardianship papers, power of attorney, social security numbers, and insurance policy numbers. Corporate employees on international travel should also be informed that they should:

  • Obtain an International Driving Permit.
  • Have medical identification.
  • Not carry unnecessary credit cards or other items.
  • Maintain control of their passport.
  • Properly tag luggage by concealing unnecessary information.
  • Assure that people at home know their itinerary.
  • Have contact information for local offices.
  • Check for any travel advisories for countries they will visit or pass through.

Issues

Training Employees on How to Travel

The number of international business travelers has increased over the past two decades, and many employees are now either making multiple international trips per year or are staying for extended periods of time. In addition, more of these travelers are going to less developed areas, which translates into higher risks of both illness and injury. The business traveler in general may have a different risk profile than adventure travelers, tourists, or expatriates, but individual itineraries and activities may be similar, and employees may add leisure activities to a business trip.

Medical Concerns

Employees who frequently travel internationally can manage their travel-related medical needs in a variety of ways including utilizing corporate medical departments, local health departments, and local clinics under contract. Large multinational corporations, many with full-time medical departments and substantial resources, have long been active in providing preventive travel services to their employees, at least at their larger locations. Smaller companies or facilities often rely on local travel clinics or health departments (Prince, Spengler & Collins, 2001).

Suggestions for Business Traveling

Many of the following practices can be helpful in surviving a terrorist situation while traveling in a country that has recently experienced unrest. First they should register with the United States embassy or consulate and provide a copy of their itinerary. This makes it easier to contact them in case of an emergency or to evacuate them if necessary ("Hotel safety," 2004).

  • Have with them a supply of any regularly taken prescription medicines, an extra pair of eyeglasses, passport, and copies of necessary personal documents.
  • Dress to blend into the international environment and do not wear jewelry.
  • Take as little luggage as possible.
  • Do reveal travel plans to fellow passengers, crew, or even traveling companions.
  • Memorize passport numbers.
  • Always be aware of their surroundings, noting exits and safe areas.
  • Rent only conservative model cars with locking trunk, hood, and gas cap.
  • When driving, lock the doors, keep windows rolled up, and valuables out of sight.
  • Always check for suspicious individuals before getting out of the car.
  • Stay alert for pickpockets and petty thieves while in a bus/train terminal or at a taxi stop.
  • Use only licensed taxis and do not exit the taxi alone in deserted areas.
  • When using public transit systems sit in an aisle seat near the driver.
  • Stay alert in the hotel, put the "do not disturb" sign on the door, and carry the room key instead of leaving it at front desk. Don't answer the door unless you know who it is. Be aware of emergency exits in event of fire or other incidents.
  • When walking, know where you are going and stay on wide, well-lit streets.
  • In the event of civil unrest or violence stay in the hotel and contact the U.S. Embassy, consulate or other friendly embassy and stay in contact with local office representatives ("Hotel safety," 2004).

Assuring Communications are Secure

Economic espionage is a serious concern and will probably increase as the global economy grows and competition becomes even fiercer. Communications security is essential because electronic communications are very easy to intercept. They are especially easy to intercept in many countries because the telecommunications companies are government-owned and many business managers feel that they provide their national intelligence services liberal access (OSAC, 2005). There are several threats and vulnerabilities involved with electronic transmission.

  • Equipment required for intercepting electronic communications can be easily obtained by almost anyone.
  • Electronic equipment, such as fax machines, telephones, and desktop computers, can be hacked or otherwise altered to make electronic monitoring easier.
  • Telecommunications monitoring may be virtually undetectable.
  • Employees of U.S. companies are not always aware of the vulnerability of their transmissions.
  • Electronic transmissions are often searched by computers looking for key words that help determine if the transmission has value for a third party.
  • Encryption can be a good defense but is not completely safe.

There are several steps that can be taken in order to improve the security of telecommunications transmissions. First and foremost it is important to assure that internal equipment is as secure as possible and that security settings are appropriate and security software is updated. This means that it is important to locate overseas corporate offices in facilities that are completely controlled by the company. In addition it is important to train all employees on communications security.

Most large corporations are dependent on their computer and communications systems and the integrity and confidentiality of the data being stored and processed on computers. Access control security software and procedures must be implemented for any computer interfacing with a network or telephone system. It is advisable that corporate security and network and computer security staff work together to secure telecommunications and computer technology. The Internet provides for electronic access to almost any system in the world from anywhere in the world.

