The threat of cybersecurity attacks is not exactly news. There have been cybersecurity threats since the conception of the internet, but within recent years the number and severity of these cybercrimes has increased dramatically. The global costs of cybercrime expected to reach $10.5 trillion in 2025, compared to the $3 trillion in 2015, so it’s also no surprise that many more businesses are, and must, be prepared for more sophisticated security threats.
Though cybercrime can and does impact many sectors and industries, oftentimes it is targeted, and the travel and tourism industry itself is often thought of as low-hanging fruit. The travel and hospitality industry handles vast quantities of secure and personal data – whether that’s in the case of sensitive data belonging to hotels, or unique identification data for travelers themselves. So, it remains especially important for travel advisors to be aware of cybersecurity in the travel industry, and what top cybersecurity threats to look out for.
What’s more, as the digital ecosystems of the travel and tourism industry keep growing, these will naturally become more vulnerable to cybercrimes. Therefore, data is at its most secure when all companies across the travel and tourism chain invest in cybersecurity awareness, strategies, and safeguarding.
Why is the travel industry susceptible to cybercrime?
As a global industry with many – literal – moving parts, the travel industry is often targeted by cybercriminals. Analysis of data breaches and cyberattacks have identified numerous reasons for this, such as:
- The industry’s huge fragmentation
- The complexity of the travel booking and payment networks/platforms
- The existence of many travel advisors and third-party service providers
- Poor security systems when it comes to IT and point-of-sale (POS)
- Human error
- The millions of travelers all interacting with travel providers within cyberspace
How can travel businesses mitigate cyber-attacks?
Human error was identified as one of the biggest threats to cybersecurity in 2023, so many common cyberthreats may be avoidable with the right education!
It’s estimated that, by 2025, around 99% of data breaches will be caused by a misconfiguration within settings or installation by an end user. So, this suggests that with proper education, and a thorough cybersecurity strategy, travel advisors will be able to mitigate the impact and severity of many common cyberthreats.
So, this suggests that with proper education, and a thorough cybersecurity strategy, travel advisors can mitigate the severity of, and limit the occurrence of, many common cyberthreats.
What a good cybersecurity strategy should involve:
- Contingency planning
- Immediate actions outlined – for varying types of breach or attack once discovered
- Post-breach responses
- An understanding of current cyber risks.
Here is where consolidating your tools and resources, and leveraging third-party expertise to manage complexities and augment capabilities can really give you a leg-up when it comes to protection against those more common threats.
Of course, cyberattacks will continue to evolve and become more sophisticated, but the staggering figures surrounding data breaches suggests that even company-wide training on a regular basis can help prevent those more common threats from occurring.
But for now, let’s look at some of the most common cybersecurity threats and what shape they take, to help you as travel advisors improve your awareness!
Social Engineering
... one of the most prevalent and dangerous techniques employed by cybercriminals, largely because social engineering in its varying forms relies on human error rather than any technical vulnerabilities. Of course, it’s much easier to trick or manipulate people than it is to breach a security system and it’s clear that naturally cybercriminals know this: more than 85% of all data breaches involve human interaction or error of some kind.
During 2023, social engineering techniques were one of the key ways that employee data and credentials were obtained by cybercriminals, to then conduct a cyberattack.
Of all the types of social engineering, phishing is one of the top causes of data breaches (with over 75% of targeted attacks starting with an email) and are constantly evolving to incorporate new trends and technologies.
What can phishing attacks look like?
- Spear phishing – this targets specific individuals or organisations, hence the term ‘spear’, most typically using malicious emails. The goal of these emails is to obtain sensitive data such as login credentials, or to infect the users’ device with malware (which we will explore later).
- Whaling – a type of attack that targets senior or C-level executive employees, with the aim of stealing money or information on the business, or to gain access to their devices to carry out further attacks.
- Vishing – the use of fraudulent phone calls or voice messages, often masquerading as a legitimate business, to convince individuals to share sensitive, private data such as bank details and passwords.
