Theory: Cyber Security and Cyber Resilience in Tourism SMEs

Cyber Security and Cyber Resilience in tourism

In the context of tourism and travel, digitalisation has become a strong enabler of business in today’s digital world.

Cyber security and cyber resilience are important as the digital innovation they safeguard:

●       Digital innovation redefined the tourist experience and has led to a heightened susceptibility of tourism to security risk.

●       Cyber security and cyber resilience are tools that shape the sector and ensure a safer future for the tourism and travel SME sector. 

Technology now plays an integral role in nearly every aspect of the travel and tourism experience:

⮚     from inspiring tourists during the pre-purchase stage of the consumer journey,

⮚     to leaving online reviews in the post-purchase stage.

This often involves online transactions, customer sensitive information, cloud integration, and digital payment technology, which as a result has increased the digital footprint of tourism businesses, rendering them exposed to cyber threats and attacks, some of which may constitute cybercrime (Paraskevas, 2020).

https://thecyberverdict.com/author/emmanuel/

Since 2010, several of cyber security breaches were reported, even by the biggest hotel chains in the world:

⮚     Marriott International Hotel Group was responsible for a data breach in 2020 that failed to protect customers’ personal data and disclosed names, mailing addresses, loyalty account numbers and various other sensitive information.

⮚     An approximate 340 million guests were concerned by this attack. 2 years prior, in 2018, Marriott received an alert from an internal security tool regarding an unauthorised access attempt in their guest reservation database in the United States.

Further investigation by cybersecurity experts revealed that unauthorised access to the hotel's reservation system had occurred as far back as 2014 (Secure Stay, 2020).

https://gritdaily.com/marriott-hit-by-second-data-breach-2020/

The repercussions of cyber threats and/or attacks can cause considerable harm to brand reputation and consumer trust, resulting in significant financial, legal, and regulatory consequences. Tourism providers can suffer from both direct and indirect financial losses (Paraskevas, 2020) – 

●        Direct financial losses: company expenses associated with IT recovery services, as well as legal fees and public relations services.

●        Indirect financial losses: costs for hiring additional technical IT staff, providing staff training on cyber security and cyber resilience, upgrading cyber security infrastructures, etc.

●       Reputational cost: if a data breach were to occur, there are also reputational costs to consider. Reputational costs can be staggering and lead to a decline in consumer confidence and bookings. Tourism providers must recognise their responsibility to keep data and information safely secured to avoid substantial negative impacts on their business.

Therefore, it is crucial for businesses, and especially SMEs, in the travel and tourism sector to understand the importance of implementing cyber security and cyber resilience as priorities for their business, instead of as an afterthought.

Post Covid-19 Developments

In the wake of a global pandemic which forced the tourism industry to move online, the travel and tourism sector had to redefine their products, services, and consumer experiences to deal with the new reality. 

In the post Covid-19 era, the number of cyber threats has never been so high.

The World Travel & Tourism Council (WTTC) reports that accelerated growth in digital operations has left the industry more vulnerable and exposed to cyber risks (World Travel & Tourism Council and Microsoft, 2022).

This encouraged businesses to revisit their security posture to build a more cyber resilient enterprise and business owners are doing quality cyber security and cyber resilience work.

https://www.idealarticleswriter.com/2023/03/-Understanding-Digital-Forensics-Process-Techniques-and-Tools-.html

Cyber threat actors are agile and saw Covid-19 as an opportunity to exploit the vulnerabilities of tourism providers who were trying to facilitate travel while at the same time protecting public health. The continuous and inconsistent restrictions created room for cyber-attacks.

The adoption of remote work, which has led to a greater reliance on personal and mobile devices, has increasingly placed responsibility for company cyber security on employees.


https://www.techtarget.com/searchitoperations/news/365534899/Securing-remote-access-grows-crucial-for-DevSecOps

While companies’ on-site cyber ecosystems tend to be secure, this security had previously not been extended to employee homes. As a result, attackers who gained access to home or public Wi-Fi networks could easily breach company systems, emphasising the need for a more comprehensive approach to cyber security – one that emphasises cyber resilience.

Although organisations cannot guarantee the security of home or public Wi-Fi networks, staff training can help safeguard employees against threats when using IoT (Internet of Things) devices.

Cyber threats resulting from COVID-19 should not be treated as separate to organisational risk, including cyber risks associated with hybrid work models. 

As such, to ensure cyber resilience, organisations must broaden their threat monitoring efforts to encompass possible entry points for attacks through home and public Wi-Fi systems (World Travel & Tourism Council and Microsoft, 2022).