Annex E2 of ISO 31030:2021 Travel risk management: Guidance for organisations provides that training of travellers in respect of ‘Personal and proprietary information protection, risk of social engineering and espionage need[s] to be provided if not addressed in other organizational training and awareness programmes.’ GSA Global has been assessing organisations’ TRM arrangements since 2022 and has seen little evidence that this aspect of business travel training is actively addressed, and even less evidence of good practice emerging. Usually, businesses see countering hostile intelligence gathering as an IT/cyber issue best addressed by a ‘clean’ laptop and phone, avoiding open/public Wi-Fi, and only working in the cloud. Whilst relevant and useful, a wholly IT/cyber perspective is not a complete solution to threats, risks and mitigations.

The first threat and risk considerations are whether an organisation holds sensitive proprietary information of its own, or of its clients; whether this is likely to be in the possession of a business traveller; and who might be interested in acquiring it. Beyond obvious subjects for hostile interest (e.g. defence), other subjects of geo-political and competitor interest have emerged, such as:

  • banking & financial services, including M&A
  • pharmacology
  • telecoms & computer technologies
  • geology & mining and energy
  • educational research & examinations

There are a variety of ways in which information is conveyed during business travel – virtually, in written forms, and in travellers’ innate business knowledge. It is no secret that most states’ intelligence services have the capability to access travellers’ accommodation where media containing sensitive information might be found, or meeting places where a business traveller might be asked, ‘would you like me to put your coat and bag in the cloakroom?’ Accommodation and meeting places also provide opportunities for eavesdropping. Many private investigation services also have these capabilities, and some unscrupulous individuals are prepared to break the law where there are legal restrictions on commercial espionage.

Then there is the contrived encounter in which a targeted business traveller is asked, ‘and what do you do?’ or ‘what brings you here?’ and, for the unwitting or unwary, risks can escalate towards personal or professional compromise, creating an ongoing insider threat.

If you haven’t given this aspect of business much thought, ask yourself these questions:

  • Does my organisation hold or access sensitive information?
  • If lost or compromised, would it have a significantly detrimental impact on my organisation or clients?
  • Is it likely to be of interest to others capable of trying to acquire it?
  • Is this business traveller without training or briefing in ‘social engineering’ tactics, and counter techniques?

If you answered ‘yes’ to these questions, there may be a significant gap in your TRM arrangements. Some TRM teams that we have spoken to candidly admit that they have not considered this threat; neither do they have the capacity to undertake the threat and risk assessment, nor do they possess the skills and experience to do so and devise suitable mitigations. Our counter-intelligence experts have been active in developing training and awareness support to travel risk professionals to help them address this growing problem.
