The new cybersecurity threats: how will you cope? (A TravelTech Show 2021 panel)
The recent TravelTech Show brought travel Agents, travel providers and tour operators together. Representatives from hotels, airlines, ground transport and the cruise industry were also in attendance. The show provided an opportunity for these plus travel and destination management companies and global distribution services to view exciting new content on technology in travel. One relevant panel, ‘The new cybersecurity threats: how will you cope?’, featured the MD of CRIBB Cyber Security, Conor Byrne. Read our transcript from this discussion below or watch the video here.
The new cybersecurity threats: Transcript
The Participants: Mark Frary (MF), freelance journalist; Conor Byrne (CB), MD for CRIBB Cyber Security; Emma Philpott (EP), CEO for The IASME Consortium.
MF: “Hello, I’m travel and technology writer Mark Frary. In this Traveltech Show session we’re talking about the new cybersecurity threats and how companies in the travel sector can cope with them. It’s now just over 25 years since the world at large was introduced to the ‘world wide web’. The cyber world is a very different place today from back then. Digital transformation and growing adoption mean we are now conducting more and more of our business and pleasure online. Covid has only accelerated that; it’s also a much more dangerous place than it was a quarter of a century ago. With organised gangs, hackers and rogue states targeting those who dare to enter. How can travel companies steer a safe and secure way between all these threats?
“Now I’m delighted to be joined today by Dr Emma Philpott, Chief Executive of IASME and Conor Byrne, Managing Director of CRIBB Cyber Security – welcome to you both. Emma, can I ask you to introduce yourself and… to those who may not know the organisation?”
EP: “I’m Emma Philpott, I originally trained as a material scientist before making my move into cybersecurity. So I rely on all the experts that work for our company to tell me more about cybersecurity. IASME has a core value of trying to make cybersecurity more accessible, so we particularly develop guidance and certification schemes for small companies or companies who are not [technically proficient]… so some of the terms used in cybersecurity they might not understand… so we try and make it understandable and affordable and accessible to help companies put in the most basic controls.”
MF: “Thanks for that… I’m glad you could join us today. Conor, can you tell us about CRIBB Cyber Security?”
CB: “…CRIBB Cyber Security [was] set up about six years ago. It’s part of theICEway ecosystem of companies. theICEway ecosystem of companies is mainly ICE Support which is a big managed service provider and consultancy, and we also then [offer]… cybersecurity as one [part of the] business and we have software testing services on the other side of the business… and putting these all together provides a fully rounded service to… our clients.
“What’s interesting… for this particular call is that 75% of our clients are in the travel and cruise business. So we deal with travel businesses of all sizes, from the massive cruise lines down to the… 10 people sort of tour operators so we try to service them all at an equal level. Most importantly I think is that we from day one aligned with IASME and what they were offering at the time because that really suits our… clients and actually that’s been a great relationship. I think we’ve worked well together and to get up to the accreditations that… maybe we’ll mention later… such as cyber essentials, cyber essentials plus and… that’s who we are.”
MF: “Well thanks for that, I’m really glad we’ve got the sort of sector specific expertise on the call as well as the… more sort of strategic overview that Emma will provide, so thank you both for that. Now let’s get down to business; so if we wanted to give companies / people listening into this to give an idea of the current cybersecurity risk level for companies in Europe on a scale of say one to ten, with one being least risky to ten the most… where do you think we are, Emma?”
EP: “Well that’s quite difficult because we don’t know how bad it’s going to get but it is… a high level in terms of organisations being vulnerable to scatter gun attacks… so it’s unlikely that many travel companies will be targeted specifically by… the really in-depth cybersecurity hackers that might be from nation states for example and so often we talk to smaller organisations in particular and they say:
“Well no one’s going to even notice us, no one’s going to target us.”
“That’s not really the biggest threat, the biggest threat that we look at is… the general attacks… sent out to everybody, so the phishing emails, the scams, those kind of things… That’s the biggest danger for… particularly the smaller organisation and that’s at a very, very high level. So originally it would be quite simple scams that people would send out but particularly in organised crime they’re making so much money out of it now.
“[There are] actually some reports [which] say they’re making more money out of cyber-crime than they are out of… drugs and… people-trafficking. Cyber-crime is a big boom industry and so the cyber-criminals are investing a lot of money in smart people… high technology but also there is technology for sale. So on the dark web for example, somebody who doesn’t know very much about cybersecurity can go in and they can buy actually quite sophisticated attacks… That then they can send out to anybody they want of course anywhere in the world… so that level of… danger is going up so it’s really important for companies of all sizes in all industries to take some basic precautions… particularly… organisations that hold… personal data, because of course that’s where… people can really make a lot of money by selling [it] or by trying to hold people to ransom.”
MF: “… As a supplementary question to that, you mentioned that you know these smart people working in this; do they recognize that they’re part of potentially criminal activity or are they working under the impression that they’re actually working for legitimate businesses do you think?”
EP: “I don’t know that much about the criminal underworld… but I think since time began there has been… different levels of organised crime and people… money-laundering. [You can] watch TV and see lots of people who are [going to be] involved at some level in organised crime and so the same goes for people who know about technology but they also do prey particularly on… vulnerable people who may be feeling isolated and lonely and wanting to be part of something. Maybe they find it difficult to make friends, they might have dropped out of society and there’s evidence that they are being particularly targeted by cyber-criminals who recognise that many of these people are very skilled at cybersecurity and they get targeted.
“They get made to feel part of the group, part of the gang, [with] an important role and they are made to do the cyber-crime on behalf of the criminal gangs and then of course it’s them that [are] caught and they’re put in jail and it’s… really unfair that those vulnerable people are put in that position but I think with all crime there’s always going to be people who are happy to take the payment and do something that’s illegal unfortunately.
