#he could do so much good in developing cybersecurity. internationally.
deargravity · 6 months ago
one of the many things that bothers me about goku luck is the fact that they have kenta (a minor) in a penitentiary full of adult convicts. where was the juvenile welfare officer and why are they not doing their job. hope they’re fired
nedsvallesny · 6 years ago
Supply Chain Security 101: An Expert’s View
Earlier this month I spoke at a cybersecurity conference in Albany, N.Y. alongside Tony Sager, senior vice president and chief evangelist at the Center for Internet Security and a former bug hunter at the U.S. National Security Agency. We talked at length about many issues, including supply chain security, and I asked Sager whether he’d heard anything about rumors that Supermicro — a high tech firm in San Jose, Calif. — had allegedly inserted hardware backdoors in technology sold to a number of American companies.
The event Sager and I spoke at was prior to the publication of Bloomberg Businessweek‘s controversial story alleging that Supermicro had duped almost 30 companies into buying backdoored hardware. Sager said he hadn’t heard anything about Supermicro specifically, but we chatted at length about the challenges of policing the technology supply chain.
Below are some excerpts from our conversation. I learned quite a bit, and I hope you will, too.
Brian Krebs (BK): Do you think Uncle Sam spends enough time focusing on the supply chain security problem? It seems like a pretty big threat, but also one that is really hard to counter.
Tony Sager (TS): The federal government has been worrying about this kind of problem for decades. In the 70s and 80s, the government was more dominant in the technology industry and didn’t have this massive internationalization of the technology supply chain.
But even then there were people who saw where this was all going, and there were some pretty big government programs to look into it.
BK: Right, the Trusted Foundry program I guess is a good example.
TS: Exactly. That was an attempt to help support a U.S.-based technology industry so that we had an indigenous place to work with, and where we have only cleared people and total control over the processes and parts.
BK: Why do you think more companies aren’t insisting on producing stuff through code and hardware foundries here in the U.S.?
TS: Like a lot of things in security, the economics always win. And eventually the cost differential for offshoring parts and labor overwhelmed attempts at managing that challenge.
BK: But certainly there are some areas of computer hardware and network design where you absolutely must have far greater integrity assurance?
TS: Right, and this is how they approach things at Sandia National Laboratories [one of three national nuclear security research and development laboratories]. One of the things they’ve looked at is this whole business of whether someone might sneak something into the design of a nuclear weapon.
The basic design principle has been to assume that one person in the process may have been subverted somehow, and the whole design philosophy is built around making sure that no one person gets to sign off on what goes into a particular process, and that there is never unobserved control over any one aspect of the system. So, there are a lot of technical and procedural controls there.
But the bottom line is that doing this is really much harder [for non-nuclear electronic components] because of all the offshoring now of electronic parts, as well as the software that runs on top of that hardware.
BK: So is the government basically only interested in supply chain security so long as it affects stuff they want to buy and use?
TS: The government still has regular meetings on supply chain risk management, but there are no easy answers to this problem. The technical ability to detect something wrong has been outpaced by the ability to do something about it.
BK: Wait…what?
TS: Suppose a nation state dominates a piece of technology and in theory could plant something inside of it. The attacker in this case has a risk model, too. Yes, he could put something in the circuitry or design, but his risk of exposure also goes up.
Could I as an attacker control components that go into certain designs or products? Sure, but it’s often not very clear what the target is for that product, or how you will guarantee it gets used by your target. And there are still a limited set of bad guys who can pull that stuff off. In the past, it’s been much more lucrative for the attacker to attack the supply chain on the distribution side, to go after targeted machines in targeted markets to lessen the exposure of this activity.
BK: So targeting your attack becomes problematic if you’re not really limiting the scope of targets that get hit with compromised hardware.
TS: Yes, you can put something into everything, but all of a sudden you have this massive big data collection problem on the back end where you as the attacker have created a different kind of analysis problem. Of course, some nations have more capability than others to sift through huge amounts of data they’re collecting.
BK: Can you talk about some of the things the government has typically done to figure out whether a given technology supplier might be trying to slip in a few compromised devices among an order of many?
