Welcoming travelers back while still absorbing the shockwaves of COVID-19 has spurred a digital evolution for the travel and tourism industry. A rapid move to the cloud offers new ways of reaching customers—and introduces new risks. Travel and tourism organizations hold sensitive customer information, in addition to proprietary business data. People are eager to once again move freely across the planet, but they’re asked to share more of their personal information, heightening the industry’s focus on cybersecurity.
From anywhere and on any device, travelers can book every step of a globe-spanning trip with flights, lodging, cruises, trains, and other providers. This represents a vast and diverse cyber ecosystem, where resilience is essential at every level. The industry includes booking platforms, insurance carriers, payment providers, loyalty programs, and others, all of which exchange sensitive data. Nearly all of these need to confirm consumer identity, making every transaction and database a potential vulnerability.
Against this rapid growth in the digital ecosystem, COVID-19 and high staff turnover have left travel and tourism organizations more resource-constrained than ever. Digitization and increased data sharing have opened vast opportunities, but also exposed new vulnerabilities. The move to the cloud requires new expertise for already overwhelmed IT teams.
As the travel and tourism sector looks ahead, Microsoft partnered with the World Travel and Tourism Council (WTTC) to develop a white paper, “Codes to Resilience: Cyber Resilience in Travel & Tourism,” to help plan for a more resilient future. Drawing on insights from industry leaders across the globe, Julie Shainock, Global Leader, Travel and Tourism, and Shane O’Flaherty, Global Director of Travel and Transport, co-authored the white paper with the WTTC to share the most recent understanding of cyber-resilience for the industry.
Together, Microsoft and WTTC are committed to equipping the travel and tourism industry for an increasingly digital future, grounded in security and resilience.
Evolving pressures and new challenges
The white paper, “Codes to Resilience: Cyber Resilience in Travel & Tourism,” identifies the key challenges travel and tourism organizations should be thinking about and offers best practices for preventing and detecting cybercrime as it has become more complex in recent years.
Globally, the industry saw a sharp increase in digital security breaches from 2015 to 2019, at higher costs. The risks are familiar: phishing, ransomware, malware, and identity theft are common attacks. What’s new is the widening variety of vulnerabilities—not just in the various data systems and connections that have proliferated, but also with IoT-connected devices.
Travel and tourism organizations have a complex security environment because their employees are working across the globe. The shift to hybrid work has made this environment even more challenging, and workers more susceptible to cybersecurity breaches.
With the workforce challenges of COVID-19, many travel and tourism organizations need to defend against more vulnerabilities with reduced IT and security teams. As Alain Simon of Amadeus says in the paper, “the issue is not a problem of budget, but a problem with resources.”
An added dimension for a sector that operates globally is legal and regulatory compliance. Each country or region determines its own legislation around privacy, critical infrastructure, and supply chain security. For example, the European Union has implemented the General Data Protection Regulation (GDPR), Australia has the Privacy Act, and various states in the United States have different privacy laws—making compliance of utmost importance.
Highlighting best practices
People are eager to travel again, but COVID-19 has required travelers to disclose more sensitive information than ever, such as their health status, often accessed from smartphone apps and QR codes—solutions that could become compromised and risky. It’s important to make customers feel safe—and that requires new digital safeguards in every organization.
At the Microsoft Security Response Center, our experts in the Microsoft Cyber Defense Operations Center partnered with Julie Shainock and Shane O’Flaherty from our travel and tourism team to provide the latest best practices for ensuring cyber resilience across the industry.
With decades of experience safeguarding IT software and systems across the globe, Microsoft is at the forefront of cyber resilience. Working every day with partners in the customer, developer, and government communities, we’re continually developing new technologies and practices to stay ahead of cybercriminals.
Those best practices are detailed in the white paper, tailored to the unique environment and challenges of the industry. For example, it’s no surprise that with such high travel and tourism worker turnover in recent years, staff education is key. Cybercriminals are always adapting their attacks, and training ensures staff know how to identify and avoid security breaches. Training is imperative for organizations of any size, and how much training staff receive should depend on their level of access to sensitive data.
Another practice outlined in the paper is applying a Zero Trust approach to access within a given organization. IT leaders should be open with employees and customers about new security measures and data collection needs. Explain why policies are changing, what this information will be used for, and how long it will be kept.
The evolving vulnerabilities of hybrid work and IoT devices also require updates to organizational standards. Security protocols, including employee cyber hygiene, need to extend beyond the physical workplace. Organizations need the technology to provide protection anytime and anywhere.
With travel resurgent, customers expect to digitally share more sensitive information with more organizations, but they also expect that information is kept safe. The travel and tourism sector’s global reach and distributed nature require an approach that not only protects against attacks but also prioritizes resilience. This requires understanding the nature of cyber risk.
Customers are excited for travel to fully reopen, and the industry is eager to welcome them. With continued collaboration, innovation, and compliance, the industry can enable them to move freely around the world, safely and securely.
Download the white paper “Codes to Resilience: Cyber Resilience in Travel & Tourism” for the latest cybersecurity issues and best practices for the industry.