Travel Risk Management

How safe is it to travel to Russia for the 2018 FIFA World Cup?

Darren Aldrich is the Chief Operating Officer of ETS Risk Management, Inc., a global provider of travel security, Travel Risk Management, executive protection, threat intelligence and major event security. Frank is the former FBI Assistant Director of Counterintelligence, and recent head of Investigations, Special Event Security and Workplace Violence Prevention for General Electric.

How safe is it to visit Russia?

Virtually no travel to Russia is without risk. Russia travel risk assessment is driven by three factors:

  1. Location specific inherent risks;
  2. The nature of the travel;
  3. And, the individual traveller.

For example, hate crimes against foreigners, minorities, and the LGBT community occur in Russia because of an apparent tolerance for such conduct as reflected in weak legislative prohibitions and an unwillingness to prosecute. Deadly terror attacks happen in Moscow, the north Caucasus and, most recently, St. Petersburg because of long-standing organic ethnic, religious and regional strife such as the Chechen/Russian conflict including possible sympathies for ISIS within the Chechen region.

Travel in connection with special events or sporting matches raises the already well documented daily risk of tourists targeted by pickpockets and muggers, often by organized gangs in major cities. Individual travellers of Asian or Afro-Caribbean descent or who simply “don’t look like they belong” in the eyes of certain locals should exercise particularly enhanced vigilance.

Business travellers should understand that electronic devices are frequently targeted for intrusion via malware and other means in an attempt by the Russian intelligence services to access proprietary corporate information for a competitive edge.

Despite the inherent risks, travellers who make the effort to seek the “ground truth” of their destination through their own government alerts, reading current country risk profiles offered by established security firms, and who maintain vigilance and a low-profile, can easily mitigate the risks and enjoy a memorable trip to a vast and proud nation.

How safe will it be to go to the World Cup?

Travelers to the World Cup are advised of the significant risk posed by organized hooligans who seek to engage in brutal fights with opposing fans from countries like Britain, France and other nations.

Russian hooliganism is marked by elements distinct from traditional hooliganism in the UK and Europe. Law enforcement agencies with decades of experience in securing soccer competitions have documented observations of Russian thugs who are highly trained and prepared to fight. These hooligans physically train in body-building and fight techniques and they make a point of not drinking alcohol during matches to maintain an advantage over their UK or European counterparts.

Disturbingly, Russian government leaders seemingly encourage such behaviour with Russian Ministers quoted saying “Keep up the good work”, and Putin himself observing how Russian fans had quite literally beaten the English fans.

However, a major world event such as the World Cup is likely to be secured by the highest level of Russian national security agencies who understand the negative impact globally of any major incident during the World Cup. The largely incident-free Winter Olympics in Sochi, even under threat of terrorism, is evidence that Russia can secure a major event when it chooses.

What are the biggest risks?

Opportunistic crimes such as pick-pocketing and other thefts are common in major Russian cities. This risk includes theft from hotel rooms and theft from vehicles. Cases are well-documented of visitors whose drinks were spiked at bars for the purpose of robbery, rape or other violence. Unconscious victims are often left outside sometimes with life-threatening implications especially in the cold winter months. Further reports exist of criminals impersonating police officers for the purpose of harassing and robbing tourists.

What are the overlooked risks?

Travellers to Russia often overlook or dismiss the reality that the Russian government is in near total control of infrastructure which facilitates intelligence service targeting of western business and government travellers to include remote intrusion into their devices, or, even outright theft of their laptops, smart phones and other devices.

Similarly, hotels frequented by western travellers are particularly notorious for intelligence collection, entrapment and attempts to compromise western business and government visitors. This fact poses a dilemma for travellers seeking to avoid such targeting by possibly choosing a local, non-westernized hotel.

However, such a choice often increases the odds of opportunistic crimes such as theft or assault and can antagonize the intelligence services who may become perturbed by your diversion from the usual hotel chains.

How should people mitigate this?

Risk mitigation remains similar to advice given for most international travel.

