Business travelers using unsecured networks and personal devices while away from the office could be putting their companies at greater risk for cybercrime, new data suggests. According to a World Travel Protection survey, just 36% of American companies require two-factor authentication on employees’ devices, 32% use antivirus software, and 30% have their employees use a virtual private network, or VPN, Property Casualty 360 reported Jan. 4.
In addition, a majority of companies do not ask that their workers avoid unsecured wireless networks while traveling, with fewer than one-third of firms making the request.
If a company does experience a data breach, its cyberattack-related expenses can be covered by Cyber & Privacy Liability Insurance — yet many companies, particularly smaller firms, do not carry this coverage.
“If the business is small enough, they may not see themselves as a potential victim,” said Connor Cahill, Broker, Professional Liability, Burns & Wilcox, Minneapolis, Minnesota. “Smaller companies do not always realize that just because they are not making millions of dollars, they could still be a victim in the situation.”
Business travel back on the rise, potentially increasing cyber risks
As of August 2023, business travel bookings were 25% below pre-pandemic levels on Alaska Air and 20% below pre-pandemic demand for JetBlue Airways, Reuters reported. Although corporate travel has been slower to rebound from the lows of the pandemic than leisure travel, business travel is increasing and could reach 2019 spend volume by late 2024 or early 2025, according to a 2023 corporate travel report from Deloitte. Last summer, the Global Business Travel Association noted that an “accelerated return” to pre-pandemic spending was anticipated, with global spending expected to reach $1.4 trillion this year and $1.8 trillion in 2027.
Potential cybersecurity vulnerabilities for business travelers include the use of personal devices that may not be equipped with antivirus software and other cybersecurity features, logging on to unsecured wireless networks at airports and other busy venues, and more. With the uptick in business travel, a rise in cybercrime would not be surprising, Ascenzo said. “There could be a correlation between cyber events and business travel,” he said.
Remote workers are also increasingly on the move, with Bloomberg reporting in August on the trend of “digital nomads” who travel the world while maintaining their remote jobs. In addition, workers overall are more likely to be using personal devices for work as bring-your-own-device policies become more common among employers, BizTech reported in August.
“We live in a post-pandemic age where there is a lot of ability to bring your own device to work,” Ascenzo said. “A lot of employees are using their personal phones, tablets and laptops for work, and I know there can be some hesitancy or resistance to download critical safety software on their personal devices. Some employees are OK with it, and some employees are adamant against it.”
Companies that do allow workers to use their personal laptops and phones should ensure “critical security software” is downloaded on those devices first, Ascenzo said.
Many of the same digital safety concerns related to business travel would apply to employees working at their local coffee shop, Cahill pointed out. “This is not just an international exposure; the same can be said locally,” he explained. “Those exposures are still relevant. It can happen in your own backyard.”
Without standalone cyber policy, personal devices may not be covered
As companies assess their cybersecurity preparedness as 2024 begins, they should be aware of the different ways they could be targeted. According to a December report from Forbes, current cyber threats include a rise in ransomware attacks and a heightened risk of AI-powered breaches. Business owners should also know that potential changes to data privacy regulations could impact their protocols for securing user data, the publication noted.
When a company is impacted by a cybercrime incident, its Cyber & Privacy Liability Insurance can help pay for data breach response, investigation, ransomware negotiation and payments, customer notification, loss of business income, and more. Coverage may also include brand rehabilitation services, as well as legal defense and settlements in the event the company is sued over a data breach.
“It is a comprehensive policy, so anything that happened would usually be addressed by the policy, whether it is first-party expenses that the company has to pay to investigate a breach and figure out how it happened or if there is any ransomware involved and restoring any data,” Ascenzo explained. “After that, the resulting liability can all be included under a cyber policy.”
While some companies may have limited cyber-related coverage on their Commercial General Liability (CGL) Insurance policy, these small sublimits are not usually sufficient for today’s cyber risks — and they would not usually cover personal devices being used by business travelers, Cahill pointed out.
“On most standalone Cyber & Privacy Liability Insurance policies, you can have the wording amended to include employee-owned devices,” he explained. “With COVID and everyone working from home in the last few years, most companies do not have laptops for their employees to use. The insurance carriers started broadening their definitions to include employee-owned devices.”
This is important, he said, as even companies that spend millions of dollars to protect their data within their building can be left vulnerable when employees access their systems remotely. “You can secure your building and network with all these antivirus and firewall controls but as soon as you leave that network in the office building, those controls are not there to protect you anymore,” Cahill said. “You are only protected as far as what your personal device has. They should be using a VPN that includes two-step, multi-factor authentication.”
Whether or not VPN use is implemented among employees could come up when purchasing Cyber & Privacy Liability Insurance, Ascenzo added. “Sometimes we will ask what kind of software is installed and what the take-up rate is,” he said. “Expanding coverage to include employee personal devices can sometimes bring on additional underwriting questions.”
Companies should also ensure they have coverage for cybercrime, phishing and social engineering threats. Standalone cyber policies in general, Cahill said, are “tailor-made and more up to date with what is happening in the world.”
Cybersecurity tips for business travelers
Risk mitigation is another common aspect of Cyber & Privacy Liability Insurance and one that companies may overlook. Once a policy is in place, the business will usually have access to a variety of cybersecurity tools including employee training modules and advice on best practices to implement. “If you purchase a standalone policy, you will likely have access to those risk management resources,” Cahill said.
Beyond those tools, companies and employees can also take a “common sense” look at their potential exposures, Ascenzo suggested. “A lot of our phones auto-join Wi-Fi networks; that could be changed so that it asks you if you want to join a particular network,” he said. “Also, thinking like a criminal: Where is the low-hanging fruit? It is unsecured networks. Free Wi-Fi can be great, but the criminals know that, too. They can sit there with their hacking skills and just look for a way to get into someone’s device.”
Other tips include having separate devices for work and personal use, utilizing a VPN, and providing employees with individual hot spots so that they do not need to rely on public Wi-Fi networks, Cahill said.
Ultimately, it is up to companies to ensure their business travelers are taking the appropriate precautions. It is unfortunate that the recent survey shows many companies may not be taking those steps, Cahill said. “Companies should really put more focus on that,” he said. “The larger Fortune 500 companies invest millions of dollars annually to keep their employees trained on the best practices, but a lot of these smaller companies do not invest in security and best practices. When they do get hit, their company could go under because they do not have adequate insurance coverage for it.”
When seeking coverage or deciding whether existing limits on a CGL Insurance policy are sufficient, “it is good to work with an insurance broker who can review the coverage on that policy,” Ascenzo added. “Sometimes it is only first-party or third-party coverage, and sometimes the limits are woefully low compared to industry data out there for the average size of a cyber event. Working with a broker to understand what they may have and obtaining more comprehensive cyber coverage goes a long way.”