Access to travel information, whether on a tablet in Tashkent, a laptop in Lusaka or a smartphone in Seoul, is now a fact of corporate life. We all need to work on data, on the go, on all devices if we’re to embrace our increasingly connected world.
Yet companies are struggling to offer travellers secure access to the systems they need. This is concerning, since we’re in an era when cloud computing, multiple devices and social networks have radically transformed the way businesses operate.
“The growth in sophistication and volume of cybercrime has now revolutionised the threat landscape,” says Nicolas Reys, a consultant on cybersecurity at Control Risks. “Travel buyers and managers face an expanding pack of threat actors including criminals and activists, even nation states, all targeting sensitive data.”
Numerous top cybersecurity reports from the likes of Verizon, Dell, IBM, Symantec and Cisco all paint a grim picture: an escalation in targeted cyberattacks, hacking and security breaches. Juniper Research estimates this type of crime will cost businesses globally over US$2 trillion annually by 2019.
Fraud is constantly in the headlines, although the stories tend to be big consumer breaches at well-known companies that are not only in the public eye but also serve large numbers of customers, from Tesco Bank to TalkTalk. The International Air Transport Association (IATA) estimates that airline card fraud, much of it online, costs the airline industry at least US$1 billion a year. Yet there’s also a lot of cybercrime that goes unreported, specifically in the corporate travel industry, much of it at a low level.
“36,000 known frauds are reported each month; however, only 6,000 are ever followed up and taken through to investigation,” says Ken McLeod, director of industry affairs at Advantage Travel Partnership. “Corporate fraud doesn’t appear to be taken as seriously as, say, personal banking. Having experienced the disinterest of the authorities at first hand over fraud issues, it is only when a complaint is made by an individual who has been affected, do authorities start to take action.”
As we enter what many are calling the ‘fourth industrial revolution’, or ‘industry 4.0’ – characterised by the digital economy with the intensive digitisation of consumption and production of goods and services, combined with the rise of the Internet of Things, where devices talk to one another – businesses globally are seeing a proliferation of risk.
“What’s also different today is that billions of us have a mobile phone and, increasingly, a smart one,” says Kent Purdy, solutions marketing manager at Micro Focus, a multinational IT firm. “Companies want to facilitate anywhere, anytime access, to anything from anyone, through our devices. Yet the adoption of technology has occurred faster than our willingness to secure it.”
Travel services are also now becoming more global. The industry has historically been highly regional, for example, in the limited scope of each global distribution system. Data once locked in unique systems is becoming aggregated globally, and this integration creates potential points of attack.
“One of the areas of focus is the need to continually upgrade systems that are central to the travel booking process,” says Kathy Orner, chief information security officer at Carlson Wagonlit Travel.
The travel industry as a whole could certainly do with working on a secure information exchange protocol where the end suppliers – the airline, the hotel, the ground transport provider and so on – are all able to work on a secure platform for encrypted information exchange, working alongside the travel buyer.
“Different suppliers within the industry are all at different levels of security and this causes vulnerability within the value chain, leading to an increased risk in cyber breaches,” says Ali Hussain, head of group strategy at the ATPI Group.
Blockchain technology, the computer network underpinning Bitcoin, the virtual currency, has been touted as a way of achieving this. This would provide a single, secure, transparent global ledger used by travel companies. You could then track payments and settle them in multiple countries and currencies.
One travel company in Australia, Webjet, has built a blockchain proof-of-concept solution with Microsoft. The online travel service claims to be the first in the world to do so. But this is a long way off from being an industry-wide solution. So watch this space.
THREAT TO DATA
The most prominent threats buyers should be aware of are those to personal and financial data. Increasing profits have fuelled the development of the cybercriminal infrastructure – for example, dark-web marketplaces.
You can now buy access to someone’s mobile phone for tens of pounds sterling on the dark web. “These provide relatively low-risk environments in which criminals can anonymously monetise stolen data,” says Reys.
It doesn’t help that travel data is an especially fruitful source of information – revealing personal, credit card, passport, driver’s licence and financial information, and details of an employee’s location. The good thing is that the industry has a long tradition of duty-of-care for the business traveller. “This has helped people create very effective strategies for the industry as a whole,” says Si-Yeon Kim, chief risk and compliance officer at American Express GBT. “But we must understand that data has a price beyond just raw monetary value. An individual piece of information may have less than a pound’s value on the black market; but the personal value and loss of business trust are immeasurable.”