TS: There’s this concept of the “blind buy,” where if you think the threat vector is someone gets into my supply chain and subverts the security of individual machines or groups of machines, the government figures out a way to purchase specific systems so that no one can target them. In other words, the seller doesn’t know it’s the government who’s buying it. This is a pretty standard technique to get past this, but it’s an ongoing cat and mouse game to be sure.
BK: I know you said before this interview that you weren’t prepared to comment on the specific claims in the recent Bloomberg article, but it does seem that supply chain attacks targeting cloud providers could be very attractive for an attacker. Can you talk about how the big cloud providers could mitigate the threat of incorporating factory-compromised hardware into their operations?
TS: It’s certainly a natural place to attack, but it’s also a complicated place to attack — particularly the very nature of the cloud, which is many tenants on one machine. If you’re attacking a target with on-premise technology, that’s pretty simple. But the purpose of the cloud is to abstract machines and make more efficient use of the same resources, so that there could be many users on a given machine. So how do you target that in a supply chain attack?
BK: Is there anything about the way these cloud-based companies operate….maybe just sheer scale…that makes them perhaps uniquely more resilient to supply chain attacks vis-a-vis companies in other industries?
TS: That’s a great question. The counter positive trend is that in order to get the kind of speed and scale that the Googles and Amazons and Microsofts of the world want and need, these companies are far less inclined now to just take off-the-shelf hardware and they’re actually now more inclined to build their own.
BK: Can you give some examples?
TS: There’s a fair amount of discussion among these cloud providers about commonalities — what parts of design could they cooperate on so there’s a marketplace for all of them to draw upon. And so we’re starting to see a real shift from off-the-shelf components to things that the service provider is either designing or pretty closely involved in the design, and so they can also build in security controls for that hardware. Now, if you’re counting on people to exactly implement designs, you have a different problem. But these are really complex technologies, so it’s non-trivial to insert backdoors. It gets harder and harder to hide those kinds of things.
BK: That’s interesting, given how much each of us have tied up in various cloud platforms. Are there other examples of how the cloud providers can make it harder for attackers who might seek to subvert their services through supply chain shenanigans?
TS: One factor is they’re rolling this technology out fairly regularly, and on top of that the shelf life of technology for these cloud providers is now a very small number of years. They all want faster, more efficient, powerful hardware, and a dynamic environment is much harder to attack. This actually turns out to be a very expensive problem for the attacker because it might have taken them a year to get that foothold, but in a lot of cases the short shelf life of this technology [with the cloud providers] is really raising the costs for the attackers.
When I looked at what Amazon and Google and Microsoft are pushing for it’s really a lot of horsepower going into the architecture and designs that support that service model, including the building in of more and more security right up front. Yes, they’re still making lots of use of non-U.S. made parts, but they’re really aware of that when they do. That doesn’t mean these kinds of supply chain attacks are impossible to pull off, but by the same token they don’t get easier with time.
BK: It seems to me that the majority of the government’s efforts to help secure the tech supply chain come in the form of looking for counterfeit products that might somehow wind up in tanks and ships and planes and cause problems there — as opposed to using that microscope to look at commercial technology. Do you think that’s accurate?
TS: I think that’s a fair characterization. It’s a logistical issue. This problem of counterfeits is a related problem. Transparency is one general design philosophy. Another is accountability and traceability back to a source. There’s this buzzphrase that if you can’t build in security then build in accountability. Basically the notion there was you often can’t build in the best or perfect security, but if you can build in accountability and traceability, that’s a pretty powerful deterrent as well as a necessary aid.
BK: For example….?
TS: Well, there’s this emphasis on high quality and unchangeable logging. If you can build strong accountability that if something goes wrong I can trace it back to who caused that, I can trace it back far enough to make the problem more technically difficult for the attacker. Once I know I can trace back the construction of a computer board to a certain place, you’ve built a different kind of security challenge for the attacker. So the notion there is while you may not be able to prevent every attack, this causes the attacker different kinds of difficulties, which is good news for the defense.
BK: So is supply chain security more of a physical security or cybersecurity problem?