- SMiShing – the use of fraudulent text messages, in much the same way as ‘Vishing’, to steal sensitive, private data. This can often take the shape of your bank, or a shipping service.
Other social engineering techniques can involve:
- Business email compromize (BEC) - a prominent technique in which attackers assume the identities of trusted email addresses – often internal business users – to trick other employees or clients of the business into sharing data that could compromize the business, or make payments, amongst other goals.
- Pretexting – here cybercriminals gain access to a system or a user account using a false scenario that gains the victims trust through manipulation. Attackers could pose as a HR employee, or an IT specialist, for example.
- Disinformation campaign - these spread false information, usually with the goal of amplifying fake narratives using bots and fake accounts on social media networks.
Of these, for travel advisors, the most likely techniques to encounter are business email compromize attacks due to the large chains of internal communication. What do attackers do once they’re in? Often they send phishing emails to employees or clients of the business, to secure more sensitive data or encourage financial transactions; or use the account to launch attacks against other employees or the businesses systems.
Business email compromize attacks can be carried out in multiple ways, including:
Phishing – as explained above, this type of attack often using emails to trick employees into sharing sensitive data and are usually from a ‘trusted’ source. Social engineering techniques are then used to prompt the recipient into action.
Malware – this is the use of malware – malicious software - to infect a user’s computer and therefore gain access to their email accounts. Once installed, this malware can steal other sensitive data from this computer.
Social engineering – often, this type of attack (closely linked to phishing), tricks employees into divulging sensitive information or grant access to their email accounts. Usually, this involves impersonation to gain trust.
Manipulation of weak passwords – if employees use ‘weak’, reused, or easily guessable passwords, cybercriminals can obtain access to internal email systems by guessing these passwords.
How can travel advisors protect against business email compromize?
- Train employees on how to identify and avoid phishing emails
- Insist employees use strong passwords and two-factor authentication
- Keep software and cybersecurity systems up to date
- Implement email cybersecurity measures, such as spam filters
Third-Party Security Threats
During 2023, third-party breaches became even more common as many companies worldwide turned to independent contractors to fulfil work once handled by full-time employees. Therefore, this increased the number of less-protected networks which have access to the primary target, and which belong to these third parties. These are exploitable by hackers, as seen in the memorable attack on the U.S’s Colonial Pipeline in 2021, by obtaining compromized credentials, accessing a VPN without multi-factor authentication, and demanding a $5 million Bitcoin payment to regain access.
With the shift to remote or hybrid work – over 50% of business are more willing to hire freelancers – a higher percentage of remote or dispersed workforces means that third-party security threats continue to present challenges for travel business both large and small.
Cloud Vulnerabilities
With many more businesses adopting cloud-based systems, the growth of cloud-based cyberattacks likewise grows. It’s estimated that cloud security is the fastest growing cybersecurity market, growing around 41% from 2020 to 2021.
Nowadays, as a result of new developments in cloud security to ensure that protection keeps up with cloud-based systems and applications increasingly shouldering much of the corporate workload – especially within the travel industry! - many businesses adopt ‘zero trust cloud architecture’. Designed to operate as though the system has already been compromized, these systems require additional verification, rather than granting sustained access to recognized devices, or any device within the perimeter of the network.
Keeping on top of cloud security practices is critical, and can include:
- Monitoring access to sensitive resources
- Enforcing strict password requirements
- Implementing a sound data backup plan
- Leveraging data encryption
What are the most common cloud-based threats?
Commonly referred to as the ‘egregious eleven’ by security professionals, these are the most ‘popular’ access points:
- Data breaches
- Misconfiguration and inadequate change control
- Lack of cloud security architecture and strategy
- Insufficient identity, credential, access and key management
- Account hijacking
- Insider threat
- Insecure interfaces and APIs
- Weak control plane
- Metastructure and applistructure failures
- Limited cloud usage visibility
- Abuse and malicious use of cloud services
Supply Chain Attacks
A relatively new innovation, supply chain attacks involve the infiltration of supply chain technology – such as Application Programming Interfaces (API systems) – which are prevalent in the travel industry – to access source codes, build codes and other components of software. These legitimate platforms and applications are then used as springboards for the distribution of malware into these supply chain systems.
