Tourism sector cyber-resilience: challenges and best practices

Cyber security in the tourism sector faces complex and growing challenges arising from the adoption of digital and connected technologies such as Cloud infrastructures, Internet of Things (IoT) and Artificial Intelligence (AI) or connectivity. These technologies offer significant benefits for the sector, such as cost and environmental impact reduction, greater operational efficiency, implementation of advanced guest and visitor services or data analysis to improve decision making, among others.

However, the adoption of these technologies, which are essential for digitalization, also increases the area of exposure to attacks. These technologies become potential attack vectors that offer cybercriminals more options to exploit vulnerabilities if adequate security measures are not implemented.

This increases the risks and challenges for tourism companies, which need to implement cybersecurity measures to protect their operations, data and digital assets, as well as their customers.

Cyber resilience enables companies to continue operations even in the event of a cyberattack. Resilience is essential to minimize the impact on operations and customer experience.

Main cyber threats in the tourism sector

Some of the main cyber threats faced by companies in the travel industry can seriously compromise their operations and the security of their customers' data, including:

• New attackers, including threats from nation-states, criminal enterprises or anti-tourism movement activists, which represent a significant and evolving threat to the tourism sector.
• Impersonation, which has evolved significantly thanks to the information available on social networks and the advancement of AI, facilitating video and voice deepfakes (vishing) attacks. This tactic allows attackers to create realistic imitations of people, from executives to public figures that are used to deceive employees and security systems, gaining unauthorized access and compromising sensitive information and making it imperative to incorporate advanced identity verification and multifactor authentication solutions.
• Social engineering, which remains one of the most effective techniques for compromising a target's security. Tactics such as the aforementioned vishing or CEO fraud represent a complex challenge. Deepfakes have increased the effectiveness of social engineering attacks.
• Ransomware, which involves encrypting critical data and demanding a ransom for its release. In more advanced techniques, attackers first steal copies of data before encrypting it and subsequently threaten to publish or sell it on the deepweb. Ransomware attacks can completely cripple operations.
• Phishing: Phishing involves sending fraudulent emails to trick employees and obtain confidential information. These common social engineering techniques can lead to obtaining critical credentials and unauthorized access to sensitive systems.
• IoT exploits: The proliferation of IoT devices in the travel industry, from smart locks to building management systems, has expanded the attack surface. Cybercriminals can exploit vulnerabilities in these devices to gain access to wider networks and systems.
• DDoS attacks: Distributed denial of service attacks (DDoS attacks) can overwhelm a company's servers and networks with 'junk' or malicious traffic, rendering systems inaccessible. This can result in significant service interruptions, affecting customer experience and causing financial losses.
• Malware (malicious software), which includes viruses, trojans and spyware, can infiltrate a tourism company's systems through emails, software downloads or removable media. Once inside, malware can steal confidential information, damage data or allow remote control of systems.
• Insider threats from insiders, employees with access to critical information and systems who, accidentally or intentionally, become a potential threat if they are dishonest, greedy or negligent and can cause data leaks, sabotage or provide unauthorized access to external actors.

Cyber resilience in the tourism sector must adapt to the evolution of attackers and cyber threats.

⚠️ In the current cyber security arms race criminals are using Artificial Intelligence (AI) and automation to improve the effectiveness of their attacks.

✅ Defenders, in turn, are leveraging these technologies to detect and respond to threats in real time. This arms race underscores the need to stay current with the latest cyber security knowledge, techniques and innovations, as well as cyber physical infrastructures and systems up-to-date with security patches and updates.

The cyber-resilience formula for the tourism sector

Cyber resilience in the tourism sector is essential to ensure operational continuity in the event of cyberattacks. Companies in the travel industry must adopt their own unique resilience formula to improve their ability to respond and recover from these events.

The resilience formula for the tourism sector includes:

• Identify: Use a scheme that combines cyber intelligence and exposure management. It is vital to know the specific threats facing the travel industry and to continuously assess vulnerabilities within the organization.
• Protect: Implement a Zero Trust scheme on all systems. This approach is based on the principle that no entity, user or system should be considered trustworthy when accessing company data or applications. Identity-based protection is essential to secure critical assets.
• Detect and respond: Improve incident detection and response capabilities. This includes implementing advanced monitoring, behavioral analysis and automated response tools to mitigate the effects of cyberattacks as quickly as possible.
• Manage: Apply risk management practices and maintain ongoing resilience. Organizations should establish clear procedures for incident management, where communication and notification are key, disaster recovery and business continuity, ensuring that all employees are trained and prepared to act in the event of an incident.

