The following article is by Debbie Venn, Partner, Head of Commercial and Technology, asb Law, for Travel Law Today 4th ed., which can be downloaded from ABTA's Member zone and read here.
You can help make sure your business is GDPR-ready by attending one of ABTA's forthcoming seminars:
A Beginner’s Guide to Travel Law – 5 December (Manchester)
Essential Business Travel Law – 25 January (London)
Data Protection and Cyber Security in Travel – 1 February (London)
Travel Law Seminar – 22-23 May (London)
The consequences of a cyber attack have been brought into sharp focus in recent months, particularly when the NHS fell victim to a ransomware attack in the WannaCry incident. In 2017, an estimated 5.6 million incidents of fraud and computer misuse offences were reported. Sadly, cyber attacks are on the up and growing in sophistication and frequency. Prevention is often better than cure, although sometimes your best efforts will not stop a determined cyber criminal. So what should you be aware of to reduce risk as much as possible and protect your business information, data and systems?
What is cyber crime/attack?
Data is a valuable business asset. Developments in technology, and changes in how businesses store, hold and transfer data, mean that data is often in many different places; and, in the travel industry in particular, in different countries with different levels of data security. Use of third party IT providers or hosting platforms (e.g. the cloud) will mean that data is unlikely to be in your direct control. This makes it easier for someone to try to gain unauthorised access to your data.
Examples of types of threats that might appear in a ‘cyber’ environment are:
- Denial of service attack: network flooding causing overload and shut down
- Hackers obtaining access through system vulnerabilities
- Phishing: generally emails sent to acquire sensitive information (e.g. passwords) by masquerading as a trustworthy entity.
- Ransomware: attacks and infects a computer, encrypting the files it finds and holding them to ransom, demanding money (usually in bitcoins) to regain access and decrypt the data.
All quite nasty stuff, and your IT teams should be able to explain the systems security that you have in place to try and combat cyber attacks. However, a larger vulnerability is often the people in the organisation who accidentally let attackers into their systems and network. People in an organisation therefore need to be made aware of your organisation’s cyber security measures and be vigilant to potential attacks and communications that they might receive (such as a phishing email), so they can alert IT and shut the attack process down swiftly.
What can I do to improve cyber security?
The National Cyber Security Centre gives ten useful steps to be cyber secure: www.ncsc.gov.uk. The key steps include:
- Get your network secure
- Educate your users
- Get prevention mechanisms in place
- Have a plan to manage incidents and follow it
- Monitor systems and procedures carefully
- Have policies in place
- Set up a risk management regime to fit the risks of your business.
For travel businesses, there are key considerations around data flows, including passing passenger information to authorities, hotels, airlines or other providers of services that are outside your organisation. You should map the data flow of your organisation so you know where the vulnerabilities to cyber attack might exist (technical and physical), and ensure that this forms part of your cyber security policy and risk management regime. Once data mapping is complete, conduct a risk assessment, which should also form part of your internal data protection and cyber/IT policies; these should be monitored, maintained and updated as necessary to keep up to date with new technologies and ways of working. It will also help feed into your disaster recovery and business continuity policies.
You should check whether your existing insurance policies include cyber cover, or whether you need to take out specific cyber insurance. Any cyber insurance cover you have should cover the risks applicable to your business and therefore should be checked against the risk assessment that you have carried out on the organisation. Cyber insurance can help not only with the costs associated with a cyber attack, but also with the costs of controlling and managing the attack, PR costs, dealing with reputational issues and potentially damages for breach of data protection or confidentiality. There may also be fines from regulators, such as the Information Commissioner for a data protection breach (exacerbated by the GDPR). Your policy should be checked to see what help you can get if something goes wrong.
If something happens, actions to take:
- Immediately protect your business from further attack
- Investigate what happened, when, how, who was affected and what was lost, damaged or compromised
- Notify under any insurance policy covering cyber crime and see if they can offer you help with damage control
- Issue communications internally to relevant staff, suppliers, etc.
- Consider and carefully put together an external communication to customers and those affected
- Check affected contracts
- Inform regulators, those affected, even the police
- Implement measures to prevent an attack.
- Undertake a risk assessment on your cyber and security environment.
- Design appropriate processes and policies for dealing with information security (including how to deal with home and mobile working and data transfer to other third parties and countries).
- Train and create awareness in your organisation around the importance of adhering to the policies and processes to keep systems secure and create vigilance.
- Regularly review and update for organisational changes and identify and deal with new risks.
- Assess security having regard to the technical state of the art and apply budget to implement and maintain systems security based upon any updates on risk profile for the business.