Although the travel industry has faced serious disruption over the past three years, the horizon is clearing up with more and more passengers planning to travel for leisure. With the rebounded interest in travelling since the pandemic, it’s no secret that the sector has become one of the most attractive targets for cyber attacks, not least because the nature of the industry means businesses of all sizes and sophistication are handling large amounts of sensitive personal and financial data.
A recent industry report found that digital fraud attempts increased more than 150% in the last year alone as attacks intensified in areas including credit cards, personally identifiable information and reward programmes.
While no organisation can claim to be 100% bulletproof, there are critical steps any travel business can take to protect its reputation and mitigate risk. A question arises – how can the travel industry design security into its operations? When embarking on a security journey, businesses must consider several security measures:
Passwordless authentication is the future
Although passwords are often seen as a rudimentary method of security, many businesses tend to heavily rely on them to protect their networks. The reality is passwords can pose serious risks as they are usually easy to crack.
Passwords are a major cause of security breaches, yet they remain prevalent in just about every organisation. However, there are alternative and easy solutions to mitigate threats which still let businesses confirm a user’s identity without using the standard log-in process. Making the shift to passwordless authentication (for instance, verifying a user with an inbound link or one-time code sent via text message) can greatly strengthen security and alleviate the pressure on both employees and the IT team. While ditching passwords as we know them and rolling out passwordless authentication can seem daunting at first, doing so is crucial to removing a critical vulnerability.
Embrace two-factor authentication (2FA)
If completely removing passwords from the security toolbox is not an option for decision-makers, they can still implement solutions to reduce the chances of a breach. As attackers can and will gain access to employees’ password and identity details, adding an extra layer of authentication on a different device (like a smartphone) almost entirely negates the threat. Such two-factor authentication (2FA) steps can help ensure that a user’s identity is genuine. It’s a widely used technology but more businesses in the sector – especially smaller companies – need to make use of it to protect themselves.
The zero-trust approach to cybersecurity safeguards an organisation by removing trust and regularly verifying each digital connection. By adopting a zero-trust approach, organisations can ensure better security with strong authentication techniques, joint log-ins and “least access” policies protecting the internal ecosystem.
Focus on people, not just tech
While companies might put the strongest security solutions in place to avoid a data breach, internal risks should be treated as seriously as external threats. In many cases, data leaks caused by employees are a result of simple mistakes rather than malicious actions. Worryingly, it was reported that a staggering 82% of data breaches are caused by human error.
Furthermore, the surface of possible vulnerability has expanded as employees use an increasing number of different devices and communication channels. In many instances, workers communicate outside of traditional work platforms, on channels such as WhatsApp, which can be easily exploited by malicious actors.
Therefore, to ensure better protection against internal risks, security training is key. Educating employees to spot phishing emails, report suspicious links and avoid other increasingly advanced and socially engineered methods of extracting data or money from people trying to do their job in good faith is absolutely vital. Lack of effective training in this area can cost travel firms dearly.
Traditional antivirus is not enough
Along with advancements in technology, cyber criminals’ tactics have become increasingly sophisticated and complex. Traditional antivirus software is simply not designed or updated quickly enough to combat the developing threats and can’t keep up with the speed at which hackers’ approaches evolve.
Businesses need tougher security frameworks with multiple defences. For instance, the likes of endpoint detection and response (EDR) tools are likely to become commonplace because they add extra layers of data security and provide a more proactive way of dealing with threats. EDR is particularly good at dealing with zero-day threats – security vulnerabilities within the software that a business is not aware of.
Intelligent threats
And the threats around the corner are getting worse. As the travel industry turns to AI and the metaverse, the security threat increases. The technology is already transforming travel and the impact of the metaverse could be huge. Innovative solutions such as ChatGPT could help businesses in daily operations by evaluating log files quickly and scanning code for vulnerabilities. But, because both hinge on high volumes of complex data, they can be exploited. The industry needs to have its eyes wide open to the future security threats it is exposed to as it simultaneously seeks to benefit from the latest technology.