3. Cyber Vulnerability of tourism SMEs

How are tourism SMEs vulnerable?

The WTTC reports that more than 7 in 10 (72%) SMEs in the UK, US and Europe have fallen victim to at least 1 cyber-attack (World Travel & Tourism Council and Microsoft, 2022).

Within the travel and tourism industry, which consists mostly of SMEs such as agencies and tour operators, the percentage is even higher, with SMEs accounting for about 80% of all businesses.


Tourism SMEs have become an attractive target for cybercriminals in the last few years:

● The high level of digitalisation maturity makes tourism SMEs a very vulnerable industry in terms of cyber security and cyber resilience, especially due to poor defences in IT and point-of-sale (POS) systems (Fragniere & Yagci, 2021). According to Hussain (2023), hackers have realised that SMEs, with their inadequate cyber safety, are easier targets than larger companies, whether because of a lack of qualified and skilled personnel (i.e. human error) or insufficient budgets.

● Tourism SMEs are especially vulnerable to cyber threats because of the highly sensitive data and analytics they store in cyberspace (customers’ e-mail addresses, passport numbers, credit card details etc). This information is valuable to cyber criminals, who attempt to access and breach it, leading to identity and financial theft and threatening data governance and the privacy protection of customers and employees.

The tourism SME industry is particularly susceptible to cyber threats because it is fragmented by nature: the entire supply chain, which involves numerous agents and third-party service providers, is a potential point of entry for threat actors. Proactive cyber security measures are necessary to ensure cyber resilience and maintain effective business operations.

https://www.enisa.europa.eu/
The European Union Agency for Cybersecurity (ENISA) found that 90% of SMEs stated that cybersecurity issues would have serious negative impacts on their business within a week of the issues happening, with 57% saying they would most likely become bankrupt or go out of business.

How should the SME respond in case of a data breach?

In case of a data breach, the SME is advised to notify the Information and Data Protection Commissioner of the breach, attaching the online notification form, no later than 72 hours after becoming aware of the breach.

If the breach poses a risk to the data subject, the supervisory authority needs to be notified.

These are 5 concrete actions that an SME can take following a data breach:

    1. Identify the source and extent of the breach.
    2. Alert your breach task force and address the breach as soon as possible.
    3. Test your security fix.
    4. Inform the authorities and all affected customers.
    5. Prepare for post-breach clean-up and damage control.