By Charles Duncombe, owner and director of Holidays Please
A couple of months ago someone tried to hack our website. They spent more than two days trying to gain entry with the sole purpose of trying to get hold of our customer data. How do I know this?
Well, mainly because I paid them to do it.
Following high-profile security breaches at companies like TalkTalk and Hilton, it is clear that cybersecurity continues to be a big issue for business and consumer alike.
The travel industry is particularly vulnerable as we store some very important personal information such as credit card details, passport details and when customers are going to be leaving their house unattended!
While it sounds slightly kinky, we started on the “penetration testing” journey last year and I would recommend it to any company that stores critical business information electronically.
We engaged a company of professional hackers to try and breach the security of our website and systems. Our technical person sweated profusely as we were bombarded with password attacks, attempted script injections and goodness knows what other nasties from their evil cyber toolkit over a two-day period.
Thankfully we survived the test. We then took the test to the next level and gave the security company the login details for a member of staff. Armed with these details they found one weakness which could have been exploited.
We managed to fix the issue and the security company only got in because we had given them passwords that hackers wouldn’t have access to. However, it showed me that if the right circumstances conspire against you, your whole business can be at risk.
I did wonder: why hadn’t we done this earlier? I thought how crazy it was that most businesses will frequently test burglar alarms designed to protect replaceable, insured property and yet very little testing goes on to prevent the theft of irreplaceable, uninsured property.
Don’t underestimate the damage; the effects really can be devastating. TalkTalk are reported to have lost more than 250,000 customers as a direct result of their security breach last year.
Too often we feel (or rather hope) that the tech company who built our website and/or office network are on top of the latest hacking techniques and that they will keep you safe. They won’t. Especially if you last used them two years ago and they haven’t touched your website since!
And if you think your business is too small to be on the hacker’s radar then think again. It’s not like in the films where it’s the spotty bedroom hacker vs the Pentagon. The reality is that hackers run automatic software programs that scan the internet for websites and office networks that show vulnerabilities.
These programs scan thousands of sites and networks a minute and then prey on the weak. So while you are in the herd travelling across cyberspace, are you the one limping at the back and wheezing while the predators lick their lips?
So what can you do? As a first step there are some very easy, cost-effective websites that can run the sort of tests that hackers would run. They will then highlight any vulnerabilities which you can then pass on to your technical person to fix. Prices start from as little as £25 a month; visit trust-guard.com or qualys.com for some examples.
Then for the more in-depth testing I recommend employing a proper cyber security company. You may have to spend a few thousand pounds, but how does that cost compare to the cost of losing your customer data, reputation and business? We used perspectiverisk.com but others we looked at included nettitude.co.uk.
Our industry often has to deal with thin consumer confidence because of some of the bad news stories that are affecting certain holiday destinations. Let’s not give the customers another reason to worry.