TS: We like to think of this as we’re fighting in cyber all the time, but often that’s not true. If you can force attackers to subvert your supply chain, then you first off take away the mid-level criminal elements and you force the attackers to do things that are outside the cyber domain, such as set up front companies, bribe humans, etc. And in those domains — particularly the human dimension — we have other mechanisms that are detectors of activity there.
BK: What role does network monitoring play here? I’m hearing a lot right now from tech experts who say organizations should be able to detect supply chain compromises because at some point they should be able to see truckloads of data leaving their networks if they’re doing network monitoring right. What do you think about the role of effective network monitoring in fighting potential supply chain attacks?
TS: I’m not so optimistic about that. It’s too easy to hide. Monitoring is about finding anomalies, either in the volume or type of traffic you’d expect to see. It’s a hard problem category. For the US government, with perimeter monitoring there’s always a trade off in the ability to monitor traffic and the natural movement of the entire Internet towards encryption by default. So a lot of things we don’t get to touch because of tunneling and encryption, and the Department of Defense in particular has really struggled with this.
Now obviously what you can do is man-in-the-middle traffic with proxies and inspect everything there, and the perimeter of the network is ideally where you’d like to do that, but the speed and volume of the traffic is often just too great.
BK: Isn’t the government already doing this with the “trusted internet connections” or Einstein program, where they consolidate all this traffic at the gateways and try to inspect what’s going in and out?
TS: Yes, so they’re creating a highest volume, highest speed problem. To monitor that and to not interrupt traffic you have to have bleeding edge technology to do that, and then handle a ton of it which is already encrypted. If you’re going to try to proxy that, break it out, do the inspection and then re-encrypt the data, a lot of times that’s hard to keep up with technically and speed-wise.
BK: Does that mean it’s a waste of time to do this monitoring at the perimeter?
TS: No. The initial foothold by the attacker could have easily been via a legitimate tunnel and someone took over an account inside the enterprise. The real meaning of a particular stream of packets coming through the perimeter you may not know until that thing gets through and executes. So you can’t solve every problem at the perimeter. Some things only become obvious and make sense to catch them when they open up at the desktop.
BK: Do you see any parallels between the challenges of securing the supply chain and the challenges of getting companies to secure Internet of Things (IoT) devices so that they don’t continue to become a national security threat for just about any critical infrastructure, such as with DDoS attacks like we’ve seen over the past few years?
TS: Absolutely, and again the economics of security are so compelling. With IoT we have the cheapest possible parts, devices with a relatively short life span and it’s interesting to hear people talking about regulation around IoT. But a lot of the discussion I’ve heard recently does not revolve around top-down solutions but more like how do we learn from places like the Food and Drug Administration about certification of medical devices. In other words, are there known characteristics that we would like to see these devices put through before they become in some generic sense safe.
BK: How much of addressing the IoT and supply chain problems is about being able to look at the code that powers the hardware and finding the vulnerabilities there? Where does accountability come in?
TS: I used to look at other peoples’ software for a living and find zero-day bugs. What I realized was that our ability to find things as human beings with limited technology was never going to solve the problem. The deterrent effect that people believed someone was inspecting their software usually got more positive results than the actual looking. If they were going to make a mistake – deliberately or otherwise — they would have to work hard at it and if there was some method of transparency, us finding the one or two and making a big deal of it when we did was often enough of a deterrent.
BK: Sounds like an approach that would work well to help us feel better about the security and code inside of these election machines that have become the subject of so much intense scrutiny of late.
TS: We’re definitely going through this now in thinking about the election devices. We’re kind of going through this classic argument where hackers are carrying the noble flag of truth and vendors are hunkering down on liability. So some of the vendors seem willing to do something different, but at the same time they’re kind of trapped now by the good intentions of open vulnerability community.
The question is, how do we bring some level of transparency to the process, but probably short of vendors exposing their trade secrets and the code to the world? What is it that they can demonstrate in terms of cost effectiveness of development practices to scrub out some of the problems before they get out there. This is important, because elections need one outcome: Public confidence in the outcome. And of course, one way to do that is through greater transparency.
BK: What, if anything, are the takeaways for the average user here? With the proliferation of IoT devices in consumer homes, is there any hope that we’ll see more tools that help people gain more control over how these systems are behaving on the local network?
