Cybercrime: How can travel and tourism businesses mitigate the risk?

Recent data from Action Fraud shows a significant 120 per cent jump in holiday and travel-related fraud from consumers, highlighting that as demand for holidays soars, so too does the opportunity for fraud and cybercrime within the sector.

However, despite a significant increase in risk, the number of businesses that think they are likely to fall victim to a cyber-attack has fallen. According to RSM UK’s ‘The Real Economy’ report, over a quarter (27 per cent) of middle market businesses have experienced a cyber-attack in the past year, up from one in five last year. Yet despite the increased risk to middle market businesses, including those in the travel industry, our research found the number of businesses that felt they are ‘very likely’ to fall victim to a ransomware attack has actually fallen significantly, from 34 per cent in 2021 to just 24 per cent this year. In this article we’ll explore why travel and tourism is a significant target for cyber criminals and how businesses in the sector can navigate the risk.

Why is travel a target for cyber criminals?

  • Multichannel: travel and tourism businesses typically take bookings via a number of channels. These could include website booking platforms, apps, and via customer services representatives by telephone or in physical stores. Cyber risk is heavily associated with these types of businesses.
  • Rich data: the sector is rich in sensitive data including credit card, passport and driving licence details. Not only this, but travel businesses can rely on third parties for hosting website and booking platforms along with storing credit card data.
  • Increased recruitment: the sector is in heavy recruitment mode. New joiners are the most likely to get caught out by phishing emails if they haven’t been previously educated, with 95 per cent of breaches caused by human error.
  • Remote working: in the wake of the pandemic, implementation of VPNs for remote access and increased capacity management via third party cloud computing software have generated new opportunities for cyber criminals.
  • Internet of Things (IoT): added to the risk of home working is IoT. At home, smart printers, Alexa devices and wearable technology are all connected to home wireless networks that are not subject to corporate security policies. This allows easy access to an extended network no longer under corporate infrastructure.

Top 6 threats to the travel and tourism industry

  • Phishing: Phishing emails appear genuine and can prompt employees to provide hackers with an entry point to an organisation.
  • Ransomware: Malware that encrypts files on a network e.g. booking platforms and makes them unusable until the demands of hackers are met.
  • Internal breaches: Nearly 30 per cent of attacks come from employees or other personnel with access to the organisation.
  • Equipment sabotage: Lack of up-to-date security measures for legacy equipment could leave travel businesses open to cyber threats.
  • IP theft: Often more overlooked than the theft of customer data, but ramifications can be huge as it’s the intellectual property that makes products or services innovative.
  • Supply chain attacks: If a supplier has a cyber-attack how would this stop your company from operating? It’s important to vet suppliers and check their security prevention.

Preventing a cyber-attack

Cyber security is an ongoing process. Criminals are constantly developing their attack techniques and seeking out new vulnerabilities. To keep one step ahead of cyber criminals, travel businesses must ensure IT systems remain secure and continually review cyber security measures to ensure they are as robust as they possibly can be.

Checklist of considerations for the next 12 months

  • Governance: policy and procedures should be effectively developed and communicated to all staff and third parties. Ensure these policies are adhered to and regularly reviewed.
  • Frameworks: your cyber controls should be benchmarked against industry standard frameworks. This will help to highlight weaknesses.
  • Threat modelling: understand your IT assets and what risks those assets face. What is the likelihood of an incident occurring, and what would the impact be?
  • Network vulnerability and penetration testing: an effective way to examine the environment and highlight vulnerabilities open on any system.
  • Phishing and whaling exercises: an effective way to educate senior executives and the workforce and to assess the level of maturity towards cybersecurity.
  • Incident response and recovery testing: ensure you are testing your recovery plans and incident response procedures regularly.

For more information you can find our latest cyber security report here.

If you would like to speak to one of our experts about this topic, please contact RSM’s Head of Travel and Tourism, Ian Bell, or our National Cyber Security Lead, Sheila Pancholi.