As COVID-19 continues to affect business travel operations globally, BCD Travel’s technology and security experts have been keeping close watch on malware, system viruses, fraudsters and opportunistic hackers looking to breach the travel management company’s cyber defenses.
BCD Travel’s Executive Vice President of Technology, Products & Innovation Russell Howell and Chief Information Security Officer Sherron Burgess explain how the travel management company safeguards BCD’s proprietary data and that of its clients.
With remote work now a reality for many, how important is data protection?
HOWELL: Data protection continues to be an important topic and continued area of focus at BCD Travel. Our customers expect that the data entrusted to us remains secure even in times of discontinuity. Travel managers should know that BCD’s commitment to data protection and security protocols is not just related to normal operation and is constantly being monitored and managed 24×7 globally. Our control environments, certification programs and security framework are still required, enforced and subject to external validation.
We’ve made strategic investments in our people, processes and technology that equip us to execute our business continuity plans and enable us to securely service our customers.
What kind of attacks is the team proactively working against?
BURGESS: Social engineering, where fraudsters use confidence schemes—even low-tech ones—to gain information, is a problem for all TMCs and corporate travel programs. We also constantly monitor against phishing and payroll-related schemes. Bad guys target travel because we have a lot of processes and our operations are complex. That’s why we are so dedicated to consistency and methodology. When you have a set way of doing things, it’s much easier to spot inconsistencies and outliers.
We talked about this earlier, but our proactive strategic investment in security awareness training and rapid phishing reporting and analysis tools enable us to stay on top of these types of events, alert our users and block any related attempts. Our users are on high alert, our teams are actively monitoring and response processes are on standby should any attempts occur.
How do you manage data security amid so much change?
BURGESS: We are strategic, consistent and methodical. We know our rationale—we understand why we’re taking action or making an investment.
What does being ‘strategic, consistent and methodical’ look like?
BURGESS: Our data security strategy follows four tenets: The first is prioritization, which means we invest resources in areas likely to have the greatest positive impact on our business direction and needs. We are data people, so we use a prioritization metric to calculate the potential impact. Second, we do the basics well. That means we approach policies, compliance, training and technological controls in a consistent way time after time.
Our third tenet is what we call ‘smart enhancement.’ We use findings from our regular and comprehensive audits to guide where we need to improve. Finally, our fourth tenet is to manage potential threats by focusing on governance, risk and compliance [GRC], a structured approach that aligns information technology with business goals to mitigate risk.
HOWELL: We use our four-tenet methodology to help customers assess their technology and data security priorities, too. When we see risks trending in particular markets, we share that information with clients and explain why they may want to beef up their protections.
So, BCD is well prepared to safeguard client data privacy interests?
BURGESS: Absolutely. BCD processes personal data in accordance with its Global Privacy Policy, available at https://www.bcdtravel.com/privacy-policy/. We take very seriously our responsibility to protect the client, traveler and employee data that we hold. We see to that protection through an interdisciplinary approach to data privacy that includes a global data protection officer, IT security specialists and legal and privacy experts.
How do ISO certifications and audits factor into your approach to data security?
HOWELL: We use independent auditors and assessors to validate that we are using best practices and continually improving. We meet ongoing standards. These are not point-in-time assessments.
What are some of BCD’s key audits and certifications?
BURGESS: ISO 27001:2013 Information Security Management System [ISMS] certification demonstrates that BCD follows information security best practices. Our data centers are ISO 9001:2015 and ISO 27001:2013 certified for security, redundancy and disaster recovery controls.
The SSAE18 SOC 1 Type 2 Audit primarily applies to our U.S. financial operations, but it covers information security as part of control activities.
Our Payment Card Industry Data Security Standard [PCI DSS] certificate validates that we have complied with requirements for protecting cardholder data and includes vulnerability scans of our networks. ISO 14001:2015 Environmental Management System [EMS] validates progress on our sustainability commitments.
ISO 9001:2015 Quality Management System [QMS] certifies that BCD has some of the highest-quality data in the industry. The certification covers bookings and reservations, as well as the customer data we collect, including from third parties. We have a proprietary, standalone Global Data Quality Tool that does a check on all data coming in before it goes to the database. If the data does not pass quality standards set by ourselves and our clients, it gets sent back to the data provider to correct. Our quality control ensures we input clean data so reliable reports come out the other side.
Check out BCD’s Travel Risk Survival Kit to learn more about cyber threats and how to safeguard your corporate travel program.