Specifically, avoid open display of wealth, including expensive jewellery, and anything that may identify you as a tourist. Avoid walking alone at night. Be vigilant for pickpockets in main tourist areas and around the main railway stations, and keep your passport tightly secured. Always buy your own drinks at the bar and keep them in sight at all times.

To mitigate the risk of being victimized by “fake” police officers, always insist on seeing identification if you are stopped.

What duty of care provisions should employers sending staff to Russia have in place? What should employees ask for?

Business leaders sending employees to Russia are advised to include professional risk management measures into the travel plan.

These measures should include physical security guidance, protection of intellectual property, and potential medical consultation and even evacuation. The addition of enhanced security enables your team to focus on business objectives with minimal constraints or distractions. Employees should ask for loaner devices that contain only the data needed for that trip, and should bring a reliable communication device.

Employees traveling for lengthy periods, particularly to more remote areas of Russia, should understand that the local hospital blood supply may not be screened for HIV and other diseases as is the standard in the US, UK and other nations. Therefore, employees should ask about medical evacuation plans in the event of an unexpected need for surgery.

What Are Intellectual Property Rights London?

What your company spent years to develop can be lost in an instant at the hands of one ill-intentioned employee. The statistics on employee theft of intellectual property (IP) paint a dark portrait of what employees do when disgruntled, moving on, or stockpiling for a rainy day. William Evanina, the U.S. government’s National Counterintelligence Executive in the Office of the Director of National Intelligence, says, “As a corporate leader, the single most important investment in protecting your proprietary information and sensitive trade secrets is developing a viable and enterprise-wide insider threat program”.

To paraphrase the well-worn mantra on hacking and apply it to the pandemic of Insider Threat: There are two types of companies, those whose employees have already stolen IP, and those who simply don’t know it yet.  No matter where your company is along its journey toward an effective insider threat program, success or failure is measured by the last harmful egress of research, formulas, algorithms,  strategies, service manuals, or other critical business information (CBI). Whether your effort to detect, deter, and prevent CBI loss has become an industry model or is still a nascent vision, three common components can help build a new plan or help review and adopt a mature program.

Security professionals exploring insider threat fundamentals can take a lesson from first-year journalism students. Budding reporters are trained to instinctively repeat basic questions designed to get to the truth, and three of those questions drive the formation of all Insider Threat programs: “What?”; “Where?”; and, “Who?” Security leaders should make it their practice to ask these three questions of their staff, key partners, and operational components of their companies. What is it that most merits protection? Where is this most critical information located, physically and in cyberspace? Who amongst us requires regular access to CBI?

As the past head of counterintelligence for the FBI, a former corporate security executive for one of the world’s largest companies, and now a risk management consultant, it no longer surprises me to hear new security professionals struggle to answer these basic questions. Security practitioners sometimes perpetuate the long-standing C-suite myth that “security’s got this” when it comes to everything from a missing gym bag to a missing gyroscope. The perception that someone, somewhere, must have already addressed, planned for, or is in the process of resolving the concern of the moment, provides comfort to our senior executives and job assurance for those of us in the profession. But the comfort is dangerous and the assurance is hollow. Rather, we should work to dispel the notion that security can or should protect everything. To do that, the savvy security executive endeavors to first identify and then deeply understand exactly what represents the future of the company, where it resides, and which employees have stewardship of this lifeblood. Done correctly, in partnership with key stakeholders including Human Resources (HR), Legal, IT Risk, and Engineering, Science or Business leaders, this approach provides laser-like focus on what really matters, shares ownership across components, and generates  confidence in a process designed to protect against existential threats to jobs and share price.

Build Your Team

Successful implementation of insider threat programs hinges on assembling the right team. IP protection is a team sport and should not be carried out by one component alone. The team requires willful senior level participants who are convinced the time is right to defend the company against the threat from within. Leadership is often motivated to take this step by a crisis sparked by the loss or near loss of a trade secret at the hands of a departing or onboard employee or contractor. But waiting for such a crisis is not advisable. Gather data on losses suffered within your industry, supply chain, or customers. Talk to FBI corporate outreach contacts and ask for examples of economic espionage targeting your technologies. Talk to HR about where employees go when they depart and ask those employees’ former managers whether cumulative losses pose a concern.