TS: Most of [the supply chain problem] is outside the individual’s ability to do anything about, and beyond ability of small businesses to grapple with this. It’s in fact outside of the autonomy of the average company to figure it out. We do need more national focus on the problem.
It’s now almost impossible for consumers to buy electronics stuff that isn’t Internet-connected. The chipsets are so cheap and the ability for every device to have its own Wi-Fi chip built in means that [manufacturers] are adding them whether it makes sense to or not. I think we’ll see more security coming into the marketplace to manage devices. So for example you might define rules that say appliances can talk to the manufacturer only.
We’re going to see more easy-to-use tools available to consumers to help manage all these devices. We’re starting to see the fight for dominance in this space already at the home gateway and network management level. As these devices get more numerous and complicated, there will be more consumer oriented ways to manage them. Some of the broadband providers already offer services that will tell what devices are operating in your home and let users control when those various devices are allowed to talk to the Internet.
Since Bloomberg’s story broke, the U.S. Department of Homeland Security and the National Cyber Security Centre, a unit of Britain’s eavesdropping agency, GCHQ, both came out with statements saying they had no reason to doubt vehement denials by Amazon and Apple that they were affected by any incidents involving Supermicro’s supply chain security. Apple also penned a strongly-worded letter to lawmakers denying claims in the story.
Meanwhile, Bloomberg reporters published a follow-up story citing new, on-the-record evidence to back up claims made in their original story.
from Technology News https://krebsonsecurity.com/2018/10/supply-chain-security-101-an-experts-view/
itsnelkabelka · 7 years ago
Speech: 'Technology has enabled young people to grasp the global world'
Good morning and Namaskar from me as well.
I was just listening very carefully – when you sit on a platform it’s always good to know what you have in common. Yes we have in common by the fact that we are all on the same platform. But with certain speakers, with one I share a similar country of origin, which is India – the country of my parents, which of course I share with Minister Ravi Prasad. I share the same continent with another speaker. And indeed in the announcements I’m sure you’ve heard, I share the same first name with another – and that was put there just to confuse people.
But I hope through our dialogue this morning and during the course of the next two days, not only are we here to listen but we are here to learn from each other. I was listening very carefully to what Minister Prasad was saying and before that Prime Minister Modi. And it’s perhaps entirely appropriate that we find ourselves here, as we’ve heard already the largest democracy in the world, India.
But it also gives me particular pride to represent the oldest democracy in the world, the United Kingdom. And when we look back at the history of this conference, again it’s a recent history, but back in 2011 this conference took its roots, its origin, in London.
But here in India it is entirely appropriate that we meet. Why? To take up those four mantra that the minister talked about:
aspiration
delivery
accountability
engagement
This morning I’m sure as we saw the prizes being given out by the Prime Minister, we’ve aspired I know, I turned around to a fellow Minister, the minister from South Korea, and I whispered to him ‘My God, they’re getting younger every time they go up on the stage’. And that reflects what technology does. It is an enabler of the most incredible kind.
And right here when we see the bold ambitions of ‘Digital India’ – we see economic growth, we see financial inclusion. And of course the world breaking uptake of Jan Dhan bank accounts, which over time will help formalise a huge swathe of its economy. India – I’m sure we all not just acknowledge, but celebrate – has kick-started a digital and societal revolution through its ID, personal finance and technology infrastructure.
And as I said already, as we come here today and tomorrow this conference is about sharing ideas. It’s about how we stimulate global economies with new technologies and how we share the lessons that we have all learned. And in this regard I want to talk briefly about what we are doing in the United Kingdom.
The task of growing and protecting our digital economy and our digital infrastructure is something that we in the UK have made a priority. Indeed we are already seeing the fruits of that decision.
In the UK our own Silicon Valley has blossomed, around typically in a London way, a traffic interchange in London.
Tech City, as it is known affectionately – and with true British understatement - as Silicon Roundabout, is the heart of the technology start-up revolution that has spread right across the country.
London remains the tech start-up capital of Europe. It is attracting more investment in the first half of this year than any other European city.
