Travel Industry: How to Keep Your Travel Site Protected
With reservations for flights, hotels, car rentals, and other amenities being booked over billions of smartphones and devices, the travel industry needs to take aggressive, proactive measures to ensure the security of its customers' data.
In today's reality, where hackers get past firewalls and penetrate deep into networks, there is an unprecedented escalation in the number, size and frequency of data breaches and cyber-attacks. In 2013, a total of 550 million identities were breached, a 62% increase from 2012 [1]. According to internet security leader Symantec, in its April 2015 report [2], 2014 saw faster attacks, more files held for ransom, and far more malicious code than in previous years. The number of breaches increased by 23%.
In 2014, 5 out of every 6 large companies (2,500+ employees) were targeted with spear-phishing attacks (emails that appear to be from an individual or business that you know), a 40% increase over the previous year. Small and medium-sized businesses also saw an increase, with attacks increasing 26% and 30%, respectively. Ransomware attacks grew by 113% in 2014, driven by a more than 4,000% increase in crypto-ransomware attacks, in which a victim's files, photos, and other digital media are held hostage. The victim is offered a key to decrypt their files after paying a ransom ranging from $300-$500, and there's no guarantee their files will be freed.
The hotel industry seems particularly vulnerable, with cyber criminals stealing customer credit card data and personal information, according to the Hotel News Now website. There are solutions in the marketplace to dramatically reduce the risk of data breaches, such as avoiding the need to store credit card numbers in hotel systems at all, so that if a cyber-criminal does get in, there is nothing to steal.
There is much advice about what travel companies can do to protect their customers and themselves. Aggregating information from a number of industry experts, such as the UK's Information Commission responsible for data protection, CIO.com (an information technology trend website), and American Express, among others, shows that the most significant security measures emerging are staff training, improved IT systems, and access to information:
- Provide Data Protection Act training for all staff
- Appoint an employee to be responsible for data protection – for example, a Chief Security Officer
- Train employees to thwart attacks: Don't hand over sensitive information to hackers presenting themselves as reputable people; don't open suspected malicious links sent via email.
- Put the right technologies in place. Make sure you have a firewall protecting your network.
- Implement the relevant PCI DSS standards
- Require strong passwords
- Use cyber-protection software and/or service that hunts for viruses and malware on your website
- Choose a secure ecommerce and payments platform and a secure connection for online checkout – make sure they are PCI compliant
- Set up system alerts for suspicious activity
- Layer your security
- Monitor your site regularly and perform regular PCI scans
- Make sure you have a DDoS protection and mitigation service
- Consider a fraud management service
- Make sure you, or whoever is hosting your site, is backing it up and has a disaster recovery plan
Access to information
- Ensure documents containing personal information can only be accessed by members of staff on a need-to-know basis
- With group bookings, ensure that customers understand which members of the group can amend the booking and obtain information about it; make sure staff are aware of these procedures
- Sensitive information about customers' disabilities or special needs should be handled with extra care
- Don't store more customer data than you need. Once sensitive data (e.g. credit card numbers) is no longer relevant for the business at hand, purge the customer records.
About the Author
Eran Feinstein is the founder of 3G Direct Pay Limited, a provider of global e-commerce and online payments solutions for the travel and related industries. With over 14 years of leading technology, sales, marketing and operation teams, Eran is an authority in the East African e-commerce and payments arena. He's also an avid marathon runner.