Companies requiring that employees travel to other countries must have strong travel security programs to protect both personnel and corporate information.
Sending employees to foreign countries on behalf of business can result in lucrative outcomes and new and exciting experiences for the traveler. But management can imperil employees by not properly preparing them for conditions on the ground, and corporate assets can also be endangered if employees haven’t been taught to properly secure proprietary information.
Jeffrey J. Gruber, CPP, is a U.S. Department of Defense operations officer who has lived outside the United States for much of his career and is an expert in business travel safety. He agreed to talk to Security Management with the understanding that he was speaking on his own behalf. Gruber says that a strong business case needs to be made to senior management about the risks that employees are facing abroad. They need to understand that unprepared employees make themselves vulnerable to various criminal activities ranging from petty theft to identity theft and kidnapping. They also put corporate information at risk. And apart from the human toll, that’s a liability for the company.
“I was working with one company with quite a few employees, and I was really surprised that it wasn’t even using a [vetted, designated] travel agency,” states Gruber. Using one of the major ones, such as American Express, isn’t costly. In fact, it can save a lot of money by reducing fraud and getting the best prices from hotels and air carriers. And such companies also can provide a travel security management program as part of their services, Gruber notes.
Travel security planning is critical, but even companies that think they’ve taken care of it may not be addressing it properly. “One of the key things that I see as lacking within the private sector is true planning within an organization,” Gruber says. He notes that many businesses use the services of companies such as iJET and International SOS. These are well respected providers of business travel information, planning, and assistance, he says, but management should not think that contracting with this type of third-party service is analogous to having a security plan. That third party isn’t actually going to follow through and make sure that employees take certain actions before they leave or while traveling, for example.
Planning for security as a part of travel is definitely not a priority at many companies, says David Nicastro, CPP, CFE, president of Secure Source International LLC of Seattle. His company provides a range of services, from foreign due diligence to mergers and acquisitions to helping businesses with travel security. “For a lot of companies, security is almost an afterthought to doing the deal and starting to work in foreign countries,” he says.
That’s particularly disconcerting given that “many of our clients are traveling to places they never thought that they would, chasing business in emerging markets in places that can be very dangerous,” says Nicastro. He adds that even large companies, which may have good travel security policies and procedures in place for areas of the world that they frequent, tend to overlook the places they don’t travel to as much or where they are exploring future business potential. “They don’t know the environment and as a result they’re putting their people in harm’s way,” he says.
Nicastro says that companies interested in bolstering their travel security policies and processes need to be sure they are operating on current risk assessments of the nations their employees travel to. For example, he states, “In Brazil in the 1990s, ransom kidnappings were a very big concern in São Paulo or Rio de Janeiro. Today, it is property crime.” So, to mitigate risk in Brazil, “the muscle and the guns are no longer as important as a program that is based on intellect and planning.”
When on business overseas, employees need to identify a safe, licensed method of airport transport and of transit around the locale. It is not uncommon for incognizant international travelers to walk out of airports and into unlicensed taxis or other vehicles, says Gruber. In the United States, taking unlicensed transport is unlikely to lead to any problems, but in some nations, these travelers become robbery or kidnap victims. In Mexico in 2011, for example, a criminal gang posing as taxi drivers picked up passengers and drove them to a secure location to rob them of their money, credit cards, and other valuables. Some of the abductees were sexually assaulted. The abductors only released the victims after they had maxed out the credit cards.
For companies that regularly send employees to certain locations, Nicastro recommends that a simple video be created that shows what the employees will see when they exit customs and seek licensed transportation. “It’s very easy,” he explains. “You can do it with a smartphone.”
For example, at some airports, newly arrived passengers can go to an official desk and request a taxi. “You tell them the location, you pay right there, you get a slip of paper, and it shows where you’re going and directs you to the right line,” Nicastro says. This video, and others from different airports, can be placed on the company’s secure travel Web site or Intranet.
For executives who are being met by drivers outside of customs, Nicastro suggests that the signage these drivers are displaying should not show the executive’s correct name or company name, but something else agreed on beforehand. “Be more discreet,” Nicastro urges.
Working with vetted travel agencies, as noted, should be the first step toward ensuring that lodging accommodations are selected not only with an eye toward price but also with an eye toward security. Nicastro advises that once travelers have arrived at the hotel, they should request a room below the eighth floor, because fire ladders only reach that high. They should also make sure that the smoke detectors in the room work properly, and walk the emergency exit routes down stairwells and out of the building to make sure that clear paths exist. Travelers should also check in with the embassy or consulate and register their presence in the country. In their day-to-day activities, they should stay as anonymous as possible and remain unpredictable in their movements.
One Company’s Approach
W. W. Grainger is a Fortune 500 industrial-supply company based in Lake Forest, Illinois, with offices in Central and South America, China, Canada, India, Japan, and Puerto Rico. Grainger has about 21,000 employees, out of which about 1,500 may travel internationally on business in a given year. Keith Blakemore, CPP, its director of security and loss prevention, says that in the last decade, the company has pursued a robust international growth strategy. It became quickly obvious that “[w]e needed to develop a travel security program.” At that time, the company was using multiple travel agencies to book employee travel, and it had no processes by which to track employees on the ground overseas. The company now maintains select vetted travel agencies for each of the company’s international business locations. Employees must use these agencies to book their flights, hotels, and any other travel.
All itineraries and hotel information are provided to the security group, and the travelers must provide business and personal contact information so that “we have a means to communicate with them if they have a travel emergency or there is a crisis somewhere—whether that would be a terrorist incident or civil unrest or a weather-related disaster,” says Blakemore.