The sector encompasses pioneering start-ups with a global profile, and small online businesses set up on dining room tables right across the country.
And as we’ve heard already, that is the incredible nature of cyberspace, of technology. Gone are the days of bricks and mortar – gone are the days when people needed to be in industry, in a particular sector for many years. Technology as an enabler has enabled young people to grasp the global world and the global opportunities it presents. Taken together, it is transforming everything we do: from the way we eat, to the way we shop, to the way we bank. Indeed the way we educate our children.
As a father of three myself, it’s incredible when I see my three year old pick up an iPad and negotiate his way – and somewhat embarrassingly I have to admit – at times he does it more efficiently and effectively than I can do so myself. But that just shows how technology is an enabler in the field of education. And altogether when you look at the UK economy, they represent seven percent of our economy, with the tech sector growing nearly three times faster than the rest of the economy in 2015.
Let’s look to the retail market. Four in five people in the UK bought something online last year. That’s more than any other country in the world – and technology has helped to create three and a half million new jobs in the UK over the past 15 years.
Earlier this year, we launched a Digital Strategy which aims to make the UK the best place to start and grow a digital business. It also aims to ensure that our digital economy works for everyone.
That strategy, ladies and gentlemen, addresses all the factors that could stimulate or constrain our digital economy. There are opportunities but there are also challenges which lie ahead for all of us.
A successful digital economy needs the right digital infrastructure. It needs people with the right skills and know-how.
And in the UK we are accelerating the development and uptake of full fibre broadband and now, as we know, 5G. We are creating digital skills partnerships between tech companies, businesses, and - importantly - voluntary organisations as well, to make sure people have the skills to participate and succeed in the digital economy. We are investing in a private-sector led productivity council that will help traditional businesses also embrace technology.
Yes, I acknowledge here we are in India, and as compared to India we in the UK may not have numbers to achieve the scale of the aadhaar system. But we do want the UK to be a world leader in digital government to make public services more effective - raising standards and lowering costs for taxpayers as we do so.
This is why we are sharing the source code and implementation techniques of our own government platforms internationally to help other governments launch their own digital programmes with less risk.
However, with those opportunities are the challenges. Perhaps the challenges as a speaker, beyond the loud air-conditioning systems that we sometimes have to deal with as we are this morning. The advantages of doing both public and private sector business online will not be fully realised if our digital assets are vulnerable to hackers, vulnerable to criminals, vulnerable to hostile governments.
Securing the infrastructure, devices and software - the working tools of a vibrant digital economy - is critical. If users and businesses cannot trust the online world, they will not fully embrace its potential. And the biggest losers will be our growth figures and the livelihoods of our people.
On one level, this means ensuring that online services that we use are safe and secure. People and their data need to be properly protected so that they can communicate privately, spend money online with confidence, and know their intellectual property is safe.
This, ladies and gentlemen, places an onus on all of us to build economies able to withstand the sort of crude attacks that have become a daily occurrence. Whether it is protecting ourselves from online fraud or identity theft, the role of governments is to foster an environment where businesses and citizens have the tools and the knowledge to provide secure online services, and make secure online choices.
As governments we must also, importantly, lead by example in protecting the critical assets that could be the subject of attack, and by working within international frameworks to deter and pursue those who threaten us online.
What we have learnt about cyber attacks in the UK, whether from organised criminals, sophisticated state actors, or indeed teenage hackers, is that the vast majority of successful attacks were entirely preventable through basic protective measures. Including this year’s global WannaCry ransomware attack, which affected, yes, the United Kingdom, but it affected India, indeed it affected nearly every country represented at this conference in this room here this morning.
And that is why the UK is investing nearly £2 billion over five years to transform cybersecurity and make the UK the safest place in the world to live and do business online.
We are looking at how to ensure internet-connected consumer products are ‘secure by default’, so that devices are developed with security built-in from the start.
We are also investing more money into training and addressing the systemic challenges of developing the next generation of cybersecurity specialists.
And we also hope that many will end up working at our flagship centre, the National Cyber Security Centre in London. As the UK’s National Technical Authority, it not only manages all our national cybersecurity incidents, but it also carries out real-time threat analysis, and gives expert advice to businesses.
