Theory: Cyber Security and Cyber Resilience in Tourism SMEs
5. Good Cyber Practices for tourism SMEs
One crucial element of cyber security and cyber resilience is providing staff education and digital skills training. Employees who are properly trained on how to avoid falling victim to cyber-attacks, and who know what to report, can strengthen a tourism SME’s security and reduce the risk of cyber threats such as unauthorised access to the company’s systems.

The WTTC identifies 7 good practices that can be taken in order to further enhance cyber resilience:
1. Integrate cyber risk management into organisational risk management
Cyber risks should be prioritised and managed along with other business and operational risks. Businesses should regularly review and update their risk management processes and allocate a budget according to the risk level and mitigation measures required. Skilled employees are necessary to create and inform cyber risk policies, implement best practices, and manage risks proactively and continuously.
2. Educate and train all staff
Training is crucial both for introducing new staff and for educating current staff, so that digital systems and processes are used effectively and safely. While not all employees require the same level of training, it is important for all staff to have a fundamental understanding of cyber security principles. This reduces the likelihood of cyber-attacks that originate with, or are enabled by, insiders.
3. Expand risk protections beyond the physical workplace
With the move to remote and hybrid working, cyber controls should be applied more broadly than the office. It is crucial to consider how hybrid working models could affect security and heighten vulnerabilities, including the security of home Wi-Fi networks and employees’ cyber hygiene on their own devices, among others.
4. Employ a zero-trust approach to cyber security
The zero-trust approach moves away from previous methods that relied on higher levels of trust within the organisation. It relies on explicit verification of access requests, least privilege access, and assumes a breach or compromise. This enables more flexibility in access while limiting exposure to core systems.
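The following is an added illustration, not part of the WTTC material or the course text: a toy access-decision check that contrasts the legacy "trusted office network" model with the three zero-trust principles named above (explicit verification, least privilege, assume breach). All user names, roles, resources and requests are constructed for the example.

```python
"""Toy comparison of perimeter trust versus zero trust for a tourism SME's booking system.
Added example; all names, roles and requests are constructed, not taken from a real system."""
from dataclasses import dataclass

# Least-privilege role table (constructed): each role may only do what its job requires.
ROLE_PERMISSIONS = {
    "front_desk": {("bookings", "read"), ("bookings", "write")},
    "accountant": {("bookings", "read"), ("payments", "read")},
    "manager":    {("bookings", "read"), ("payments", "read"), ("payments", "refund")},
}

@dataclass
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    from_office_network: bool
    mfa_verified: bool        # identity explicitly verified with a second factor
    device_compliant: bool    # e.g. patched, disk-encrypted, managed by the SME

def legacy_perimeter_decision(req: AccessRequest) -> bool:
    """Old model: anything connecting from inside the office network is trusted implicitly."""
    return req.from_office_network

# "Assume breach": every refusal is recorded so unusual activity can be reviewed later.
denied_log: list = []

def zero_trust_decision(req: AccessRequest) -> bool:
    """Zero trust: verify explicitly, grant least privilege, never trust network location alone."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("identity not verified with MFA")
    if not req.device_compliant:
        reasons.append("device not compliant")
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"role '{req.role}' may not {req.action} {req.resource}")
    if reasons:
        denied_log.append((req.user, req.resource, req.action, reasons))
        return False
    return True

if __name__ == "__main__":
    # Constructed request: an unverified session on the office Wi-Fi asking for a refund.
    r = AccessRequest("unknown", "front_desk", "payments", "refund", True, False, False)
    print("legacy grants:", legacy_perimeter_decision(r), "| zero trust grants:", zero_trust_decision(r))
    print("denied log:", denied_log)
```

The same request is granted by the perimeter model purely because it comes from the office network, while the zero-trust check refuses it for three independent reasons and leaves an audit trail.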
5. Employ ongoing threat assessments
This means enhancing resilience against cyber threats by building relationships with experts in the field, using analytics to refine protection measures, conducting penetration tests to identify vulnerabilities, segmenting systems to limit the impact of a breach, and prioritising which systems need the strongest protection.

6. Be transparent
It is key to communicate the security measures that have been implemented and the reasons for data collection, data usage, and data storage periods. Tourism SMEs should collect only the minimum personal data and payment information needed and offer the highest levels of protection to foster trust. Compliance with legislation and standards (e.g. GDPR) should be highlighted. If a breach occurs, affected parties and regulatory bodies should be notified immediately, and measures should be taken to mitigate the impact of the breach.
7. Implement an organisational standard
Business leaders should comply with legislation in the regions where their organisations operate. The EU’s mission to foster a standardised approach to cyber security and resilience and data protection has led to the development of:
● The EU Cyber Resilience Act seeks to establish common cybersecurity rules for digital products and associated services that are placed on the EU market.
● The EU Cybersecurity Act strengthens the ENISA and establishes a cybersecurity certification framework for products and services.
● The evolving cyber landscape necessitates specific cyber laws to enhance civil protections; this is where the EU’s General Data Protection Regulation (GDPR) comes in. ENISA’s current priority is to promote data protection measures that show how cyber security technologies can support the fulfilment of the GDPR’s data protection principles (see the steps on data breach response in Section 10.3).
● As part of the 2023 European Year of Skills, the Commission adopted a Communication on a Cybersecurity Skills Academy on 18 April 2023.
Such regulations and policy initiatives must be considered by tourism SMEs when developing and implementing an organisational standard, which should also be informed by cyber security, privacy, and legal experts.
ENISA has developed a cybersecurity guide for SMEs which sets out 12 steps through which SMEs can secure their businesses.
The steps are:
- Develop good cyber security culture;
- Provide appropriate training;
- Ensure effective third-party management;
- Develop an incident response plan;
- Secure access to systems;
- Secure devices;
- Secure the network;
- Improve physical security;
- Secure backups;
- Engage with the cloud;
- Secure online sites;
- Seek and share information.