Recent data from Action Fraud shows a significant 120 per cent jump in holiday and travel-related fraud from consumers – highlighting that as demand for holidays soars, so too does the opportunity for fraud and cybercrime within the sector.
However, despite a significant increase in risk, the number of businesses that think they are likely to fall victim to a cyber-attack has fallen. According to RSM UK’s ‘The Real Economy’ report, over a quarter (27 per cent) of middle market businesses have experienced a cyber-attack in the past year, up from one in five last year. Yet despite the increased risk to middle market businesses, including those in the travel industry, our research found the number of businesses that felt they are ‘very likely’ to fall victim to a ransomware attack has actually fallen significantly, from 34 per cent in 2021 to just 24 per cent this year. In this article we’ll explore why travel and tourism is a significant target for cyber criminals and how businesses in the sector can navigate the risk.
Why is travel a target for cyber criminals?
- Multichannel: travel and tourism businesses typically take bookings via a number of channels. These could include website booking platforms, apps, and via customer services representatives by telephone or in physical stores. Cyber risk is heavily associated with these types of businesses.
- Rich data: the sector is rich in sensitive data including credit card, passport and driving licence details. Not only this, but travel businesses can rely on third parties for hosting website and booking platforms along with storing credit card data.
- Increased recruitment: the sector is in heavy recruitment mode. New joiners are the most likely to get caught out by phishing emails if they haven’t been previously educated, with 95 per cent of breaches caused by human error.
- Remote working: in the wake of the pandemic, the implementation of VPNs for remote access and increased capacity management via third party cloud computing software have generated new opportunities for cyber criminals.
- Internet of Things (IoT): added to the risk of home working is IoT. At home, smart printers, Alexa devices and wearable technology are all connected to home wireless networks that are not subject to corporate security policies. This allows easy access to an extended network no longer under corporate infrastructure.
Top 6 threats to the travel and tourism industry
| # | Threat | Description |
|---|--------|-------------|
| ① | Phishing | Phishing emails appear genuine and can prompt employees to provide hackers with an entry point to an organisation. |
| ② | Ransomware | Malware that encrypts files on a network e.g. booking platforms and makes them unusable until the demands of hackers are met. |
| ③ | Internal breaches | Nearly 30 per cent of attacks come from employees or other personnel with access to the organisation. |
| ④ | Equipment sabotage | Lack of up-to-date security measures for legacy equipment could leave travel businesses open to cyber threats. |
| ⑤ | IP theft | Often more overlooked than the theft of customer data, but ramifications can be huge as it’s the intellectual property that makes products or services innovative. |
| ⑥ | Supply chain attacks | If a supplier has a cyber-attack how would this stop your company from operating? It’s important to vet suppliers and check their security prevention. |
Preventing a cyber-attack
Cyber security is an ongoing process. Criminals are constantly developing their attack techniques and seeking out new vulnerabilities. To keep one step ahead of cyber criminals, travel businesses must ensure IT systems remain secure and continually review cyber security measures to ensure they are as robust as they possibly can be.
Checklist of considerations for the next 12 months
- Governance: policy and procedures should be effectively developed and communicated to all staff and third parties. Ensure these policies are adhered to and regularly reviewed.
- Frameworks: your cyber controls should be benchmarked against industry standard frameworks. This will help to highlight weaknesses.
- Threat modelling: understand your IT assets and what risks those assets face. What is the likelihood of an incident occurring and what would the impact be?
- Network Vulnerability & Penetration testing: an effective way to examine the environment and highlight vulnerabilities open on any system.
- Phishing and whaling exercises: an effective way to educate senior executives and the workforce and to assess the level of maturity towards cybersecurity.
- Incident response and recovery testing: ensure you are testing your recovery plans and incident response procedures regularly.
For more information you can find our latest cyber security report here.
If you would like to speak to one of our experts about this topic, please contact RSM’s Head of Travel and Tourism, Ian Bell or our National Cyber Security Lead, Sheila Pancholi.