The threat of cybersecurity attacks is not exactly news. There have been cybersecurity threats since the conception of the internet, but within recent years the number and severity of these cybercrimes has increased dramatically. The global costs of cybercrime are expected to reach $10.5 trillion in 2025, compared to the $3 trillion in 2015, so it’s also no surprise that many more businesses are, and must be, prepared for more sophisticated security threats.
Though cybercrime can and does impact many sectors and industries, oftentimes it is targeted, and the travel and tourism industry itself is often thought of as low-hanging fruit. The travel and hospitality industry handles vast quantities of secure and personal data – whether that’s in the case of sensitive data belonging to hotels, or unique identification data for travelers themselves. So, it remains especially important for travel providers to be aware of cybersecurity in the travel industry, and what top cybersecurity threats to look out for.
What’s more, as the digital ecosystems of the travel and tourism industry keep growing, these will naturally become more vulnerable to cybercrimes. Therefore, data is at its most secure when all companies across the travel and tourism chain invest in cybersecurity awareness, strategies, and safeguarding.
Why is the travel industry susceptible to cybercrime?
As a global industry with many – literal – moving parts, the travel industry is often targeted by cybercriminals. Analysis of data breaches and cyberattacks has identified numerous reasons for this, such as:
- The industry’s huge fragmentation
- The complexity of the travel booking and payment networks/platforms
- The existence of many travel agents and third-party service providers
- Poor security systems when it comes to IT and point-of-sale (POS)
- Human error
- The millions of travellers all interacting with travel providers within cyberspace
How can travel businesses mitigate cyber-attacks?
Human error was identified as one of the biggest threats to cybersecurity in 2023, so many common cyberthreats may be avoidable with the right education!
It’s estimated that, by 2025, around 99% of data breaches will be caused by a misconfiguration within settings or installation by an end user. This suggests that with proper education and a thorough cybersecurity strategy, travel providers can limit the occurrence of many common cyberthreats and mitigate their impact and severity.
What a good cybersecurity strategy should involve:
- Contingency planning
- Immediate actions outlined – for varying types of breach or attack once discovered
- Post-breach responses
- An understanding of current cyber risks.
Here is where consolidating your tools and resources, and leveraging third-party expertise to manage complexities and augment capabilities, can really give you a leg-up when it comes to protection against those more common threats.
Of course, cyberattacks will continue to evolve and become more sophisticated, but the staggering figures surrounding data breaches suggest that even company-wide training on a regular basis can help prevent those more common threats from occurring.
But for now, let’s look at some of the most common cybersecurity threats and what shape they take, to help you as travel providers improve your awareness!
Social Engineering
Social engineering is one of the most prevalent and dangerous techniques employed by cybercriminals, largely because in its varying forms it relies on human error rather than on technical vulnerabilities. It is much easier to trick or manipulate people than it is to breach a security system, and cybercriminals know this: more than 85% of all data breaches involve human interaction or error of some kind.
During 2023, social engineering techniques were one of the key ways that employee data and credentials were obtained by cybercriminals, to then conduct a cyberattack.
Of all the types of social engineering, phishing is one of the top causes of data breaches (with over 75% of targeted attacks starting with an email), and phishing attacks are constantly evolving to incorporate new trends and technologies.
What can phishing attacks look like?
- Spear phishing – this targets specific individuals or organisations, hence the term ‘spear’, most typically using malicious emails. The goal of these emails is to obtain sensitive data such as login credentials, or to infect the user’s device with malware (which we will explore later).
- Whaling – a type of attack that targets senior or C-level executive employees, with the aim of stealing money or information on the business, or to gain access to their devices to carry out further attacks.
- Vishing – the use of fraudulent phone calls or voice messages, often masquerading as a legitimate business, to convince individuals to share sensitive, private data such as bank details and passwords.
- SMiShing – the use of fraudulent text messages, in much the same way as ‘Vishing’, to steal sensitive, private data. This can often take the shape of your bank, or a shipping service.
Other social engineering techniques can involve:
- Business email compromise (BEC) – a prominent technique in which attackers assume the identities of trusted email addresses – often internal business users – to trick other employees or clients of the business into sharing data that could compromise the business, or into making payments, amongst other goals.
- Pretexting – here cybercriminals gain access to a system or a user account using a false scenario that gains the victim’s trust through manipulation. Attackers could pose as an HR employee, or an IT specialist, for example.
- Disinformation campaign – these spread false information, usually with the goal of amplifying fake narratives using bots and fake accounts on social media networks.
Of these, for travel providers, the most likely techniques to encounter are business email compromise attacks due to the large chains of internal communication. What do attackers do once they’re in? Often they send phishing emails to employees or clients of the business, to secure more sensitive data or encourage financial transactions; or use the account to launch attacks against other employees or the business’s systems.
Business email compromise attacks can be carried out in multiple ways, including:
- Phishing – as explained above, this type of attack often uses emails to trick employees into sharing sensitive data, and these emails usually appear to come from a ‘trusted’ source. Social engineering techniques are then used to prompt the recipient into action.
- Malware – this is the use of malware – malicious software – to infect a user’s computer and therefore gain access to their email accounts. Once installed, this malware can steal other sensitive data from this computer.
- Social engineering – often, this type of attack (closely linked to phishing) tricks employees into divulging sensitive information or granting access to their email accounts. Usually, this involves impersonation to gain trust.
- Manipulation of weak passwords – if employees use ‘weak’, reused, or easily guessable passwords, cybercriminals can obtain access to internal email systems by guessing these passwords.
How can travel providers protect against business email compromise?
- Train employees on how to identify and avoid phishing emails
- Insist employees use strong passwords and two-factor authentication
- Keep software and cybersecurity systems up to date
- Implement email cybersecurity measures, such as spam filters
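To make the "email cybersecurity measures" point concrete, here is an added example (not from the original article) of a header check that flags the impersonation patterns described above: a staff member's display name on an external address, a lookalike sender domain, and a Reply-To that points elsewhere. The company domain, staff names and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration (not from the article).
COMPANY_DOMAIN = "example-travel.test"
STAFF_NAMES = {"dana finance", "alex director"}

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance(a, b):
    # Levenshtein distance, used to spot near-miss (lookalike) domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_signals(raw_message):
    """Return the list of impersonation signals found in the headers."""
    msg = message_from_string(raw_message)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(sender), _domain(reply_to)
    external = from_dom != COMPANY_DOMAIN
    signals = []
    if external and name.strip().lower() in STAFF_NAMES:
        signals.append("staff-name-on-external-address")
    if external and _edit_distance(from_dom, COMPANY_DOMAIN) <= 2:
        signals.append("lookalike-sender-domain")
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-domain-mismatch")
    return signals

# Constructed sample messages.
INTERNAL = ('From: "Dana Finance" <dana@example-travel.test>\n'
            "Subject: Q3 supplier invoices\n\nSee attached.\n")
SPOOFED = ('From: "Dana Finance" <dana@examp1e-travel.test>\n'
           "Reply-To: payments@mailbox.test\n"
           "Subject: Urgent: change of bank details\n\nPlease pay today.\n")
PARTNER = ('From: "Sam Supplier" <sam@hotel-partner.test>\n'
           "Subject: Room allocation\n\nConfirmed.\n")

if __name__ == "__main__":
    for label, raw in (("internal", INTERNAL), ("spoofed", SPOOFED), ("partner", PARTNER)):
        print(label, bec_signals(raw))
```

This check only covers impersonation from a different domain; a forged message that uses the exact company domain is what SPF, DKIM and DMARC verification is for.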
Third-Party Security Threats
During 2023, third-party breaches became even more common as many companies worldwide turned to independent contractors to fulfil work once handled by full-time employees. This increased the number of less-protected networks which belong to these third parties and which have access to the primary target. These are exploitable by hackers, as seen in the memorable attack on the U.S.’s Colonial Pipeline in 2021, in which attackers obtained compromised credentials, accessed a VPN without multi-factor authentication, and demanded a $5 million Bitcoin payment to regain access.
With the shift to remote or hybrid work – over 50% of businesses are more willing to hire freelancers – a higher percentage of remote or dispersed workforces means that third-party security threats continue to present challenges for travel businesses both large and small.
Cloud Vulnerabilities
With many more businesses adopting cloud-based systems, the number of cloud-based cyberattacks likewise grows. It’s estimated that cloud security is the fastest growing cybersecurity market, growing around 41% from 2020 to 2021.
As cloud-based systems and applications increasingly shoulder much of the corporate workload – especially within the travel industry! – cloud security has had to keep up, and many businesses now adopt ‘zero trust cloud architecture’. Designed to operate as though the system has already been compromised, these systems require additional verification rather than granting sustained access to recognised devices or to any device within the perimeter of the network.
Keeping on top of cloud security practices is critical, and can include:
- Monitoring access to sensitive resources
- Enforcing strict password requirements
- Implementing a sound data backup plan
- Leveraging data encryption
What are the most common cloud-based threats?
Commonly referred to as the ‘egregious eleven’ by security professionals, these are the most ‘popular’ access points:
- Data breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- Metastructure and applistructure failures
- Limited cloud usage visibility
- Abuse and malicious use of cloud services
Supply Chain Attacks
A relatively new innovation, supply chain attacks involve the infiltration of supply chain technology – such as Application Programming Interfaces (APIs), which are prevalent in the travel industry – to access source code, build code and other components of software. These legitimate platforms and applications are then used as springboards for the distribution of malware into these supply chain systems.
Considering how often supply chain systems are used within the travel and tourism industry – particularly through API integration – it’s important to know how to reduce the risk of this kind of attack!
Many modern travel businesses leverage travel APIs, as they enable different systems to communicate seamlessly, creating a unified platform where customers can find all travel products in one place. These API systems are incredibly effective at offering travel agents multi-functional, user-friendly systems that keep ahead of hospitality tech trends. It also means that travel agencies can enhance their business success by offering additional services and products to the end customer, including flights, hotels, car rental services and experiences, through API integration.
However, these systems are also vulnerable to attacks. But hope is not lost! There are many ways to protect against supply chain threats, including:
- Use endpoint monitoring tools to spot and stop suspicious activity
- Stay current with all system patches and updates
- Implement integrity controls to ensure users are only running tools from trusted sources
- Require admins and other users to use two-factor authentication
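One way to implement the integrity control in the list above, as an added example that is not from the original article: compare every file in a tools directory against a manifest of pinned SHA-256 hashes and report anything modified, missing or unlisted. The tool names and file contents are hypothetical and constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_tools(tool_dir, manifest):
    """Return {file name: 'ok' | 'modified' | 'missing' | 'unlisted'}."""
    present = {p.name: p for p in Path(tool_dir).iterdir() if p.is_file()}
    results = {}
    for name, expected in manifest.items():
        if name not in present:
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(present[name]), expected):
            results[name] = "ok"
        else:
            results[name] = "modified"
    # Anything on disk that the manifest does not pin is untrusted by default.
    for name in present.keys() - manifest.keys():
        results[name] = "unlisted"
    return results

def demo():
    """Build a constructed tools directory, tamper with it, then verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        tools = Path(tmp)
        (tools / "booking-sync").write_bytes(b"release build 1.0\n")
        (tools / "fare-export").write_bytes(b"release build 2.3\n")
        # Hashes pinned at the time the tools were approved.
        manifest = {n: sha256_file(tools / n) for n in ("booking-sync", "fare-export")}
        manifest["rate-loader"] = "0" * 64  # approved but not installed
        # Simulated tampering after approval, plus an unapproved extra file.
        (tools / "fare-export").write_bytes(b"release build 2.3\n# injected\n")
        (tools / "helper.bin").write_bytes(b"dropped by unknown installer\n")
        return verify_tools(tools, manifest)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9} {name}")
```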
Ransomware
While certainly not a new threat, ransomware attacks have become significantly more expensive in the last few years – with costs expected to reach $265 billion by 2031 - and so continue to present considerable challenges to businesses of all sizes.
What is ransomware? Simply put, ransomware is a type of malicious software which blocks access to a computer system of any kind, until a sum of money is paid. This involves using malware to take control of computer systems, extract data, files or sensitive information, and then demand payment for access to be returned to the primary user.
Of course, before the ransomware attack can take place, hackers must obtain access to their targets’ systems. The most common methods of infiltration include:
- Phishing
- Remote Desktop Protocol (RDP) and credential abuse - wherein hackers use ‘brute-force’ or purchase credentials with the goal of logging into systems to distribute malware.
- Exploitable software – such as unpatched or out-of-date software.
Modern endpoint detection and response (EDR) technology can often protect against ransomware attacks, by stopping the execution of malicious software in the first place. Many businesses also benefit from the setting of cybersecurity parameters, to keep employees from straying too far from safe browsing locations on their corporate devices.
The Internet of Things
Physical objects – the Things in this instance – are increasingly becoming ‘smarter’, embedded with sensors, software and other tech. The more that we rely on these Things to connect and share data with other devices or systems over the internet, the more susceptible they are to attack.
How can this be done?
- Default passwords: Hackers can exploit default passwords often supplied for smart devices, or easily guess reused and weak passwords or access codes for individual or business devices. These are then used to gain access to the device, its data, and facilitate further attacks.
- Unsecured Wi-Fi networks: Public Wi-Fi networks are often unsecured or use weak encryption, and these can be exploited to intercept data.
Fortunately, there are ways to protect your devices, including:
- Having users select secure passwords
- Staying current with Operating System (OS) and software updates
- Encouraging clients to encrypt their data
- Installing antivirus or anti-malware protection
- Changing default passwords
- Avoiding unsecured Wi-Fi networks
- Being cautious of suspicious emails or links
Financial loss and reputational damage
The consequences of a cybersecurity attack can be far-reaching and incredibly damaging for businesses of any size. Some small businesses may not recover from an attack, while large businesses can find themselves facing fines, lawsuits, the loss of customers or employees and an impacted reputation.
For many travel providers, one of the key consequences will be the loss of reputation, which – should the business recover – will involve a long and detailed strategy to recover this reputation both for existing and potential customers. After all, how many people are going to choose a company that, from an external perspective, hasn’t protected its customers?
Another main consequence is the disruption to operations following a breach or attack, the consequent investigation that must take place, and the change to business practices after the resolution of the attack.
Getting your cybersecurity protection and awareness right across all levels of your business is crucial when it comes to the common attacks which we expanded upon above. But of course, it’s also important to seek expert training and advice from security professionals, to ensure that your business practices, cybersecurity strategies and company-wide understanding of cyber threats are up to date!