It’s difficult to be an expert in both cybersecurity and travel buying, so it is worth partnering with professionals in their field, and selecting suppliers that demonstrate good data security practices. “It is imperative that you work with your IT department to ensure that reasonable efforts are being made to keep data safe,” says Antoine Boatwright, chief technology officer at Hillgate Travel.
EDUCATION AND FOCUS
Cybersecurity is not just about check-box compliance: there’s a real business risk involved, so it needs proper focus and education. Getting travelling executives not to tick ‘store credit card for next purchase’ when buying overseas with the corporate plastic helps and, as a travel manager, pre-paying as many expenses as possible reduces the number of card transactions made overseas in insecure environments.
Using virtual credit cards can also reduce risk, as can avoiding multiple single-use apps in favour of apps that can do the work of many programmes, such as those offered by travel management companies. Travellers should avoid connecting to public wifi networks where they can, but this can be unavoidable when on the move. Virtual private networks (VPNs) are one solution. A VPN uses encryption to let users exchange data safely across a public network as if their device were directly connected to a private network, such as their office intranet. Larger organisations can provide in-house VPNs but, for smaller companies, cloud VPNs now start at tens of pounds sterling per month. As a travel buyer it is also good to ask questions of all your suppliers.
One manager at a media company whose data was recently breached said: “Attacks can occur at any time – no one likes to talk about it since it affects the company’s reputation. You may feel your IT department is doing its duty, but this may not extend to all of your partners within the industry. They can all be subject to cybercrime, too. It’s a minefield.”
The questions to ask are: how secure is your service, and how is it secured? If you can’t find that in the documentation then further probing is needed. Are all communications encrypted? Are your databases encrypted? What do I need to know about your security?
You can make ISO 27001, which covers information security, a pre-requisite for suppliers. You should also know what jurisdiction the supplier is in, since a lot of data sits on overseas servers. The US is a big player in the travel industry and there have been privacy and surveillance concerns with European-based data sitting on North American servers. A new deal on data transfer, called the EU-US Privacy Shield, was adopted by the European Commission in July last year and this should have set this straight, but only time will tell.
“Certainly understand what key firepower your suppliers are using, such as their firewall,” advises Boatwright. “Validate their ICO [Information Commissioner’s Office] membership. Realise that smaller suppliers have less IT resources.”
The key is to ask what your supplier does with your data. Many organisations are now using sophisticated data analytics and in some cases expanding their artificial intelligence capacity. “Once you know how the data will be used, you can go into the specifics of how it is being protected,” says Orner.
The insecurity of basic usernames and passwords is one of the biggest issues. Efforts to replace them with something safer go back a decade – IBM developers discussed ditching them as early as 2008. And biometrics as a way of identifying someone has existed for even longer and is now back in fashion. Even mobile selfies are now emerging as a way to verify people and payments in the consumer world. “Authentication technology has evolved more in the last few years than it has in the last two decades,” says Purdy. “But less than 10 per cent of companies out there have any form of dynamic authentication.”
This way of verifying people is a lot smarter and more secure. It goes beyond passwords and instead adapts to a user’s situation and risk profile. This new type of authentication, also called adaptive authentication, can recognise changes in our behaviour – it isn’t static and context is crucial. For instance, is that person using the same device in their usual location? What else have they accessed lately? Does everything look normal?
“The trend will be to move away from rules-based detection and prevention to include more artificial intelligence and learning agents that evolve,” says Hillgate’s Boatwright. That time can’t come soon enough for many who have been attacked.
• The proliferation of connected devices being used beyond the corporate network is a growing issue.
• Data security should no longer be the domain of a single department or executive in an IT department – it must be a focus for the whole organisation.
• Cybersecurity needs to evolve as fast as the latest software, hardware and apps travellers are using.
• Security is a culture and needs a sustained effort in terms of building awareness.
• A cyberattack is not just a data breach – corporate reputation is at risk. Many companies report a loss of image and brand value.
• Airports, hotels, restaurants and cafes are all hotspots for cybercrime. A hotel business centre can often be less secure than a public internet café.
• Geography can be unimportant – cybercriminals are everywhere. You can be compromised in Lima or Las Vegas, Taipei or Tirana.
• Public wifi networks are cropping up in new spaces – aircraft, public parks, high streets and trains. This increases the chance of unfettered access from cybercriminals.