To ensure that we remain at the forefront of industry insight, the Protected Trust Services team regularly attends travel and related events across the world. One such event in 2017 was the Cyber Security Summit, and we found ourselves particularly absorbed by Don Randall’s lecture on the risks, motivation and prevention of cyber security attacks. As an ICTS consultant and former security adviser to The Bank of England, Don provided some excellent preventative measures that can be put in place by any business, and we hope to share some of these with you today.
Why Should My Travel Business Be Concerned About Cyber Security?
No matter the size of your business, and no matter the industry you work in, everyone can be affected by cyber-attacks and fraud. In 2013, the US DEA found that 13% of all crime was cyber, and by 2015 there were over 30,000 cybercrimes being committed every day. In 2013 in the UK alone, there were 230,000 fraud and cyber crimes reported, and it is estimated that a further 80% of crimes remained unreported. This takes a huge toll on businesses, with fraud costing the UK economy an estimated £193 billion annually as of May 2016. The message here is clear. Fraud and cybercrime are increasingly common and are becoming more prevalent with each passing day.
Cybercrime and fraud can be devastating to your business in a number of ways, the most obvious being the potential financial impact. If a cybercriminal accesses your bank details and acquires funds from your account, this money is no longer available to your company. Even if the money is refunded, this can still cause short-term problems with the business’ cash flow. A shortfall in cash can make it difficult to pay regular expenses, such as bills, supplier payments and staff wages – some of which can further incur late payment fees. Additionally, the business may be subject to a fine, which can mean you lose money after all. By way of example, if a cybercriminal were to acquire a client’s details during a booking, you may find yourself fined under the General Data Protection Regulation (GDPR).
Fraud and cybercrime can also damage your reputation and reduce consumer trust in your business. Consumers are understandably less enthusiastic about purchasing from a business that has previously been the target of fraud or cybercrime. Once earned, such a reputation can be very difficult to shift, and this may cause you to be declined for credit, denied entry into trade memberships, and may lead to reduced sales.
This loss of reputation can also be damaging to your company culture, regardless of culpability. For employees, it can be very embarrassing to be associated with a business linked to fraud or cybercrime. Even if an employee finds new employment elsewhere, they may find their reputation permanently marred by their previous employer. Similarly, as an employer, this reputation may make it increasingly difficult to find staff. This may be especially true for highly skilled staff, who often have a range of potential employment opportunities.
Lastly, businesses affected by fraud or cybercrime are often subject to increasing scrutiny by the taxman, and you can expect to find your business under audit at some point in the future. This will make it harder to sign off accounts, can put further constraints on your time, and may incur fees from your accountant should they be required to help deal with the audit.
The Motivations For Cyber Attacks
Despite public opinion, not every cyber-attack is carried out for financial gain. By way of example, the recent “WannaCry” attacks on the British NHS held no financial benefit to the perpetrators. The organised crime group behind this attack would have put a huge amount of time and effort into the attack but did not seek any particular financial gain. This was simply a statement of power. This makes it a very different case to personal credit card details being phished and used.
The major motivations for crime, according to Don Randall, are need, greed and plus. These can be broken down as follows:
- Need refers to the people who are poverty-stricken and have no choice. This bracket isn’t generally applicable to cybercrime, but it can apply to insiders and employees who fraudulently steal from a company.
- Greed is one of the largest drivers of cybercrime and is exactly as you would expect. Many cyber-attacks and fraudulent crimes are driven by pure greed and the desire for material gain.
- Plus refers to irritants. These are perpetrators who just want to make life difficult and to show they can attack a certain system. The people in this category are often the most difficult to catch and to protect against, as there is no logical reason behind their actions.
Remember Not To Discount Internal Threats
One great oversight when addressing cybercrime is that businesses tend to consider only external attacks as a threat. However, you must also consider internal threats posed by your employees. Employees will often have a greater understanding of your IT system, and may also become inadvertent accomplices to an attacker, such as through phishing emails.
There are two essential measures to help prevent employees from acting fraudulently. I’m sure this goes without saying, but first and foremost, treat your staff well. Always treat your staff with respect, make them feel appreciated, and make them feel part of the team. A happy and tight-knit workforce will work hard for your business and will be far less inclined to commit crimes against the company. Secondly, make sure to educate your organisation, ensuring that employees are aware of potential threats to your security. Randall estimates that over 80% of cybercrime and fraud can be prevented simply by better educating the workforce.
What Can I Implement Right Now To Improve My Cyber Security?
- Never use public WiFi with mobile banking. Most banks will include a section in their terms and conditions to warn the customer against this, but many people continue to fall foul of this advice. Mobile banking is fine but always access it through a secure, private network.
- Teach your team about how attacks tend to begin. The most common starting points are email attachments from unknown people, slight changes in email addresses, and demands for private or confidential information via email.
- To reiterate and build upon the previous point, never click on an email you don’t recognise!
- Ensure that your staff speak to one another and communicate as a team. If payments, communication, or a client’s behaviour seem strange, discuss it. This is particularly important before you action any request that has been sent to you via email. It is always better to be cautious and to check, and people often find that their gut instincts are correct.
- Always keep your passwords absolutely private. Don’t even give the password to your most trusted colleague. The password stays with you, and you alone.
- When staff leave the company, make sure that all passwords are changed immediately by the IT team.
- The most sensible thing to do in any company is to separate the IT infrastructure from the security and policing. As Mark Carney, Governor of The Bank of England, said, “You don’t mark your own homework.”
Contact Protected Trust Services For Further Cyber Security Advice
Cybercrime and fraud are everyday threats for any business, but any business can put preventative measures in place. It is absolutely imperative to make your personal information and your business completely secure, and Protected Trust Services will happily support any travel or business member with advice on cyber security. If you would like to discuss how your travel business can better protect against cyberattacks, or if you have any further questions for our member support team, please contact us on 0207 190 9988, or via email at firstname.lastname@example.org. We look forward to hearing from you.