Computer System Hacking Intrusion

Corporate spies and economic espionage agents have no hesitation what-so-ever in hacking into corporate systems or hiring young unemployed computer savvy technicians to do the hacking for them. Hacking into computers is now a standard tool for those involved in espionage and computer crime. If an intruder gains entry into a system they may be able to view, change, or destroy valuable company data and information. Information system terrorism, or compromising a company's information systems, is also not uncommon. All organizations should consider the following mitigation methods to reduce the possibility of unauthorized access through their networks or through systems connected to the Internet:

  • Implement strong access control software and procedures on all computer systems and networks.
  • Assure that all user passwords are changed on a regular basis and at least once every 60 days. Lock user accounts if there are three consecutive invalid passwords on a user ID, and insure that all passwords are strong and have at least six characters with lower case, upper case, numbers, and special characters contained in the password. In addition, restrict employees from using passwords relate to their lives (names of family, pets, sports teams, etc.). Hackers, crackers, and spies often gain entry into systems by guessing passwords.
  • Make sure that internal corporate phone numbers that provide access to the corporation's networks and computer systems are treated as sensitive information. Establish policies that minimize the distribution of these phone numbers and train all corporate employees that the numbers should be treated as sensitive information and guarded closely.
  • Periodically test all corporate networks to identify unauthorized modems which could provide access to eavesdroppers and to determine if intrusions have been attempted.
  • Encrypt sensitive electronic transmissions including e-mail.
  • Require all personnel to sign appropriate use statements before they are allowed to access corporate computer systems or networks. Also assure that they understand that it is their responsibility to help keep competitive information confidential and that they will abide by information protection standards and procedures set by the company.
  • Implement strong video conferencing security to prevent monitoring of sessions.

Conclusion

The number of international business travelers has increased over the past two decades, and many employees are now either making multiple international trips per year or are staying for extended periods of time. In addition, more of the travelers are going to less developed areas, which translates into higher risks from both illness and injury.

Americans are considered to be particularly vulnerable to the tried and true methods of espionage. The stories and ploys of spies are pretty much the same as they were during post World War II period of the Cold War. However, foreign intelligence agencies now often focus their efforts on trying to obtain proprietary or sensitive American business information. Protecting American business travelers and the information they carry and use abroad is an increasing concern of individuals and companies. It is the job of The Overseas Security Advisory Council of the United States Department of State (OSAC) to foster the exchange of information between American companies with overseas operations and the United States government agencies responsible for national and industrial security.

If information is not generally known outside a specific American business or industry then it should be considered confidential and valuable. Access to this information should be restricted and security measures should be appropriate for the value of the information.

Information does not need to be ground braking or revolutionary to warrant protection. Normally accepted security steps and mechanisms can protect a company's employees, facilities, and information. The security of personnel, facilities and information go hand-in-hand.

Many of the methods to protect corporate facilities can and should be applied to maintaining a safe and secure employee residence. These steps will vary depending on the location and associated risk factors. As a minimum the level of protection afforded competitive information in the workplace should be applied equally to information that is removed from corporate property and taken to a residence or any other location.

Since electronic transmissions are so easily accessed and intercepted, corporate telecommunication is now a highly vulnerable and lucrative target for those seeking to obtain trade secrets and competitive information. As the growth of telecommunications links for bulk computer data transmission and electronic mail continues, telecommunications interception efforts have proven to be cost-effective for intelligence collectors worldwide. This makes communications security essential.

Terms & Concepts

Access: The ability to gain entrance into computer systems, computer networks, and telecommunications systems to obtain knowledge of classified information.

Accountability: The obligation and responsibility for keeping an accurate record of sensitive documents, communications, and other classified material.

Authorized Persons: A person(s) that has been deemed trusted and has a need-to-know classified information or a specific or who can enter and use a facility or resource in the performance of official duties.

Communications Security: Measures and methods used to control unauthorized access to electronic communications.

Compromise: The disclosure of classified information to an unauthorized person.

Destruction: Disposal of classified material by prescribed procedures.

Foreign Interest(s): A foreign government, agency of a foreign government, an agent or representative of a foreign government, a business enterprise or nongovernment organization legally organized, chartered or incorporated under the laws of another country.

Intelligence: Information produced by collecting, evaluating, analyzing, integrating, or interpreting available information, that reveals one or more aspects of foreign nations or of the operations of foreign companies or organizations that reveals significant insight to military planning and operations or business strategy and operations.

