Leisure and Travel Sector – do you employ agile or home workers? If so, read on…………………………

Butlin’s, British Airways and Stena Cruises all have something in common; they have all experienced recent and significant data breaches.

How can you make sure you’re as secure as possible and able to respond to a hacking attempt? One of the ways is to ensure that your remote workers are well protected – that they know what a cyber-attack looks like, and they know what to do if they spot one.


A January 2022 survey by Diligent painted a pretty stark picture around the risks posed to organisations that allowed agile or remote workers.

  • One of the top risks identified by boards was around technology associated with working from home, and not keeping pace with emerging technologies

  • 75% say their organization lost money or revenue – a total of £374 million – due to a breach – in the past 18 months

  • 82% of those who reported a breach say it resulted from tech issues or behaviour related to working from home

So, on the one hand, most cyber breaches are now exploiting working from home vulnerabilities and on the other most businesses are not sufficiently prepared to deal with the risk.


Sounds like a recipe for disaster? Maybe but, as in all things there are simple solutions that can be implemented to help to protect your organisation and its network.


Why is the risk so high in the Leisure and Travel?

The sector was one of the first casualties of the pandemic but also one of the first to react to it.

With the changing demand for their services many companies quickly adapted to working from home and then back into the office as the restrictions eased. Consequently, many travel and leisure companies have adapted to the pandemic through allowing a significant number of their staff to work from home ether permanently or as part of an agile approach for their workforce.


Travel companies have also taken advantage of technology that allows them to serve customers through digital channels, which has led to a rapid surge in digital capabilities, services, and products for customers of those sectors.


However, this digital response to the pandemic crisis has led to new cybersecurity risks and vulnerabilities. And attackers are looking to exploit the gaps that open up when agile employees use insecure networks and devices.


What are the main risks associated with homeworkers?

1. Phishing emails. Employees working remotely can be the largest threat to the security of your network. If they unknowingly follow poor cyber security practices, they might end up giving cybercriminals and hackers access to the network and sensitive data of the company.


Commonly, the hacker will send an email to trick the victim to login to a malicious website that looks exactly like the original website. Once the victim enters the required information, the attacker uses it to hack into an account and carry out identity fraud or steal more sensitive information. The phishing emails may look like from a person or organization you trust. It may be from a social media site, credit card company, streaming app, bank, or even a work colleague or supervisor.

2. Password Theft. Even when an organization uses firewalls, VPNs, and other cybersecurity software for protecting remote work, human error might come into play when employees safeguard the account using weak passwords.


Hackers can exploit human error to get past sophisticated security software. This is the reason they will try to crack the account passwords for accessing sensitive details. You won’t believe it, but twenty-three million people still use the password 123456.


Cybercriminals use different measures for cracking passwords. Often, the hackers design codes to crack a password by trying out various variants. Repeat password is another insecure practice that hackers try to exploit. As soon as the hackers crack the password to an account, they will try accessing other accounts with the same password. Employees repeating their passwords on various applications are at a higher risk of having their accounts hacked. This is particularly true for employees who use the same passwords across personal and work networks.

3. File Sharing. While companies might think of encrypting data that is stored on the corporate network, they might not consider encrypting data when it is in transit from one location to the other. This might result in employees sharing or remotely accessing sensitive details on a regular basis that the company is unable to secure from being intercepted by a hacker.


4. Personal Devices. Employees often don’t encrypt their own personal devices. Nevertheless, if work is conducted on personal mobile phones, such as logins or phone calls to business accounts, this may cause data breaches.

Some businesses provide their employees with work computers to remotely access the files and information. However, others allow remote employees to work on personal computers. This approach might leave company data at risk.


5. Home Wi-Fi. While companies generally think about securing the laptops of remote employees, many don’t consider the Wi-Fi networks that their employees are using at home. It might be posing a risk for their company data if it is not secure. Many people might update their antivirus or smartphone software. But many tend to overlook the updates of home router software. This can lead to network security gaps.


Can you protect yourself from these attacks?

Yes, you can.

Here at the centre, we would advise a whole system or organisation approach to cybersecurity to maximise its effectiveness. That would include carrying out staff awareness sessions to make sure that staff know what to look for – to spot potential attacks, and to identify when an attack has been successfully carried out.


We would also recommend that organisations look at bringing in clear policies around cyber security so that all staff are aware of their responsibilities and what they should be doing to strengthen their remote working set-ups


The impact of a successful attack against your website or network can be catastrophic and lead to website downtime, loss of business and loss of reputation. In the worst cases it can lead to the closure of the business altogether. But all is not lost.


So, what should my business be doing now?

Here at the centre, we would advise you to do three things now

  1. Join our free core membership by clicking through to https://www.ecrcentre.co.uk/core-membership-sign-up. You will be supported through implementing the changes you need to make to protect your business and your customers.

  2. For small and medium sized businesses in the Eastern region we would recommend that you look at improving you overall cyber resilience through the free Little Steps pathway we provide to Cyber Essentials – the basic government backed kite mark standard for cyber security. https://www.ecrcentre.co.uk/what-is-cyber-essentials. Join the centre as a free member and we will take you as far as the CE accreditation process. And if you want to pay for the assessment, we can refer you one of our Trusted Partners – all regionally based cyber security companies that can help you become accredited.

  3. We would also recommend that you speak to your Managed Service Provider and / or website company to discuss how they can implement cyber resilience measures on your behalf. And remember that a company operating under Cyber Essentials processes is 99% protected either fully or partially from today’s common cyber-attacks.


Reporting Cyber Crime


Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).




The contents of this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of The Cyber Resilience Centre for the East is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. The Cyber Resilience Centre for the East provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us.

The Cyber Resilience Centre for the East does not accept any responsibility for any loss which may arise from reliance on information or materials published on this document. The Cyber Resilience Centre for the East is not responsible for the content of external internet sites that link to this site or which are linked from it.