We must also be realistic about how much individuals and companies can do to protect themselves from online attacks. We should expect them to get the basics in place, and that is why much of our guidance focuses on exactly that; but government is in a unique position to do more. One common complaint is that governments tell industry they are not doing enough on cyber security without understanding costs.
We have responded to this charge by working directly with industry to reduce costs – an example being using technology to detect and filter out more of those crude high volume attacks that hit the UK.
One example of this is piloting DMARC - an email authentication system that in its first year has blocked over 300 million fraudulent emails falsely claiming to be from government.
Now, instead of having to warn the public not to open dodgy emails, we are preventing those emails from arriving in the first place.
And also, it is important to create a trusted digital environment that drives growth and is more than just about technical security. Disregarding privacy and freedoms will not win the consent and support of our citizens.
Their trust can only be won, and must be won, with transparency and respect for freedoms and fundamental rights - such as the right to freedom of expression that we are all committed to internationally. These rights must be protected online as they are offline.
At the first of these conferences, as I said, in 2011, our then Foreign Secretary, now Lord William Hague, set out seven principles to encourage effective cooperation between governments, businesses and organisations.
These included the need for users to show tolerance and respect for diversity of language, culture and ideas – perhaps no more poignant than right here in India – and also the need to keep cyberspace open to the free flow of information and expression. These principles are every bit as relevant today as they were then in 2011.
And to this end, the UK is working on developing a Digital Charter, with the aim of agreeing how our people and businesses should behave online in order to create an environment for societies and economies to flourish.
I think we all recognise the potential of the internet to transform opportunities for people right across the globe. We saw that in this hall this morning. Secure digital technologies can revolutionise the lives of the poor as we heard from Minister Prasad, unlock development and prosperity, and accelerate progress towards the global goals for sustainable development.
And that is why the UK is investing millions in capacity building projects worldwide that combine inclusive internet access with cyber security policy and skills.
And to date the UK has funded projects in over fifty countries - from helping develop national cyber security strategies in Sri Lanka and providing tailored training on cyber crime investigations in Nigeria.
We have been working with many of you in this room, not least through the global forum for cyber expertise. And I have been pleased and impressed to see the incredible energy and ideas that have gone into forging a new global agenda for cyber security capacity building.
To conclude, if I may, ladies and gentlemen, one clear lesson I have learned from our work at home and abroad is that everyone has a role to play. Everyone has a role to play in sustaining a free, open, peaceful and secure cyberspace. And also that governments cannot do this alone – and nor should anyone want us to.
This is about partnership. It is about collaborative working. And we can all help to roll the pitch, but as we all know, the game will only be won through teamwork - involving businesses, civil society, and citizens. Only through that partnership can we create the right level of ambition, creativity and potential.
Your security, our collective security: it is our security. Your prosperity, our collective prosperity: it is our prosperity. Let us all work together to harness technology and build a future that works for everyone.
I am reminded in closing of the famous words of Mahatma Mohandas Gandhi, who said we must become the change we wish to see. Let’s become that change in cyberspace.
Thank you.
from Announcements on GOV.UK http://ift.tt/2jOeir0 via IFTTT
deniscollins · 8 years ago
Competition in Job Market Lets Professionals Set Their Travel Terms
If you managed a company and employees traveled often, would you hire an outside travel agency to book flights at the cheapest cost to the firm, or let employees book their own flights and let them book higher-cost flights that are more convenient to them? Why? What are the ethics underlying your decision?
With the unemployment rate low and competition for top talent rising, travel perks are increasingly coming into play as a bargaining chip in recruitment.
One of those who benefited was Eleanor Lacey, a Silicon Valley lawyer, who said she had initially dismissed a job offer from a cybersecurity company because the position involved frequent travel, nearly all of it overseas.
“I was very secure and happy in my current job, and so I didn’t need the job,” she said.
But other benefits were appealing, like a schedule that would let her be home with her family in the evenings. So Ms. Lacey employed a tactic human resources and executive compensation experts say they see more frequently today.
