ASIS Security Management magazine has a recent article regarding the security aspects of business travel. The article offers information security advice highlighting some of the concerns addressed by the security department at industrial supply company W.W. Grainger, offering advice to their employees who travel internationally. Even though they are not in research and development or other high-tech field, they recognize the value in their confidential information. They did not mention eavesdropping countermeasures, but that is also a key element in information security plans, often overlooked by security departments. 

By Ann Longmore-Etheridge  

[Full article available here]

… W. W. Grainger is a Fortune 500 industrial-supply company based in Lake Forest, Illinois, with offices in Central and South America, China, Canada, India, Japan, and Puerto Rico. Grainger has about 21,000 employees, out of which about 1,500 may travel internationally on business in a given year. Keith Blakemore, CPP, its director of security and loss prevention, says that in the last decade, the company has pursued a robust international growth strategy. It became quickly obvious that “[w]e needed to develop a travel security program.” At that time, the company was using multiple travel agencies to book employee travel, and it had no processes by which to track employees on the ground overseas. The company now maintains select vetted travel agencies for each of the company’s international business locations. Employees must use these agencies to book their flights, hotels, and any other travel.

All itineraries and hotel information are provided to the security group, and the travelers must provide business and personal contact information so that “we have a means to communicate with them if they have a travel emergency or there is a crisis somewhere—whether that would be a terrorist incident or civil unrest or a weather-related disaster,” says Blakemore.

Security compiles a list of high-risk destinations identified by outside intelligence sources. Trips to these locations must pass a special approval process wherein the travel is deemed business essential or critical by a functional vice president and a local country general manager who must both sign off on it. While all aspects of the travel are coordinated through one of the vetted travel agencies, secure ground logistics are coordinated with the security group either by the corporate office or by the company’s security team in that nation.

W. W. Grainger has also established a travel security Web site. Its contents include corporate emergency contacts and travel policies specific to each nation. It also includes education and awareness material, such as what to expect once the employee is at the destination as well as protocols and guidelines to follow if an incident occurs, such as a personal injury or illness, theft, or other act of violence.

For example, the Web site includes information on crime trends in São Paulo, Brazil. One of these is robberies of upscale restaurants by arrastao gangs (Portuguese for “trawling”). These armed intruders perform what could be called “flash robs” of upscale eateries to take patrons’ wallets, cell phones, credit cards, and jewelry. The incidents are usually over in a matter of minutes. Because of the arrastao gangs, “One of the things we recommend is for our travelers to use the hotel restaurants. We don’t say they must, but we strongly encourage it,” Blakemore says.

W. W. Grainger has offices in Mexico, making it a destination for many of its international travelers. “In Mexico, one of the things we do not allow is for anyone to rent vehicles, and all of the ground transport is orchestrated,” Blakemore states. But in Mexico even vetted transports can sometimes be accidently caught in a criminal circumstance. “In one case, the cartels blocked some of the major thoroughfares with vehicles and everything was basically frozen,” he says. The intent was not to rob or abduct travelers, but anyone within the vehicles was in danger of being accidently caught in the gang-against-gang violence that was then taking place there.

Blakemore adds that a tactic used by the company when executives travel to Mexico is to keep their stays short. “Our executives will be in and out in a day, if that is possible,” he states.

Training. Blakemore says that at W. W. Grainger, his department does provide “face-to-face training on a somewhat regular basis to groups or departments that regularly travel abroad.” The company’s medical group also provides pre-trip information on avoiding infectious diseases, needed vaccinations, and other health-related issues as part of the employees’ travel planning. Once employees have arrived, if they fall sick or are injured, W. W. Grainger contracts with both International SOS and iJET to provide information on medical assistance. International SOS, for example, runs a worldwide network of assistance centers, clinics, and health and logistics providers to offer local assistance.

Employees are coached to have situational awareness while in a foreign country. “We try to educate our travelers to maintain a low profile. We have not had an incident where U.S. nationals have been abducted but there are companies that have,” he states. “We give our employees educational material on kidnap avoidance, and for our in-country employees—because they are at a greater risk, being down there every day—we do kidnap-avoidance training, as well as defensive-driver training for the ones who drive between their home and office.”

Information

Just as companies develop plans and policies for their international travelers, they must have plans and policies for information protection. “Employees don’t realize that…there are always people trying to collect the information they’re carrying,” Gruber says.

While executives are normally the recipients of travel protection services, Nicastro says that usually it is “the employees who are there to support the meetings or other business functions who have the most vulnerable information.”
Gruber notes that many companies do have IT policies in place regarding work computers, “But what we see routinely is people traveling with their personal computer with some files from work on it, with their cell phone with text messages [regarding the trip or the business], and with files on the thumb drives we carry,” he says. “Now here is a major point to consider: the snowball effect. There are three or four people traveling, and each person releases a little bit of information about their actions within a business event.” Independently, a rival company or foreign intelligence agency can’t get a full enough picture, but with multiple business travelers, each providing a piece of the puzzle, the full picture can come into view.

Gruber recommends that prior to travel, employees should comply with a company policy to “lock down their electronic items, their cell phones, their Wi-Fi ports, and their Bluetooth as they move through airports so that no one can pick up their information. Ensure that everything is PIN or password protected, and make sure everything on the computer is encrypted.”
Some countries screen passengers’ electronic information as part of the customs process. “They’re going to turn the device on, try to access it, and potentially download information, he states. One place where this is the case is Russia. “There will be a hands-on review of your equipment. Some of that equipment may pass through areas that you have no observation of. This may be a legitimate search, but if your computer is booted and your Wi-Fi port is open, someone can still download from another area or location. There are software tools that can be attached that can capture the last data files or packets that you’ve been accessing. That can happen within a few minutes while you think there is just a cursory inspection.”

Blakemore, whose company has operations in China, where proprietary-information theft is a concern, says “We’re not in research and development; we don’t make any products, but we still have company confidential information, and we do provide our travelers with guidelines on information security” in China.

[Full article available here]