Organization and team
Corporate travel policy: beyond the 40-page document
Building a travel policy that is actually used, with protection level calibrated by destination.
Last reviewed:
This version was translated with AI assistance and reviewed by a human.
A multinational hands me its travel policy. 47 pages. Section 12.3: “Employees should avoid using unsecured Wi-Fi networks.” No definition of “unsecured.” No tool provided. No training attached. I ask the CISO what a salesperson does at 6 a.m. when a border officer takes their laptop. Silence. The document exists. So does the risk.
The usual trap
A travel policy that isn’t operational is compliance theater. It exists to answer “yes” to an auditor’s checklist line, not to change anything in the field. It protects the company in the laziest legal sense — “we had a policy” — and protects no one when it actually matters. The useful question isn’t “do you have a travel policy?” It’s “do your employees know what to do when their device is seized at the border at dawn, in a country whose language they don’t speak?” In nine companies out of ten, the answer is no. Including the ones with their 47 signed pages.
The dominant approach treats the policy as a deliverable. You write it, get legal to sign off, hand it out at onboarding, file it in the intranet, and tick the box. Nobody re-reads it. Nobody checks that it’s applicable. Nobody tests it. It ages untouched until the next audit, when you reopen it just to change the date.
This mechanism produces a document that describes an ideal world and ignores the real one. The employee lives in the real world. They have a flight to catch, a client meeting in twelve hours, a phone running hot, a corporate VPN that won’t connect from the hotel lobby, and no idea which number to call if something goes wrong. The document is useless to them. Worse: it gives them, and their management, the sense that protection exists. That’s the worst of both worlds — the cost of writing it, plus the uncovered risk, plus the false assurance.
Theatrical policy carries a hidden cost no one calculates: it discredits the entire security function. An employee who once read an inapplicable document learns that security, in this company, is paperwork. They carry that judgment over to the next instruction — which might be the one that actually counts.
Real threat model
Travel moves the employee outside your span of control and drops them into an environment where other actors hold home-field advantage. This isn’t abstract. The vectors are concrete, documented, and each maps to a specific phase of the trip.
The border. On entry to certain countries, an officer can demand to inspect, copy, or retain a device. In the United States, electronic device searches at the border require no warrant — a well-established constitutional exception. In other jurisdictions, refusing to unlock a device is a criminal offense punishable by prison. This is the border search, and it’s the first scenario a serious policy must cover, because it’s legal, frequent, and catches the employee off guard. Compelled disclosure of a password (a legal obligation to hand over credentials or decrypt a device, under penalty) puts the traveler in front of a choice no 47-page document prepared them to make.
The local network. Public Wi-Fi at an airport, a hotel, a conference center is hostile terrain by default. Interception, rogue access points, capture of cleartext traffic. In countries where the telecom operator is under state control, the infrastructure itself is the adversary. An IMSI catcher (a fake mobile base station that forces nearby phones to connect so their communications can be intercepted) in a trade-show hall isn’t a spy-movie fantasy — it’s off-the-shelf equipment.
The SIM and the phone. Buying a local SIM in an unfamiliar country means handing your number and your traffic to an operator you know nothing about. A SIM swap (an attacker convincing the carrier to port the number to a SIM they control) targeted at a traveling executive, hijacking their recovery SMS, is within reach of a motivated attacker. The phone left in the hotel room during a meeting is a phone you must treat as potentially compromised on return.
The room and the safe. A device left in a room isn’t secure, even in the safe. Staff have a master key. So do local services, in some contexts. The evil maid attack — physical tampering with a device during an absence — targets precisely the travelers who think locking the laptop away is enough.
The return. A device coming back from a sensitive zone can bring with it whatever it caught. An implant, a malicious configuration profile, an injected certificate. With no return procedure, that payload walks quietly into the corporate network, and the field incident becomes a corporate incident.
What makes these vectors dangerous isn’t their sophistication. It’s that they target an employee who is alone, tired, under time pressure, with no one to call. The threat exploits the traveler’s operational solitude. A policy that doesn’t reduce that solitude reduces no risk.
The right approach
The shift fits in one sentence: a travel policy that works fits on one postable A3 page, and it’s wired into the tools, not emailed once a year. Everything else follows from those two principles — concision and integration.
Three country tiers, not a fuzzy gradient
The first decision is to classify destinations into three tiers, and three only. Not a seven-level system no one remembers.
Tier 1 — Standard. Western Europe, North America, low-tension countries with solid rule of law. Normal residual risk. Baseline measures: encrypted device, hardware MFA (multi-factor authentication) on critical accounts, corporate VPN available, password manager. Nothing exceptional — it’s the hygiene these employees should already have at the office.
Tier 2 — Enhanced. Moderate-tension zones, or standard destinations with an exposed traveler: access to sensitive data (HR, finance, client files), media visibility, a sought-after role. Enhanced measures: a dedicated, limited-access travel device, a corporate eSIM (a reprogrammable embedded SIM that can hold several carrier profiles) rather than an unknown local SIM, mandatory pre-departure briefing, no connection to sensitive systems from hotel Wi-Fi.
Tier 3 — Maximum. High-surveillance countries, active M&A missions, ongoing litigation, exposed executives. A clean travel device — not the usual laptop stripped down, a device that has never held sensitive data. End-to-end encrypted communications (E2EE: only sender and recipient can read the content). No direct access to corporate systems; everything goes through a disposable intermediate environment. A documented seizure protocol, rehearsed before departure. A mandatory return procedure with device quarantine.
Country classification isn’t an opinion. It rests on stable sources — ANSSI recommendations, foreign-ministry travel advisories, feedback from your own travelers — and it’s reviewed twice a year. A country can change tier after an election, a crisis, or a legislative shift. The grid is alive.
The postable A3
The output of all this work isn’t a 47-page PDF. It’s one A3 page the traveler can post, photograph, or receive as a per-destination sheet. It holds four blocks: the destination tier, the equipment required for that tier, the departure checklist, and the return process. On the back, the essentials for emergencies: device seized, device stolen, suspected compromise, and a single number to call, available 24/7.
An employee who leaves with a one-page sheet titled “what you do if your laptop is seized in Tier 3” is better prepared than one who signed 47 pages on joining the company and never thought about them again. Concision isn’t a watering-down of the content. It’s the condition for the content to be read and retained.
Integration into the booking tools
The point that separates a living policy from a dead one: integration at the moment of booking. When an employee books a trip to a Tier 2 or Tier 3 destination, the booking system automatically triggers the right process — alert to security, generation of the destination sheet, request to IT for the travel device, scheduling of the pre-departure briefing. No one has to remember to start the procedure. The system starts it.
This is the exact inverse of the annual email. The email assumes the employee, at the right moment, months later, will recall an instruction and apply it unprompted. Integration assumes nothing. It acts at the trigger point — the booking — and places the right tool in the right traveler’s hands before departure.
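To show how the tier grid and the booking-time trigger described above fit together, here is an added Python example (not the article's code, nor any booking vendor's API). The country tiers, grid review date, traveler attributes and action names are constructed placeholders, and the escalation rules (exposed traveler raises to at least Tier 2; M&A or litigation missions and unknown destinations force Tier 3) are assumptions drawn from the tier descriptions.

```python
"""Booking-time hook for a three-tier travel policy.
Added example, not the article's code; grid, traveler attributes and
action names are constructed placeholders."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed tier grid (placeholder values, not a real classification).
COUNTRY_TIER = {"DE": 1, "US": 1, "FR": 1, "AE": 2, "CN": 3}
GRID_REVIEWED_ON = date(2024, 1, 15)   # last review of the grid (placeholder)
GRID_MAX_AGE = timedelta(days=183)     # the grid is reviewed twice a year


@dataclass
class Traveler:
    name: str
    exposed: bool = False  # sensitive-data access, media visibility, sought-after role


@dataclass
class Booking:
    ref: str
    traveler: Traveler
    country: str                 # ISO country code
    mission: str = "standard"    # "standard", "m&a" or "litigation"
    booked_on: date = GRID_REVIEWED_ON


def destination_tier(b: Booking) -> int:
    """Tier = country tier, raised by mission type or traveler exposure."""
    base = COUNTRY_TIER.get(b.country)
    if base is None or b.mission in ("m&a", "litigation"):
        return 3                  # unknown destination fails closed to maximum
    if b.traveler.exposed:
        return max(base, 2)       # exposed traveler: at least enhanced
    return base


def triggered_actions(b: Booking) -> tuple[int, list[str]]:
    """Workflow steps the booking system fires; nobody has to remember them."""
    tier = destination_tier(b)
    actions = ["generate_destination_sheet"]        # every trip gets the A3 sheet
    if tier >= 2:
        actions += ["alert_security", "request_travel_device",
                    "schedule_briefing", "book_return_inspection"]
    if tier == 3:
        actions += ["issue_clean_device", "rehearse_seizure_protocol",
                    "return_quarantine_and_debrief"]
    if b.booked_on - GRID_REVIEWED_ON > GRID_MAX_AGE:
        actions.append("flag_grid_review_overdue")  # a frozen grid is a listed mistake
    return tier, actions


def preparation_rate(bookings: list[Booking], briefed: set[str]) -> float:
    """Share of Tier 2/3 trips with a completed briefing (quarterly metric)."""
    due = [b.ref for b in bookings if destination_tier(b) >= 2]
    if not due:
        return 1.0
    return sum(1 for ref in due if ref in briefed) / len(due)
```

In a real deployment the action names would map onto tickets in the IT, security and travel-procurement systems, and the grid would be loaded from the reviewed classification rather than a literal.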
The kit provided, not described
A policy that requires an encrypted device without providing it transfers the burden onto the employee, who has neither the budget nor the mandate. The rule is simple: if a tool is needed to apply the policy, the company provides it. Travel device, corporate eSIM, password manager, a charge-only cable with no data transfer for unknown charging points, and for Tier 3, an emergency communication device configured before departure.
Escalation and return, the two links everyone forgets
The employee must be able to reach someone competent at any hour. A field incident never happens during headquarters business hours. A helpdesk number that closes at 6 p.m. protects no one in Singapore. The person on the line must be able to decide — revoke an access, trigger a remote wipe, activate the crisis cell. If IT can’t provide that availability in-house, a 24/7 incident response provider can.
The return isn’t optional for Tiers 2 and 3. The device goes back to IT for inspection — systematically, not “if you think there’s a problem.” The employee reports any attempted incident, including the ones that came to nothing. For Tier 3, the device stays in quarantine pending examination, and the traveler goes through a debrief. This is the link that turns a potential field incident into a non-event, before it enters the network.
What this means concretely
Reading angle
For you, as a person
You’re the employee on the receiving end of the travel policy. You want to leave with your personal laptop, your personal phone, and work in peace from the Marriott. The policy asks the opposite, and you experience it as punishment. Let’s look at what it actually asks, and why it isn’t a slap on the wrist.
It asks you to travel with a provided device rather than your own. Not to keep tabs on you. Because if your personal laptop is seized at the border or compromised on the hotel Wi-Fi, your entire life goes with it — your photos, your bank accounts, your personal email, not just the client file. The travel device protects you as much as it protects the company.
It asks you not to connect to sensitive systems from the hotel network. Because that network isn’t yours, and you have no way of knowing who’s listening. Use the connection provided, the eSIM, the tunnel handed to you. It’s slower sometimes. It’s also what keeps anyone from reading over your shoulder.
It asks you to report any incident on return, even the one that “came to nothing.” Not to blame you. Because a device that spent a week in a risk zone can bring something back without you seeing it, and a fifteen-minute check keeps you from being, unknowingly, the front door to an incident.
The policy isn’t there to make your trip harder. It’s there so that, on return, the only thing you remember of it is the jet lag.
For you, CISO / CIO / executive
The shift from theatrical policy to operational policy changes your framing on five points. None is an implementation detail — each moves a governance decision.
1. The policy is a product, not a document. You stop measuring success by the quality of the writing or the thickness of the deliverable. You measure it by usage: rate of briefings completed before departure, rate of returned devices put through inspection, response time on the emergency number. A product has usage metrics. A document has none. Direct consequence: these metrics belong in the quarterly security reporting, alongside open vulnerabilities. What isn’t measured isn’t applied.
2. NIS 2 (EU Directive 2022/2555, which extends cybersecurity obligations to essential and important entities) compliance demands risk management, not a binder. The directive requires essential and important entities to run cybersecurity risk management covering operational security, which mobility is part of. An unapplied travel policy is an untreated risk, and the management body’s accountability is now explicit and personal. Direct consequence: the travel policy enters the scope of documented, auditable risk management, not a forgotten HR folder. Leadership signs off on the accepted risk level per tier.
3. Tool integration is an architecture decision, not a comfort option. Wiring the procedure trigger into the booking system requires work across IT, travel procurement, and security. It’s the most structural and the most neglected point. Without it, you fall back to the annual email. Direct consequence: scope this work as an integration project, with a budget and an owner, not as a procedure update. The return on investment is measured in incidents that didn’t happen.
4. The employer’s duty of care is engaged, civilly and criminally. Sending an employee into a Tier 3 zone without preparation, without tools, without an emergency procedure, exposes the employer. In case of an incident — seizure, compromise, physical harm — the judge’s or insurer’s question won’t be “did you have a policy?” but “did your employees have the means to apply it?” An un-equipped document is unenforceable. Direct consequence: the traceability of preparation (dated briefing, kit issued, sheet delivered) becomes a piece of legal protection, to be retained. It protects the company and the executive personally.
5. Sensitive-data governance doesn’t stop at the IT perimeter. DLP, CASB and SIEM protect the organization inside the perimeter. They don’t cover the head of legal alone in a Shanghai hotel room. Protecting exposed roles in transit is a distinct stream, with its own measures and its own owner. Direct consequence: budget a “sensitive traveler protection” line in the security plan, separate from generic IS security.
For you, as an executive
The travel policy is not a technical document to delegate to the CISO and forget. It’s a trade-off, and a trade-off is an executive decision. On one side, the friction you impose on your teams: dedicated devices, briefings, return checks, slowdowns. On the other, the risk you accept in exchange. No one but you can set the cursor between the two, because no one but you answers for the business.
Three questions settle this file, and they’re yours.
How many country levels do we distinguish? One level, and you over-constrain the salesperson going to Munich while under-protecting the lawyer headed to Shenzhen for due diligence. Too many levels, and no one remembers them. The right number is usually three. But you’re the one who signs off on where the line falls between “standard” and “enhanced.”
Who decides a trip is high-risk? If it’s the employee, at the moment of booking, you don’t have a policy, you have a wish. The decision must fire automatically, on the destination, without depending on the memory or goodwill of whoever’s leaving.
Who pays for the dedicated kit? If the answer is “the employee sorts it out,” your policy is dead before it exists. A travel device costs a few hundred euros. A file that leaks mid-negotiation costs the negotiation. That budget call is yours too.
Your CISO can write the policy, maintain it, measure it. He cannot decide, in your place, the level of friction acceptable to the business. That’s the part you don’t delegate.
Mistakes we see all the time
- The uniform policy. The same rule for the salesperson at a Munich trade show and the lawyer doing due diligence in Shenzhen. It over-constrains one, under-protects the other, and is followed by no one because it matches no reality.
- The “what” without the “how.” “Use a VPN on public networks.” Which one? How do you turn it on? What do you do if it’s blocked, as in most setups in China? Obligation without the means produces non-compliance, not security.
- The annual email. An instruction sent once a year isn’t a policy, it’s a reminder no one re-reads at the moment they’d need it — months later, at 11 p.m., in a foreign airport.
- The business-hours emergency number. A helpdesk that closes at 6 p.m. Paris time while the employee is in crisis in Tokyo isn’t escalation. It’s an absence of escalation dressed up as a procedure.
- The ignored return. You brief at departure and forget the return. The device coming back from a sensitive zone re-enters the network unchecked, and the field incident becomes a corporate incident, sometimes weeks later.
- The kit described but not provided. Requiring an encrypted travel device without supplying it means asking the employee to buy and configure a tool they don’t master. The result: they leave with their usual laptop, unprepared.
- The frozen tier grid. A country classification set once and never reviewed becomes wrong at the first geopolitical shift. A Tier 1 country can flip to Tier 3 after a crisis.
Actionable checklist
- N1 Classify destinations into three tiers (standard / enhanced / maximum), no more
- N1 Cut the policy down to one postable A3 page: tier, equipment, departure, return
- N1 Provide the kit per tier (travel device, eSIM, password manager, charge-only cable)
- N2 Set up an emergency number reachable 24/7 by someone able to decide
- N2 Require a dated pre-departure briefing for every Tier 2 and Tier 3 trip
- N2 Make device inspection on return mandatory for Tiers 2 and 3
- N2 Document the border seizure protocol and rehearse it before Tier 3 missions
- N3 Wire the procedure trigger into the travel booking system
- N3 Measure the Tier 2/3 preparation rate and include it in quarterly security reporting
- N3 Have the management body sign off on the accepted risk level per tier (NIS 2)
- N3 Review the country classification grid twice a year
- N3 Run a field-incident dry run once a year and measure the actual response time
Further reading
ANSSI’s recommendations on digital security during mobility give the technical baseline for the per-tier kit. IATA’s work on business-travel security rounds out the logistical and geographic side. For the management body’s accountability and the scope of risk management, the NIS 2 directive (EU 2022/2555) is the reference to put in legal’s hands.
On the field side, three articles in the manual extend this one directly. Pre-departure preparation details the operational content of the briefing and the destination sheet. Field incident response covers what happens when escalation actually fires. And The exposed executive addresses the Tier 3 profile par excellence — the one whose trip is worth a complete dossier to anyone who knows how to watch.
Sources and further reading
- ANSSI — Digital security during mobility [official]
- IATA — Corporate Travel Security [official]