“As a general counsel, I see C.E.O. agreements all the time. A few years ago, I realized it’s not unusual for C.E.O. or other C-level to negotiate their travel,” she said. “I felt like I could do a real negotiation.”
Ms. Lacey said she asked to choose flights based on the airline’s safety record rather than making price the sole determinant, and for weekends to remain travel free whenever possible so she could spend more time with her family.
When the company agreed to her terms, she took the job.
According to the Society for Human Resource Management, 17 percent of American companies in 2016 offered first-class or business-class flights for employees traveling internationally, up four percentage points from five years earlier. The number offering the same for domestic travel grew by two percentage points over that same period.
“I do think companies are aware that the best workers are more in the driver’s seat,” said John Challenger, chief executive of Challenger, Gray & Christmas, an executive outplacement firm. “Companies know that if they lose someone they value, it’s harder to go out and replace skilled workers in a low-unemployment environment.”
Greeley Koch, executive director of the Association of Corporate Travel Executives, said nearly half of corporate travel managers in a recent survey said they had fielded employee inquiries about managing work-life balance in regard to travel.
“If a company’s going out to recruit people, some of those people are asking about travel policies,” he said.
Industries where competition for talented employees is fiercest, like technology and financial services, are most likely to be flexible with travel perks to attract and keep the best workers.
As a result, Mr. Koch said, “One thing we’re starting to see is that not all travelers and not all trips are being treated the same.” In one case, he said, a company measured a travel manager’s performance on travelers’ satisfaction rather than on cost savings.
In-demand professionals say they have asked to fly nonstop rather than be forced onto cheaper connecting flights, or stipulated which airlines they will and will not use.
Making business travel a little more pleasant is a tactic companies are using for retention as well as recruitment.
“Travel is one of those sorts of things that makes life hard for people who are on the road all the time,” Mr. Challenger said. “So looking for ways to make that experience easier is something companies are doing to make it more palatable.”
Lacey Van Luven, a consultant at American Express Global Business Travel, said, “About 20 percent of the inquiries I received in the last six months alone were related to senior executive or frequent traveler perks.”
“We focus on the road warriors,” she said. “These are typically the high performers for their companies, willing to look at a better job.”
A report issued jointly last year by the Airlines Reporting Corporation, American Express Global Business Travel and the travel consulting firm tClara found that roughly four-fifths of more than 750 business travelers surveyed would be interested in working for another employer — and traveling just as much — if the travel policy was attractive. Nearly as many said a prospective new employer’s travel policy was as important as or more important than pay and responsibilities.
Companies are eager to keep these workers happy. So paying extra for business-class seats might be the more economical choice, as research has found that the cost of replacing top-level executives can total more than 200 percent of their annual salaries.
“What I’m seeing is many of these clients are willing to loosen up the purse strings a little bit at first just to see if it’s going to facilitate traveler buy-in,” Ms. Van Luven said.
“The cheapest choice is not always the most efficient choice, and that’s something corporate travel policies have trouble articulating,” said Loe Cameron, a bioengineer in research and development who spends about three-quarters of her working time on the road.
Since her company was acquired about a year and a half ago, Ms. Cameron said that she had noticed more restrictions on the hotels and airlines employees were allowed to book, but that inconveniences like overnight layovers, convoluted itineraries (say, a United States-to-Britain trip via Turkey) and routes that require stopovers in cities with political or sectarian tensions were far less common.
“It’s been, on average, an improvement,” she said. “I think we have a lot of autonomy around travel.”
For human resources managers trying to woo candidates, agreeing to offer more flexible or comfortable travel arrangements is often more appealing than paying more in compensation, said Dave Carvajal, chief executive of Dave Partners, a technology recruitment firm.
“A company can win big points making their offer attractive without giving too much,” he said. It is not a fixed budget item that must be justified to investors or shareholders, and it makes the company look good from a corporate culture standpoint.
Mr. Carvajal said it was common for professionals he contacts on behalf of companies with open positions to ask for travel-related perks, along with salaries and other benefits. “Especially at the executive level, it’s all negotiable,” he said.
“The nature of work has really become ‘always on,’ ” he said. “To the degree you can find some creature comforts and make it easier for people to be more productive, it’s a sound investment.”