Unauthorized Personnel: A person or persons not authorized to have access to specific classified information.

Bibliography

Berghel, H. (2007). Better-than-nothing security practices. Communications of the ACM, 50, 15-18. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=26047925&site=ehost-live

Business travaillers. (2003). Economist, 366(8318), 56. Retrieved December 12, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=9462475&site=ehost-live

Dykins, R. (2012). Risky business. Business Traveller (UK/Europe Edition), 28-31. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=76503933&site=ehost-live

Forte, D., & Power, R. (2007). The state of information security towards the close of the first decade of the 21st century. Computer Fraud & Security, 2007, 15-19. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=27356527&site=ehost-live

Guidelines for protecting U.S. business information overseas. (2005, June). Retrieved December 14, 2007, from Overseas Security Advisory Council (OSAC) https://www.osac.gov/Reports/report.cfm?contentID=30028

Hotel safety: Staying safe in your home away from home. (2004, May). Retrieved December 14, 2007, from Overseas Security Advisory Council (OSAC) https://www.osac.gov/Reports/report.cfm?contentID=32450

Jonas, D. (2011). Globalized travel management 'accelerating'. Business Travel News, 28, 3-33. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=60780531&site=ehost-live

King, P. (2007). In the new converged world are we secure enough? Information Security Technical Report, 12, 90-97. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=26161079&site=ehost-live

Metrics. (2012). Business Travel News, 29, 8. Retrieved November 15, 2013, from EBSCO Online Database Business Source Complete. http://search.ebscohost.com/login.aspx?direct=true&db=bth&AN=73528545&site=ehost-live

Myler, E., & Broadbent, G. (2006). ISO 17799: Standard for security. Information Management Journal, 40, 43-52. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=24289368&site=ehost-live

Prince, T., Spengler, S., & Collins, T. (2001). Corporate travel medicine: Benefit analysis of on-site services. Journal of Travel Medicine, 8, 163. Retrieved December 12, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=5947643&site=ehost-live

Eugene Schultz, E. (2007). Risks due to convergence of physical security systems and information technology environments. Information Security Technical Report, 12, 80-84.

Security guidelines for American enterprises abroad. (May 2005) Overseas Security Advisory Council (OSAC) (http://www.osac.gov)

Suggested Reading

Anderson, R., Lewis, D., & Parker, M. (1999). Another look at the efficiency of corporate travel management departments. Journal of Travel Research, 37, 267. Retrieved December 12, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=1528492&site=ehost-live

Baker, W., Rees, L., & Tippett, P. (2007). Necessary measures. Communications of the ACM, 50, 101-106. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=26803438&site=ehost-live

Boyd, D. (2007). Communications security. Issues in Science & Technology, 23, 5-6. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=24522955&site=ehost-live

Buckley, C. (1992). Driving through the apocalypse. Forbes, 149, 76-82. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=21137029&site=ehost-live

Communications, security & exterior improvements. (2005). Architectural Record, 193, 241-242. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=19282592&site=ehost-live

Jeffery, S. (1998). False sense of security? Wireless Review, 15, 34. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=478525&site=ehost-live

Kesh, S., & Ratnasingam, P. (2007). A knowledge architecture for IT security. Communications of the ACM, 50, 103-108. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=25690076&site=ehost-live

Kraemer, S., & Carayon, P. (2007). Human errors and violations in computer and information security: The viewpoint of network administrators and security specialists. Applied Ergonomics, 38, 143-154. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=22964921&site=ehost-live

Mason, K. (2002). Future trends in business travel decision making. Journal of Air Transportation, 7, 47. Retrieved December 12, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=6493740&site=ehost-live

Nelson, M. (1998). Security in an uncertain world. InfoWorld, 20, 42. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=1176702&site=ehost-live

Schneiderman, R. (2003). Communications security: Ready and set to take off. Electronic Design, 51, 88. Retrieved December 14, 2007, from EBSCO Online Database Academic Search Premier. http://search.ebscohost.com/login.aspx?direct=true&db=aph&AN=10850401&site=ehost-live

Essay by Michael Erbschloe, M.A.

Michael Erbschloe is an information technology consultant, educator, and author. He has taught graduate level courses and developed technology-related curriculum for several universities and speaks at conferences and industry events around the world. Michael holds a Masters Degree in Sociology from Kent State University. He has authored hundreds of articles and several books on technology.