Best Practices for Cyber Safeguards in an Evolving Travel Industry
Welcoming travelers back while still absorbing the shockwaves of the COVID-19 pandemic has spurred a digital evolution for the travel and tourism industry. A rapid move to the cloud offers new ways of reaching customers—and introduces new risks. Travel and tourism organizations hold sensitive customer information, in addition to proprietary business data. People are eager to once again move freely across the planet, but they are asked to share more of their personal information, heightening the industry’s focus on cybersecurity.
From anywhere and on any device, travelers can book every step of a globe-spanning trip with flights, lodging, cruises, trains, and other providers. This represents a vast and diverse cyber ecosystem, where resilience is essential at every level. The industry includes booking platforms, insurance carriers, payment providers, loyalty programs, and others, all of which exchange sensitive data. Nearly all these need to confirm consumer identity, making every transaction and database a vulnerability.
Against this rapid growth in the digital ecosystem, the pandemic and high staff turnover have left travel and tourism organizations more resource-constrained than ever. Digitization and increased data sharing have opened vast opportunities, but also exposed new vulnerabilities. The move to the cloud requires new expertise for already overwhelmed IT teams.
As the travel and tourism sector looks ahead, Microsoft partnered with the World Travel and Tourism Council (WTTC) to develop a whitepaper, Codes to Resilience: Cyber Resilience in Travel & Tourism, to help plan for a more resilient future. Drawing on insights from industry leaders across the globe, Julie Shainock, Global Leader, Travel and Tourism, and Shane O’Flaherty, Global Director of Travel & Transport, co-authored a white paper with the WTTC to share the most recent understanding of cyber-resilience for the industry.
Together, Microsoft and WTTC are committed to equipping the travel and tourism industry for an increasingly digital future, grounded in security and resilience.
Evolving Pressures and New Challenges
The white paper “Codes to Resilience: Cyber Resilience in Travel & Tourism” identifies the key challenges travel and tourism organizations should be thinking about and offers best practices for preventing and detecting cybercrime as it has become more complex in recent years.
Globally, the industry saw a sharp increase in digital security breaches from 2015 to 2019, at higher costs. The risks are familiar: phishing, ransomware, malware, and identity theft are common attacks. What’s new is the widening variety of vulnerabilities—not just in the various data systems and connections that have proliferated, but also with Internet of Things (IoT) connected devices.
Travel and tourism organizations have a complex security environment because their employees are working across the globe. The shift to hybrid work has made this environment even more challenging, and workers more susceptible to cybersecurity breaches.
With the workforce challenges of the pandemic, many travel and tourism organizations need to defend more vulnerabilities with reduced IT and security teams. As Alain Simon of Amadeus says in the paper, “the issue is not a problem of budget, but a problem with resources.”
An added dimension for a sector that operates globally is legal and regulatory compliance. Each country or region determines its own legislation around privacy, critical infrastructure, and supply chain security. For example, the EU has implemented the General Data Protection Regulation (GDPR), Australia has the Privacy Act, and various states in the US have differing privacy laws—making compliance of utmost importance.
Highlighting Best Practices
People are eager to travel again, but the pandemic has required travelers to disclose more sensitive information than ever, such as their health status, often accessed from smartphone apps and QR codes—solutions that could become compromised and risky. It’s important to make customers feel safe—and that requires new digital safeguards at every organization.
At the Microsoft Security Response Center, our experts in the Cyber Defense Operations Center partnered with Julie Shainock and Shane O’Flaherty from our travel and tourism team to provide the latest best practices for ensuring cyber resilience across the industry.
With decades of experience safeguarding IT software and systems across the globe, Microsoft is on the forefront of cyber resilience. Working 24/7 with partners in the customer, developer, and government communities, we are continually developing new technologies and practices to stay ahead of cybercriminals.
Those best practices are detailed in the white paper, tailored to the unique environment and challenges of the industry. For example, it’s no surprise that with such high travel and tourism worker turnover in recent years, staff education is key. Cybercriminals are always adapting their attacks, and training ensures staff know how to identify and avoid security breaches. Training is imperative for organizations of any size, and how much should depend on employees’ level of access to sensitive data.
Another practice outlined in the paper is applying a zero-trust approach to access within a given organization. IT leaders should be open with employees and customers about new security measures and data collection needs. Explain why policies are changing, what this information will be used for, and how long it will be kept.
The evolving vulnerabilities of hybrid work and IoT devices also require updates to organizational standards. Security protocols, including employee cyber hygiene, need to extend beyond the physical workplace. Organizations need the technology to provide protection anytime, anywhere, and anyplace.
With travel resurgent, customers expect to digitally share more sensitive information with more organizations, but they also expect that information is kept safe. The travel and tourism sector’s global reach and distributed nature require an approach that not only protects against attacks, but also prioritizes resilience. This requires understanding the nature of cyber risk.
Customers are excited for travel to fully reopen, and the industry is eager to welcome them. With continued collaboration, innovation, and compliance, the industry can enable them to move freely around the world, safely and securely.
Learn More
Download the white paper “Codes to Resilience: Cyber Resilience in Travel & Tourism” for the latest cybersecurity issues and best practices for the industry.
Read more about the work of the Systems Security and Privacy team at the Microsoft Research Lab in Redmond.