Travel, tourism and leisure are among the most impacted industries globally by cyber security, with digital fraud attempts rising 155.9% in the last 12 months.
We're urging North West businesses within the travel and tourism sectors to strengthen their cyber security infrastructures following concerns of heightened vulnerabilities during the busy summer season.
In July 2022, Marriott International suffered its third security breach in four years, which affected up to 400 customers. Attackers used social engineering to access systems through an employee's computer, but they did not gain access to Marriott's core systems.
During the busy summer period, you're vulnerable to cyber attacks
Could an overwhelming summer tourist demand disrupt the good cyber practices within your business? With such a drastic change to how companies work, such as working from home and taking bookings and payments online. Is your business more vulnerable to attacks and cyber fraud from hackers?
Concerns about the safety of corporate devices running on employee home networks or employees using their devices while working from home have been heightened recently. These concerns include businesses and their employees running the risk of letting their good practices in cyber-security become too relaxed due to the notion of being outside an office environment.
To help businesses prepare, we have created a Cyber Incident Response Pack containing documents to help support your business plan its response to a cyber incident. These documents are designed to complement any existing plans or assist you in creating one.
Remember to backup your data
Back up your data either in the cloud or on an external drive that isn't connected to the network. Recovering your data should you become the victim of a ransomware attack is imperative to keep your business running.
Having backups stored securely and disconnected from your network ensures there is an air gap between your live data and the backup. If you can, encrypt that data backup; If the worst happens and you are the victim of a ransomware attack, having your data encrypted will make it almost useless to attackers as they will have to spend considerable time and resources trying to decrypt it to make it worthwhile.
Make sure your staff can identify phishing emails
Phishing remains the most common type of cyber-attack - affecting 79% of businesses in 2023 - and results in the largest financial losses for companies.
Phishing is a tactic used by criminals who try and trick you into clicking a bad link that can download malware or try to encourage you to hand over passwords or account details.
No legitimate company will send emails using ‘@gmail.com' or ‘@hotmail.com'.
Look at the email address, not just the sender. Do they match?
Check the spelling and grammar, are the domain, name, sender's name and signature spelt correctly?
Did you expect to receive the email or attachment? Don't open an attachment unless you are fully confident that the message is from a legitimate contact or company.
Test your staff's resilience to phishing attacks through a Simulated Phishing Exercise.
Make sure you use different passwords for different accounts; make life easier by using three random words when creating a new password. For example, 'greenfiredbuttercup'.
It is best practice to change passwords every 30 days. Doing so will limit a password's value to an attacker should you become a data breach or Phishing attack victim. Ideally, this policy should be enforced on all business accounts, with new passwords securely stored in a password manager.
You must prevent malware from infecting your devices
Ensure that you have an up-to-date antivirus installed on your computers. With devices like tablets and mobile phones, make sure you are updating the phone's OS (operating system) and any applications you are using as antivirus & security updates are often bundled in with other feature updates.
Keep your devices safe, encourage your staff to have pin codes enabled and use strong passwords for account logins. If staff work on the go, beware of using public Wi-Fi networks. Don't connect to unknown Wi-Fi Hotspots (for example, in a hotel lobby or service station); there is no way to find out who controls that Wi-Fi hotspot easily. If you connect your devices to these hotspots, somebody else could gain access to the following:
Anything you're working on whilst connected to the Wi-Fi
Accounts and login details that many apps and web services maintain whilst you're logged on.
Don't forget to check for any USB devices which are connected that you are unaware of; they could be found unseen at the back or side of the device. This could be running any malware, but it likely is a keylogger that could capture all information guests enter. This is done by the USB device recording every keyboard press and can steal information such as logins and passwords to online banking or credit cards for purchases.
Data Theft / Data Exfiltration
If you are using payment terminals, the best practice is to lock them away when they aren't being used. In addition, make sure you regularly check they haven't been tampered with or damaged. For example, look for overlays on the keypad, a broken security seal or additional cable(s) you don't recognise, or scratches where the device has been opened.
For any devices you make available for public or guest use, you must ensure personal information from the previous user is not left behind. The easiest way to do this is to use a managed kiosk software package that automatically cleanses the PC of all data after each use. If you don't use this software, you must manually clear caches, web history, print queues and any files created.
Remember, as a business, you should continually review your security and the processes with your suppliers, requiring ISO certification and Cyber Essentials and documented standards as a minimum. In addition, watermarking your data can help you to identify third-party breaches faster and enable them to take action sooner.
Is your business ready for a Cyber Health Check?
We've designed a Cyber Health Check in collaboration with Police and ISO accredited Risk Managers; the outcome of this Cyber Health Check will provide your business with a summary of your Cyber Risks and an action plan to help protect you against the latest cyber threats.
How can the Cyber Resilience Centre help businesses in the travel and tourism sector?
We have covered a varied but high-level approach to cybersecurity in the travel and tourism sector. Still, if you need any other guidance or need some help with your cybersecurity, we are here to help.
In the last 12 months, one in three businesses (32%) have reported cyber security breaches or attacks, so there has never been a better time to improve your business resilience.
Keep your business safe by making your staff aware of the latest cyber security threats with our Business Premium Membership which supports you for 12 months.
This membership includes Cyber Security Policy and Procedures Templates, a Simulated Phishing Exercise, Cyber Risk Exposure Assessment and a bespoke Cyber Awareness Training program tailored to your organisation and delivered to your staff in-person or online.