Considering how often supply chain systems are used within the travel and tourism industry – particularly through API integration – it’s important to know how to reduce the risk of this kind of attack!
Many modern travel businesses leverage travel APIs, as they enable different systems to communicate seamlessly, creating a unified platform where customers can find all travel products in one place. These API systems are incredibly effective at offering travel advisors multi-functional, user-friendly systems that keep ahead of hospitality tech trends. It also means that travel agencies can enhance their business success either by offering additional services and products to the end customer, including flights, hotels, car rental services and experiences, through API integration.
However, these systems are also vulnerable to attacks. But hope is not lost! There are many ways to protect against supply chain threats, including:
- Use endpoint monitoring tools to spot and stop suspicious activity
- Stay current with all system patches and updates
- Implement integrity controls to ensure users are only running tools from trusted sources
- Require admins and other users to use two-factor authentication
Ransomware
While certainly not a new threat, ransomware attacks have become significantly more expensive in the last few years – with costs expected to reach $265 billion by 2031 - and so continue to present considerable challenges to businesses of all sizes.
What is ransomware? Simply put, ransomware is a type of malicious software which blocks access to a computer system of any kind, until a sum of money is paid. This involves using malware to take control of computer systems, extract data, files or sensitive information, and then demand payment for access to be returned to the primary user.
Of course, before the ransomware attack can take place, hackers must obtain access to their targets’ systems. The most common methods of infiltration include:
- Phishing
- Remote Desktop Protocol (RDP) and credential abuse - wherein hackers use ‘brute-force’ or purchase credentials with the goal of logging into systems to distribute malware.
- Exploitable software – such as unpatched or out-of-date software.
Modern endpoint detection and response (EDR) technology can often protect against ransomware attacks, by stopping the execution of malicious software in the first place. Many businesses also benefit from the setting of cybersecurity parameters, to keep employees from straying too far from safe browsing locations on their corporate devices.
The Internet of Things
Physical objects – the Things in this instance – are increasingly becoming ‘smarter’, embedded with sensors, software and other tech. The more that we rely on these Things to connect and share data with other devices or systems over the internet, the more susceptible they are to attack.
How can this be done?
Default passwords: Hackers can exploit default passwords often supplied for smart devices, or easily guess reused and weak passwords or access codes for individual or business devices. These are then used to gain access to the device, its data, and facilitate further attacks.
Unsecured Wi-Fi networks: public Wi-Fi networks are often unsecured or use weak encryption, and these can be exploited to intercept data.
Fortunately, there are ways to protect your devices, including:
- Having users select secure passwords
- Staying current with Operating System (OS) and software updates
- Encouraging clients to encrypt their data
- Installing antivirus or anti-malware protection
- Changing default passwords
- Avoiding unsecured Wi-Fi networks
- Being cautious of suspicious emails or links
Financial loss and reputational damage
The consequences of a cybersecurity attack can be far-reaching and incredibly damaging for businesses of any size. Some small businesses may not recover from an attack, while large businesses can find themselves facing fines, lawsuits, the loss of customers or employees and an impacted reputation.
For many travel advisors, one of the key consequences will be the loss of reputation, which – should the business recover – will involve a long and detailed strategy to recover this reputation both for existing and potential customers. After all, how many people are going to choose a company that, from an external perspective, hasn’t protected its customers?
Another main consequence is the disruption to operations following a breach or attack, the consequence investigation that must take place, and the change to business practices after the resolution of the attack.
Getting your cybersecurity protection and awareness right across all levels of your business is crucial when it comes to the common attacks which we expanded upon above. But of course, it’s also important to seek expert training and advice from security professionals, to ensure that your business practices, cybersecurity strategies and company-wide understanding of cyber threats are up to date!