With travel companies firmly in the sights of data hunters, cyber security expert Simon Borwick of Deloitte spoke to Ian Taylor.
The high-profile data breach at telecom provider TalkTalk in October put the cyber-security threat to business in sharp focus.
Simon Borwick, director of Deloitte UK’s cyber sector practice, warns that a previous focus by attackers on the banks has shifted following heavy investment in improved security by financial institutions.
He warned: “The travel economy is now in cyber attackers’ sights, as a sector with a large customer base and high volume of transactions.”
Borwick advises consumer-facing industries on security and risk and he sees recurring ways in which attackers breach security.
“One is through the front door via a website or app that is not well secured. Companies can take a number of relatively low-impact measures to prevent that.
“Another is through targeted phishing attacks. A lot of organisations are targeted with personalised viruses to get insiders to click on an attachment.
“It’s key to educate people to ‘think before you click’ and ask ‘why have I been sent this attachment?’
“Attacks are very common. Organisations which have good monitoring are under cyberattack more or less daily. There is a constant race to keep systems up to date. When organisations say attacks are not an issue, the question is ‘how do you know?’”
Borwick said: “The biggest group of attackers are criminals seeking information they can monetise immediately, such as credit-card data or personal data that has value for identity-theft purposes.
“In the airline and hotel sectors we see an increasing amount of fraud against loyalty schemes to extract points which can be converted into something of value.”
The Payment Card Industry Data Security Standard (PCI DSS) requires all card data be protected and encrypted.
Borwick explained: “On new platforms that is a given. The challenge is that there is an awful lot of legacy technology in the retail, hospitality and leisure sectors.
“An issue for a lot of organisations is the complexity of their technology. Unpicking it to encrypt data can be a real challenge. The large online retailers have been grappling with this for a number of years and are more advanced than others in retail.
“Large organisations are fully aware of the problem. It’s at the smaller end of the market that people are less well prepared.
“Organisations which traditionally have to manage risk are also more comfortable – airlines are some way ahead at evaluating cyber risks.”
He highlights the risks on mobile devices, saying: “Consumers are familiar with anti-virus software on laptops, but most people don’t consider anti-virus software on a smartphone when there are just as many risks.
“This is worrying given the rush to embrace apps and mobile payments.
“Consumers are encouraged to embrace the convenience of mobile devices and smartphones are increasingly becoming a single source of someone’s identity.”
Borwick warned: “It’s risky to put everything on a phone.
“Device manufacturers don’t encourage you to think about the risks because the devices are about being all-encompassing. But just as when you go on holiday, you would not lie on the beach with your wallet beside you, why do it with your phone?”
He said: “You can never eliminate the risks, but it is incumbent upon providers to put the right systems in place and on consumers not to override security features.”
Company data can also be at risk. Borwick said: “Cyber security is not just about the breach of personal data, there is a wide variety of threats and of ‘threat actors’ with different levels of capability and persistence.
“Cyber criminals are becoming increasingly sophisticated. There are also hacktivists [with a political agenda] and hobbyists – people for whom breaching security is a challenge.
“I’m often surprised by the relatively large organisations which have not got to the bottom of this. Organisations need to consider ‘Who would like to harm my business?’
“Travel is increasingly a target. Online retailers are coming into focus and there is an increasing tempo to attacks, with cyber attackers’ tools becoming commoditised and sold as DIY kits.”
Asked what businesses should do, he said: “First, identify the critical assets to your business, the data you hold and where it is.
“Second, consider the impact if this data were unavailable or breached so you understand the scale of the problem.”
Moving data to the ‘cloud’ is an option, but he warned: “Moving to the cloud is [merely] transferring the problem if you’re not fully aware of the risks and how they are managed.
“The danger is you can rapidly lose visibility of data – where it’s stored and whether you’re in breach of the Data Protection Act by exporting it outside the European Union.”
This article is an extract from the Travel Weekly Insight Annual Report 2015