Meet one-on-one with a senior thought leader in Legal, IT Risk, HR, Business Development, or Research and ask them to partner with you to assemble a team and form an Insider Threat program. Next, meet unilaterally with each proposed team member to brief them on the threat and risk to proprietary data and seek their support to more strongly defend the company. In some non-defense corporate cultures, using the phrase “Insider Threat” can still generate privacy, trust, and culture concerns. In one large company, a security leader’s proposal to discuss such a program was met with this question from the head of HR, “Do you not think we should trust our employees?” The security leader responded, “I do, and I think we should have mechanisms in place to defend our trust.” Meeting first with each partner will allow you to listen to their concerns. Limit the team to five or six decision-makers from key functions. When the team is assembled start asking the first of the Journalism 101 questions.

What?

Whether a newly appointed security leader or a seasoned veteran, the question at the heart of IP protection is, “What exactly are we protecting?” Responses provided by security and business leaders to this single question help measure the need for an Insider Threat initiative or the maturity of an existing program. Common responses from the security ranks include: “I’m protecting these buildings”, “I’m protecting this campus”, “I’m protecting people”. Even security professionals in large, sophisticated corporations frequently do not cite “ideas”, “research”, “technologies”, or “critical employees” when asked what they protect. Follow-up questions on which campuses, buildings, or people are more critical than others are sometimes met with silence or criticism that the question implies some employees are more important than others. One long-tenured security leader responded by displaying his daily automated reports advising him which doors, hallways, and offices were entered, but he could neither articulate which company functions occurred there nor how his data was relevant.

Importantly, your team should pose the “What” question to key business leaders including the CEO, General Counsel, CFO, Supply Chain leader, Research or Engineering executives, Business Development or Sales heads, and corporate audit manager. Provide context by framing the question as an attempt to identify the small subset of proprietary information that would most damage the company if it fell into the wrong hands. Various formulas and thresholds can be customized to help guide this discussion and quantify the degree of damage to finances, share price and reputational risk.

Where?

Security professionals can only truly protect that which they know is there. Once CBI is identified, the team must learn where it resides, in both physical and cyberspace. In large companies with thousands of employees and facilities, this question is more easily asked than answered. Yet, the answer is vital to learning how your CBI is exposed. One large company locating its CBI discovered a proprietary formula sitting in an open folder accessible by its entire employee population. Audit of the folder revealed that employees in high-risk nations had visited the folder without any valid reason.

When countering the insider threat, the physical and the cyber security of CBI must be viewed as one holistic endeavor. The behavior of data and the behavior of humans are inextricably linked and the partnership between IT Risk and Physical Security should be seamless. Once the team is aware that specific buildings, offices, or laboratories contain CBI, protocols and checklists for enhanced safeguarding can be drafted. This initiative counters more than just the internal threat. Upon learning the location of a sensitive manufacturing process, one company found the process was part of a public tour route.

Who?

The seemingly simple “Who” question can generate more consternation than the previous two questions combined, particularly from your partners in HR and Labor & Employment Law.  While answering the first two questions is often labor intensive, this last query raises issues of policy, organizational culture, and law. Companies may learn that some CBI is assigned to contractors, and the team must wrestle with the issue of whether people with less allegiance and more transient tenure, should be entrusted with the firm’s future. Yet, identifying employees who require access to CBI is easy compared to planning how to relate to them. This discussion should include standards for employees to receive and maintain CBI access; policies on travel and device security; enhanced computer monitoring; and, governance protocols for investigative response to suspicious conduct. Importantly, the approach to such vital and often singularly knowledgeable employees should be an inclusive one that views them as special stewards with more responsibility than the average employee.

If approached carelessly, insider threat plans can breed mistrust, alienate key employees, erode company culture, and even violate labor or privacy laws. But, a quality program can be a leader’s most important legacy, reaping tangible dividends in loss prevented, jobs saved, and relationships forged.

Originally posted in the Security Magazine https://www.securitymagazine.com/articles/88644-insider-threat-programs-a-beginners-guide