Key practices to improve cyber-resilience

Implementing key security practices, such as identity and access management, continuous monitoring and penetration testing (pentesting), is key to maintaining a robust security posture. Key practices to improve cyber resilience include:

• Develop a sound strategy to align security objectives with corporate business objectives. A well-defined strategy directs security investments and efforts to the areas of highest priority and risk.
• Governance involves establishing policies, procedures and controls to ensure that security management is performed consistently and efficiently. It includes the definition of roles and responsibilities, compliance with regulations and standards, and continuous monitoring of security activities.
• Detailed analysis of security data and events enables the identification of trends, patterns, unusual behavior and potential vulnerabilities. It is essential to anticipate threats and proactively improve defenses.
• Optimizing service involves continually improving processes and practices to ensure they are as effective as possible. It can include upgrading technologies, restructuring processes, and ongoing staff training and awareness.
• Consulting services enable organizations to obtain expert perspectives and recommendations. Consultants help assess current security strategies, identify gaps and propose solutions tailored to the specific context and needs of each company.
• Prioritizing use cases is essential to focus resources and efforts on areas of greatest risk or impact. The identification and classification of these cases allows for a more efficient allocation of resources and improved responsiveness.
• Automation uses advanced technologies such as machine learning (ML) and AI to identify threats, classify incidents, respond to security events and mitigate risks. Security automation reduces the time and resources required to detect and respond to threats and minimizes the risk of human error.

Automation and optimization are key elements to ensure efficient and effective operations.

Optimizing the cyber-resilience formula for the tourism industry

Protect your customers

• Ensure that customers enjoy a secure and pleasant travel, lodging and entertainment experience with adequate security measures commensurate with risk and trained personnel.
• Facilitate processes such as reservations, check-in and check-out or the use of mobile applications, ensuring secure, intuitive and easy-to-use platforms. Implement fraud protection, payment security and personal data protection measures to ensure customer confidence and satisfaction.

Protect your operations

• Effectively manage logistics, order fulfillment, service provisioning and maintenance with security and efficiency protocols, with a focus on supply chain and third-party interdependencies.
• Keep online processes such as billing, payments and reservations secure and efficient using up-to-date technology and cyber security best practices. Protect your databases, digital assets and intellectual property information, and safeguard your company's online reputation through cyber security and crisis management strategies.

Combat ransomware

• Design a robust cyber security strategy to prevent ransomware attacks, including regular backups, employee training and awareness, and periodic drills and tests.
• Have continuity and disaster recovery plans in place to quickly restore data and systems affected by an attack.
• Develop and implement postmortem procedures to prevent future threats and improve system resilience.

Anticipates threats from nation-state actors

• Be aware that the tourism sector is vital to the economy and well-being of Western nations and therefore a potential target for threats originating from nation-state actors.
• Beyond common cybercriminals, identify threats from nation-states, groups or activists with political or economic objectives.
• Be prepared to face advanced persistent campaigns (APTs) that can attack on multiple fronts at the local, regional or national level.

✅ The adoption of these practices will not only better protect organizations in the tourism sector but will also strengthen customer confidence in the safety and integrity of their services, and their overall satisfaction.

Security challenges faced by tourism companies

As we have seen, companies in the tourism sector face several complex and evolving challenges that include, among others:

• Adoption of cyber resilience strategies with a proactive and collaborative approach to risk that includes the implementation of zero trust strategies and the use of advanced technologies and Artificial Intelligence to protect both your operations and your customers' data.
• Increased surface area of exposure to cyberattacks due to the adoption of digital technologies such as Cloud platforms, IoT or 5G connectivity that increase the chances of attackers exploiting vulnerabilities in connected devices and unsecured networks.
• Budget constraints while increasing costs due to social and corporate pressure, stricter regulations and standards or cyber insurance policies, coupled with a shortage of specialized talent.
• Cybercrime as-a-Service (CaaS), a model that facilitates the proliferation of attacks such as phishing, vishing or ransomware. It allows malicious actors to buy and sell tools and services to carry out cyberattacks even without having the necessary technical skills.
• Automation and use of Artificial Intelligence (AI) that attackers apply to create more complex threats and to increase the effectiveness of their attacks or to use tactics such as vishing, with generative AI.
• Protection against ransomware attacks, especially those involving the “total ransom” (ransomALL) of digital assets discussed above. As we have seen, these attacks can cripple operations, significantly affect the customer experience and the organization's reputation.
• Protection of customers'personal data to ensure that attackers do not gain access to sensitive information, such as identity-related or banking information.
• Management and cost of incidents which can be high, both financially and in reputational damage. Although the investment in cyber security may seem high, it prevents major losses.

Continuous training of employees in security practices and regular updating of the technologies and techniques used are critical to maintaining an effective security posture.

Conclusion

Tourism companies must implement robust cyber security strategies and continuously adapt to new threats and emerging technologies. Constant training and technology updates are essential to maintain effective security and prevent financial loss and reputational damage.

Companies in the travel industry must also adopt cyber-resilience strategies, including a zero-trust approach and the use of advanced technologies and Artificial Intelligence. Adopting these strategies is critical to protecting operations, digital assets and customer data. As it is to anticipate threats and minimize the impact of potential attacks, thus ensuring business continuity and customer confidence.

The industry, by learning from recent incidents and adopting proactive and adaptive strategies, can fortify itself against future threats and protect both its customers and its operations.

— CONTRIBUTED: Juan Campillo, David Prieto & TEAM OF Govertis, part of Telefónica Tech —

Cyber Security

Cyber Security strategies to protect the financial sector

October 10, 2023

Image: Freepik.