Leisure and travel companies are among the most targeted by cyber criminals. Firstly, companies offering these services routinely manage financial transactions with their customers, some of which may involve substantial amounts of money. Secondly, leisure and travel companies have access to substantial amounts of personally identifiable data, from names and addresses to passport details and financial details. These assets are valuable to cyber criminals, who can either profit directly by stealing money or use company data to craft further, more sophisticated cyber-attacks. As an industry that increasingly conducts much of its business online, it is important that cybersecurity is considered, for the sake of both the company and the client.
The main forms of cyber crime facing those working in the travel sector include phishing, DDoS, malware and ransomware. These are common threats that face companies of all sizes and specialities. Below is a brief outline of each threat.
Phishing:
The most common form of cyber-attack, phishing involves contacting victims by email, phone call or text and attempting to trick them into revealing sensitive information or unintentionally installing malware via a suspicious link or attachment. Phishing attempts range from simple and mistake-ridden to highly believable, targeted, and sophisticated. These attacks can allow criminals access to systems and networks, enabling them to cause huge damage to the company, its customers and its supply chain.
Distributed Denial of Service (DDoS):
DDoS attacks work by flooding a company’s systems, websites, and servers with traffic, attempting to slow down its service or take it offline. The sheer volume of traffic can shut down a company’s ability to operate, costing the victim through a loss of service. DDoS attacks are usually not financially motivated, as the criminal does not stand to gain any money, but the victim does lose revenue. These attacks are often ideologically or politically motivated or used as a distraction.
Malware/Ransomware:
Malware is malicious software that infects and corrupts computers. It can allow criminals access to systems and data, giving them opportunities to destroy, steal or spy on data. Ransomware is a specific type of malware that encrypts a company’s systems or data and holds it to ransom. This sort of attack is extremely disruptive, often demanding vast sums of money. Paying the ransom also provides no reassurance to the victim that the data has not been stolen anyway. Many ransomware victims become repeat targets and the disruption these attacks cause can be devastating to a business’s reputation.
How Would Cyber Essentials Help?
Whilst the threat landscape for businesses appears very bleak, there are simple things that an organisation can do to significantly reduce its risk profile. For small businesses, pursuing a Cyber Essentials qualification is an affordable option to ensure you have implemented the fundamentals of good cyber hygiene.
Cyber Essentials is a government-backed scheme that supports organisations with putting technical controls in place to help protect them from cybercrime. It comes in two levels, Cyber Essentials and Cyber Essentials Plus, and requires completing a checklist of actions and protocols that help to reduce your risk from the most common cyber threats.
Pursuing Cyber Essentials simplifies the process of becoming more cyber resilient, and leaves your business, customers and client base assured in the knowledge that you have actively considered your cyber security position and worked to rectify any outstanding vulnerabilities. It costs a fraction of what a potential cyber attack would and is guaranteed to reduce your risk of becoming a victim, as criminals tend to pursue organisations that are lacking in the technical controls that Cyber Essentials requires you to have.
Where Does the ECRC Fit Into This?
Becoming a free member of the ECRC ensures that you are supported in making small changes to improve your cyber resilience. Our regular emails, alongside our website, signpost you towards the free policing and NCSC resources that exist to support you, and the actions that we encourage you to take help you become compliant with the Cyber Essentials criteria. Resources such as the NCSC’s Cyber Action Plan and Exercise in a Box can be found on our website and are a fantastic way to take stock of your current cybersecurity position.
If you decide to go ahead with pursuing a Cyber Essentials qualification, the ECRC partners with several commercial cybersecurity companies that can accredit this for you. Our Cyber Essentials Partners can be found on our website and are all companies that operate in the counties covered by the ECRC.
Additionally, the ECRC also offers several cybersecurity services, which are designed to help SMEs assess their online networks. Delivered by university students working for Cyber PATH, these services can help those who feel unaware of their potential vulnerabilities online and assist with developing the right strategies to respond to potential incidents in the future. Through Cyber PATH, students are trained and overseen by senior ethical hackers to deliver these services, which supports the industry talent pipeline and keeps the cost to an absolute minimum.
Companies working in the travel sector remain a target for cybercriminals, regardless of business size. All organisations should be aware of how and why they might be targeted and take steps to improve their cyber resilience wherever possible. Cyber Essentials is one tool that can help to simplify this process, but taking the first step and becoming a member of the ECRC today is a completely free way to begin engaging with this topic and learning about the basic things you can do to build your cyber resilience.
If you have any questions about Cyber Essentials or wish to know more about the ECRC and how we can support you, please visit our website or book a chat with us today.
For more information about our Cyber Essentials Partners, please click here.
Reporting a live cyber-attack 24/7:
If you are a business, charity or other organisation which is currently suffering a live cyber-attack (in progress), please call Action Fraud on 0300 123 2040 immediately. This service is available 24 hours a day, 7 days a week.
Reporting a cyber-attack which is not ongoing:
Please report online to Action Fraud, the UK’s national reporting centre for fraud and cybercrime. You can report cybercrime online at any time using the online reporting tool, which will guide you through simple questions to identify what has happened. Action Fraud advisors can also provide the help, support, and advice you need.
Alternatively, you can call Action Fraud on 0300 123 2040 (textphone 0300 123 2050).