Security compiles a list of high-risk destinations identified by outside intelligence sources. Trips to these locations must pass a special approval process wherein the travel is deemed business essential or critical by a functional vice president and a local country general manager who must both sign off on it. While all aspects of the travel are coordinated through one of the vetted travel agencies, secure ground logistics are coordinated with the security group either by the corporate office or by the company’s security team in that nation.
W. W. Grainger has also established a travel security Web site. Its contents include corporate emergency contacts and travel policies specific to each nation. It also includes education and awareness material, such as what to expect once the employee is at the destination as well as protocols and guidelines to follow if an incident occurs, such as a personal injury or illness, theft, or other act of violence.
For example, the Web site includes information on crime trends in São Paulo, Brazil. One of these is robberies of upscale restaurants by arrastao gangs (Portuguese for “trawling”). These armed intruders perform what could be called “flash robs” of upscale eateries to take patrons’ wallets, cell phones, credit cards, and jewelry. The incidents are usually over in a matter of minutes. Because of the arrastao gangs, “One of the things we recommend is for our travelers to use the hotel restaurants. We don’t say they must, but we strongly encourage it,” Blakemore says.
W. W. Grainger has offices in Mexico, making it a destination for many of its international travelers. “In Mexico, one of the things we do not allow is for anyone to rent vehicles, and all of the ground transport is orchestrated,” Blakemore states. But in Mexico even vetted transports can sometimes be accidently caught in a criminal circumstance. “In one case, the cartels blocked some of the major thoroughfares with vehicles and everything was basically frozen,” he says. The intent was not to rob or abduct travelers, but anyone within the vehicles was in danger of being accidently caught in the gang-against-gang violence that was then taking place there.
Blakemore adds that a tactic used by the company when executives travel to Mexico is to keep their stays short. “Our executives will be in and out in a day, if that is possible,” he states.
Training. Blakemore says that at W. W. Grainger, his department does provide “face-to-face training on a somewhat regular basis to groups or departments that regularly travel abroad.” The company’s medical group also provides pre-trip information on avoiding infectious diseases, needed vaccinations, and other health-related issues as part of the employees’ travel planning. Once employees have arrived, if they fall sick or are injured, W. W. Grainger contracts with both International SOS and iJET to provide information on medical assistance. International SOS, for example, runs a worldwide network of assistance centers, clinics, and health and logistics providers to offer local assistance.
Employees are coached to have situational awareness while in a foreign country. “We try to educate our travelers to maintain a low profile. We have not had an incident where U.S. nationals have been abducted but there are companies that have,” he states. “We give our employees educational material on kidnap avoidance, and for our in-country employees—because they are at a greater risk, being down there every day—we do kidnap-avoidance training, as well as defensive-driver training for the ones who drive between their home and office.”
Just as companies develop plans and policies for their international travelers, they must have plans and policies for information protection. “Employees don’t realize that…there are always people trying to collect the information they’re carrying,” Gruber says.
While executives are normally the recipients of travel protection services, Nicastro says that usually it is “the employees who are there to support the meetings or other business functions who have the most vulnerable information.”
Gruber notes that many companies do have IT policies in place regarding work computers, “But what we see routinely is people traveling with their personal computer with some files from work on it, with their cell phone with text messages [regarding the trip or the business], and with files on the thumb drives we carry,” he says. “Now here is a major point to consider: the snowball effect. There are three or four people traveling, and each person releases a little bit of information about their actions within a business event.” Independently, a rival company or foreign intelligence agency can’t get a full enough picture, but with multiple business travelers, each providing a piece of the puzzle, the full picture can come into view.
Gruber recommends that prior to travel, employees should comply with a company policy to “lock down their electronic items, their cell phones, their Wi-Fi ports, and their Bluetooth as they move through airports so that no one can pick up their information. Ensure that everything is PIN or password protected, and make sure everything on the computer is encrypted.”
Some countries screen passengers’ electronic information as part of the customs process. “They’re going to turn the device on, try to access it, and potentially download information, he states. One place where this is the case is Russia. “There will be a hands-on review of your equipment. Some of that equipment may pass through areas that you have no observation of. This may be a legitimate search, but if your computer is booted and your Wi-Fi port is open, someone can still download from another area or location. There are software tools that can be attached that can capture the last data files or packets that you’ve been accessing. That can happen within a few minutes while you think there is just a cursory inspection.”
Blakemore, whose company has operations in China, where proprietary-information theft is a concern, says “We’re not in research and development; we don’t make any products, but we still have company confidential information, and we do provide our travelers with guidelines on information security” in China.
Some companies looking for international business to grow are too small to have the resources for outside travel security vendors and consultants—or even to have dedicated security personnel. But if the business does have international travelers, then someone on the staff should be in charge of maintaining an information Web page with links to the U.S. State Department’s Overseas Security Advisory Council site and its plethora of reports, incident listings, and advisories on conditions in nations around the globe, as well as RSS news feeds on countries being traveled to and emergency contact numbers for the company, the embassies, and the local police (if that group is trusted), suggests Nicastro. “But they also have to ensure that that employee is taking the time to review that info,” he says. And, of course, they should make sure that employees provide their itineraries and have emergency contingency plans for contact if something happens.
Gruber says that employees must certainly be looked after by the organization, but they must also look after themselves. Many fail to do even a minimum of due diligence, he says. He recommends that travelers go to Google Earth to explore the routes they will travel and to identify police stations and the U.S. embassy or consulate offices. Additionally, they should create and carry a hardcopy emergency contact list because it is possible that their cell phones will have limited or no reception at their overseas location. They should also conduct their own open-source research on crimes and scams occurring in the vicinity, he says.
There is an old Moorish proverb that says, “He who does not travel does not know the value of men.” It is certainly true today that those who do not travel cannot reap the potential value of emerging markets. But the company must also take care to have strong travel security policies and procedures lest the dreamt of profits turn into a nightmare of unintended consequences.