Travel staff are the weakest link in cybersecurity, says expert
Travel industry staff are the “weakest link” in the fight against cybercrime, a security expert has warned.
Cyber consultant Bruce Wynn said cybercrime attacks risked bringing down entire businesses.
He was speaking at the launch of anti-fraud group Profit’s Secure Our Systems campaign, backed by Travel Weekly.
Wynn, who has 40 years’ cybersecurity experience and is one of several experts supporting the seven-week campaign, which aims to give the industry the tools to fight cybercrime, said: “The weakest link in any cybersecurity chain is the thing that fills the space between the keyboard and the floor.”
There was a 92% rise in the number of cyberattack reports made to Action Fraud between January 2016 and September 2018, from 1,140 to 2,190, according to The City of London Police’s National Fraud Intelligence Bureau. Reports of hacking, in which fraudsters gain unauthorised access to data, saw the biggest increase, up 110%.
Wynn believes all travel firms will have experienced cyberattacks but some may not know it.
“You need to have planned well ahead for what you will do when you do discover you’ve been attacked, including how to recover from some of the damage that will have been caused,” he said.
He said a ransomware attack, for example, could be “catastrophic” as a company could lose all data without an adequate data recovery plan. It could also face a GDPR fine.
“It will cost you big time if criminals get into your system and even just corrupt your information to the point you can no longer do business confidently,” he warned.
Other threats include cloned websites, impersonating chief executives and insider fraud, with criminals using techniques such as phishing and hacking to get into companies’ computer systems to steal money or information.
Wynn said one of the most productive attacks is spear phishing, which targets an individual for sensitive or confidential information and often relies on the vulnerability of the person involved.
“The bad guys are going to get in and they will do damage,” he said. “Who are your staff going to call? Your troops need to know how to detect something suspicious, and what to do.
“Computer technicians can try to ‘backstop’ some of it, but staff need to be educated and trained and get a professional to assess how their business can best manage its risk in terms of cybercrime as part of its wider risk assessments.”
At the very minimum all companies should have up-to-date systems in place with anti-virus and anti-fraud software and back-up programs that are regularly tested to ensure any data lost can be recovered.
Wynn believes 80% of attacks can be mitigated at “almost zero cost” to businesses. “Thirty minutes now [on planning] could save lots of money, embarrassment, legal costs and even your business, later on,” he said.
Wynn recommended free resource Cyber Essentials, at cyberessentials.ncsc.gov.uk. The government-backed scheme offers guidelines on self-assessment and access to professional advice on cyber security.
What are the cyber threats?
Here are some common terms for malicious technology and fraudulent activity.
DDoS attack – a distributed denial-of-service attack is where multiple computers flood a server, website or network with unwanted traffic to make it unavailable to its intended users temporarily or indefinitely.
Ransomware – a type of malicious software (malware), usually deployed through spam or phishing, designed to block access to a computer system, typically by encryption, until a sum of money is paid. It can be spread through email attachments, infected software apps, compromised websites and infected external storage devices. Famous examples include the WannaCry attack last year.
Rootkits – a set of software tools that enable an unauthorised user to take over a computer system without detection.
Trojan – type of malicious software often disguised as a legitimate app, image, or program. Typically users are tricked into loading and putting Trojans on their systems.
Viruses – a piece of computer code capable of copying itself, normally deployed through a spam or phishing attack that typically has a detrimental effect, such as corrupting the system, stealing, or destroying data.
Worms – self-replicating malware that duplicates itself to spread to uninfected computers.
CEO fraud – a senior executive in a company is impersonated to divert payments for products and services to a fraudulent bank account. Typically the fraud will target the company’s finance department via email or over the telephone.
Account takeover fraud – a form of identity theft in which the fraudster accesses the victim’s bank or credit card accounts through a data breach, malware or phishing, to make unauthorized transactions.
Insider fraud – when an employee uses his or her position in an organization to steal money or information to threaten security
Cloned websites – when a fraudster copies or modifies an existing website design or script to create a new site in order to steal money.
Phishing – when emails purport to be from reputable companies to induce individuals to reveal personal information, such as passwords and credit card numbers.
Spearphishing – email scam targeted to one specific individual, organisation or business often to steal sensitive information for malicious purposes. These purport to be from someone you know and use your name.
SMiShing (or SMS phishing) – type of phishing attack where mobile phone users receive text messages with a website hyperlink which, if clicked on, will download a Trojan horse (malicious software) to the phone.
Hacking – unauthorised intrusion into a computer or network.
Bot– a computer infected with software that allows it to be controlled by a remote attacker. This term is also used to refer to the malware itself.
Exploit kit – code used to take advantage of vulnerabilities in software code and configuration, usually to install malware. This is why software must be kept updated.
Keylogger – a program that logs user input from the keyboard, usually without the user’s knowledge or permission, often using memory sticks on laptop ports.
Man-in-the-Middle Attack – similar to eavesdropping, this is where criminals use software to intercept communication between you and another person you are emailing, for example when you are using third-party wi-fi in a café or on a train.