Among the main ICT measures that every company should have in place, first and foremost are a security policy and security governance responsible for directing and supervising the cybersecurity strategies that protect sensitive data. The focal point is obviously the digital systems and software used daily to carry out the various business processes, both as centralized systems and through remote employee access, perhaps via web browsing or email. In these cases the basic security procedures should be perimeter anti-malware and continuous updates of that software and of the antivirus, but also authentication requirements for access and data backup solutions. The situation becomes more complex when employees access company systems or process sensitive data during a business trip.
To define the best practices that a business traveler should follow during a trip, we must first clarify an assumption: there are different business traveler profiles, which process data of a very different nature and therefore require equally distinct treatment. For example, the sales force handles company data such as marketing strategies, cost definitions, customer and partnership lists, and so on, while company managers use the company's intellectual property regarding product or service formulations and production techniques, research activities, etc. HR representatives and technical staff on business trips, for their part, respectively use personal data related to employee privacy and sensitive information relating to architecture and to technical and production drawings of products or services. Nevertheless, there are best practices that every employee who travels on business should know and apply automatically.
The main cybersecurity threats for business travellers
Any business traveler could find themselves facing a security threat to their digital devices, from the theft of credentials to malware infections, up to the interception of communications and the theft of the device itself. For an expert it is not difficult to get hold of the information accessible from a device, especially if all the passwords are saved on it. In fact, even in the case of theft, the damage is linked not to the value of the object but to the information it could contain. Furthermore, with adequate antennas, it is possible to intercept communications transmitted via Wi-Fi up to four kilometers away, getting in through an access point that can advertise a misleading Wi-Fi network name.
The duration of the trip is another relevant factor from a cybersecurity perspective. A device that cannot promptly perform antivirus updates could leave the traveling employee particularly vulnerable to attacks. Another threat comes from social media. Sometimes, naively, the business traveler publishes the movements and purposes of their trip on their social profiles. This kind of information, apparently harmless, could actually be useful to malicious people. Senior management also needs attention. Spear phishing, an "upgrade" of traditional web phishing, aims to sneak into the web operations of top corporate figures who can manage funds and hold highly sensitive information.
The best practices that every traveling employee must put into practice
The threats, as we have seen, are many and can come from every corner of the web and at every level of confidentiality. However, there are best practices that can prevent each of the malicious interventions listed above.
To reduce the risk of theft of a device, and therefore of access to the information accessible from it, it is first of all essential that the company regulates the use of mobile devices in a policy and provides training and awareness initiatives so that staff use their devices correctly. For example, business travelers should be accustomed to paying attention to potentially malicious attachments or links, just as it is of fundamental importance to instill discipline in the responsible use of social platforms, including personal ones. At the same time, a security architecture must be provided that minimizes sensitive data held remotely and provides device encryption. To avoid stumbling across deceptive Wi-Fi, the user must be wary of networks that do not require authentication. Even when connecting to company services, it is important to always check that there is a secure protocol that requires user authentication and provides for the encryption of communications.
In the case of a prolonged trip that keeps you away from company protection for a long time, it is essential to carefully evaluate the risks. When an update falls due, you should check the possibility of using a VPN connection, a virtual private network that protects the anonymity of communications, to proceed with the device update.
Focusing on the correct rules for using devices during business trips must not, however, divert attention from intervention protocols in the event of access to sensitive data by unauthorized persons. In fact, it is important that cases of infringement or "mobile attacks" are foreseen in risk management. At the same time, to prevent incidents or intervene promptly, it is necessary to provide constant audit activity on the digital activities and communications carried out by staff at every level.