As travel businesses increasingly rely on digital information systems and other online processes, cyberthreats are rearing their ugly heads with costly consequences. Unless the right measures are taken, few are exempt from the risk of a security breach, not even smaller-scale companies
Recent hacking cases in the travel industry are driving home the message that the digital age presents immense opportunities for the travel industry, but also insidious dangers.
In Hong Kong, three cyber attacks on mid-scale travel agencies have sounded a wake-up call for agents to take cybersecurity seriously or run the risk of losing their client database, business disruption or blackmail by hackers.
Besides the recent cases in Hong Kong, the Travel Industry Council (TIC) says it is aware of similar cases overseas. For instance, in 2016, JTB, InterContinental Hotels Group, HEI Hotels & Resorts and Dallas-based Omni Hotels & Resorts were hacked. Last year, the Association of British Travel Agent’ website, and one of the reservation systems of Sabre Hospitality Solutions were also compromised.
TIC executive director Alice Chan said: “The recent cyberattacks on travel agents have definitely created a sense of crisis for our members. In this digital age, to be cyber-vigilant is of paramount importance not only for TIC members but also members of all industries that are in possession of customer data, because they have a duty to protect the data privacy of their customers. It is also most undesirable for their business operations to be disrupted by such attacks.
“Cyberattacks are on the rise… It is obvious that growing reliance on IT and increasing inter-connectivity have made travel agents increasingly vulnerable to cyber incidents.”
Elaborating on the susceptibility of businesses to such attacks, Jebsen Insurance Brokers’ senior manager Kenneth Leung said that as long as a company relies on computers to handle everyday business – i.e. incoming and outgoing emails, client database, system payment gateway for online payment and smartphone access to company resources – they are prone to risks like virus infection and cyberhacking. The impact of such attacks on businesses are undeniable, Leung added.
“The potential loss for the first party could be how to recover and restore system and data, which means paying more money to rebuild their system and input all data again. But if the system is hacked or locked as in recent cases, agents may have to suspend services temporarily, so annual income will be affected. In terms of third party liability, if it involves large amounts of personal information of clients or business partners, these parties may sue the company.”
While this paints a sobering picture of the threats that lay in wait in the cyber world, Blue Sky Travel’s director, Angela Ng, said the small-scale operator is not a target.
Apart from its Facebook page, the company leaves little trace on the Internet.
“We don’t plan to build any powerful website with online storage due to costly installation and maintenance. Frankly, I find it risky to store clients’ information on cloud, so (our) data is kept in hard disk without online access. We are a small agent and serve mostly repeat clientele.”
Others argue that the cybersecurity investments are costlier for smaller businesses.
However, TIC’s Chan stressed that all types of travel agents are vulnerable to cyberattacks unless they are completely offline.
“Every agent should be aware of the risks, stay vigilant and take the necessary preventive measures to guard against such attacks. SME travel agents may have limited resources but should still exercise great care in upholding the integrity of their information systems, or else not only their operation, but also their reputation, will be at stake,” she said.
While their cost concerns are valid, SMEs in Hong Kong have subsidies available to them. The 2018-19 Government Budget announced in early March increased funding of the Pilot Information Technology Development Matching Fund Scheme for Travel Agents by HK$20 million (US$2.6 million), bringing the total support to HK$30 million.
The scheme matches each eligible travel agent’s spend on technology that goes towards upgrading productivity, service quality and competitiveness.
Moreover, agents can make up for the lack of in-house expertise by outsourcing.
“With the rapid acceleration of (technological change), it’s impossible for SMEs and their staff to keep pace with new skills so there is a need to rely on suppliers,” said teaching fellow at Hong Kong Polytechnic University’s Department of Computing, Walter Fung, who spent over 20 years building up his expertise in computer management before taking up his university post.
“Both security capacity and maturity need to be addressed. Apart from periodic reviews of a system, backup is vital. If you hope to recover something in a short time, it’s key to (have) a high-calibre technological supplier, (invest) in backup or disaster recovery (and foster) internal staff cooperation.”
A hard-to-attain but increasingly popular standard agents can strive towards is ISO27001 certification, he shared. “This covers a wide spectrum (of criteria) like the ability to recover when things happen, security policy do’s and don’ts, having staff change passwords regularly as well as staff education.”
Associations are also stepping up efforts to educate agents on the importance of cybersecurity. Since 2017, TIC started organising seminars for its members. Two seminars were conducted in January and February 2018 respectively.
And in late January, the Hong Kong Association of Travel Agents engaged specialists to speak to members about technology risk management and information security.