“But equally we have very clever people on the other side who are white hat hackers and work throughout cybersecurity and they are equally clever. And we need to make it very important that they’re equally as diverse and we need to make it easy to go into the cybersecurity industry so that people who are good at those kind of things don’t have to join a criminal gang to be appreciated. They can actually work for a genuine cybersecurity company. So yes, quite a complex issue.”
MF: “…Conor, I want to bring you in here because you know… the travel sector… do you think there are particular risks faced by the travel sector because of its global reach? Unlike a lot of other small companies for example, do you see it [as being] so very risky for travel companies at the moment in cybersecurity?”
CB: “Yes, very much so [for] a number of reasons… [the] first thing about travel companies is they hold a lot of personal data. They hold health information… passport information, Visa information and all the other… key information.
“One of the key pieces of information they hold about a person is that they’re away for two weeks, so their house is empty.”
“Then you have the [fact] that [this] information has to be shared… across the world. Your information has been shipped out there with the ferries with everything else… and then you [have] small… travel companies that are receiving that information… [and even though] in the UK I think… we’re much better than a lot of the world [when it comes to cybersecurity]… [some of the] smaller places you go to, they really… [are not] cyber aware.
“… Secondly, all the across the world… there’s different frameworks… America has NIST (National Institute of Standards and Technology)… and there’s different countries so… a tour operator in the UK… [must] deal with potentially their frameworks and… the cyber rules for many countries so for what could be a small tour operator there is a lot of risk as regards cyber. Now that’s only down to the fact that you potentially could get hacked for your data and you could lose your clients… and it’s not easy for a small travel company to build up a portfolio of clients. Their business can be wiped out very quickly and that’s before you even talk about actual hacking and phishing and… the things that operationally hurt you as well. So yes, it’s very big on that area.”
MF: “… I suppose that it’s also the smallest link in the chain or the weakest link in the chain… with cybersecurity. So some of these small travel companies may actually have access to all this data in the same way that some of the big players do, big suppliers for example. Even if the big supplier has excellent protocols in place, if the small travel agent doesn’t then you know that same information can get out…”
CB: “Very much so and it’s there and the big suppliers try to manage that but take BA Holidays [for example]… how many thousands of suppliers do they have across their whole [enterprise]? The hotels, the tour operators, the ferries, the planes… and all that information is going between all these people. Or there’s no way that you could have a nice holiday, unless the relevant information is there… so that… weak link happens in the chain. One good thing… is that the big companies are distilling the information so they should only be [sending] the information… specific to that tour or that holiday, they shouldn’t be sending all the information. They should only send what needs to be sent and the big companies need to be working on that using their data flows… [and other] cybersecurity methods to manage that correctly.”
MF: “Now Emma, we talked there about criminal gangs… it might be [those], it might be rogue states… spotty teenage hackers, disgruntled ex-employees and rival companies even who don’t have very many morals [who are the actors] and it’s the big actors that we need to be worried about?”
EP: “I’m not sure that that’s so important, I think the most important thing is to know that everyone’s data has a price so it doesn’t really matter who’s doing it… and often nobody knows because… they are in every country and they’re making a lot of money. It’s a very lucrative place to be at the moment so I think the awareness that all data can be sold… identities can be sold, all data can be sold. It could be sold to your competitor but also of course, really very prevalent at the moment [are] the ransomware attacks where it locks all your systems up and you can’t access it unless you pay ransom and of course you might pay ransom and they [might] still not unlock it because they’re criminals.
“… [The] criminals… they’re getting very sophisticated and they will… watch the company through your keystrokes and through intercepting your information. [They will] work out how much they think you can pay and then they will do the ransomware attack… but also we’re seeing a change… now they also take your data out. And so you’ll pay the ransomware, you’ll get access to your data again and then you’ll have another communication from them saying: “Now we’re going to release all your data on the internet unless you pay this additional ransom.
“… Not only that, it’s very difficult to clean… malware out of someone’s system. You basically have to start again otherwise before you know it you’ll have another ransomware attack very shortly afterwards. These are clever people using high technology and the most important thing is to be aware that you [as a] small travel company are as much at risk as anyone and… you don’t want it to happen to you.
“It’s happening a lot but usually people try and keep it out of the press so people don’t realise that their competitors and… other companies that they work with have had these breaches.
“Just look into the most basic technical controls.”
“It’s like we say that… you’ve got to eat five portions of fruit and vegetables a day. Lots of people don’t but it doesn’t mean to say that you shouldn’t eat any!
“… Even if you feel that cybersecurity is too much, too complicated [or] you can’t deal with it, do one thing today and then try and do one thing in a week’s time because every single step you take to be more secure means it’s less likely that you’re going to be hit by one of these terrible… events which are really stressful… even if your company stays afloat it is really stressful and awful.”
MF: “…We’re going to talk about some of the practical steps that we can take later on [but] Conor, did you want to come in there as well?”
CB: “… Emma’s point is very valid there and the other thing as well is that these attacks are scatter gun attacks. In other words, they send all these links out to thousands of people and then if you’re the one that succumbs to it then you become the [victim of a] ransomware attack. They’re not out to get you personally, even the NHS one a couple [of] years ago… that wasn’t targeted at the NHS, it [is] just that they hit the NHS and a lot of the computers hadn’t had the security patches attached, so that’s why those things happen.
“So you [must] protect yourself against this because you’re usually an unknowing victim of this sort of attack… that’s the way to think about it and don’t ever think that they’re not going to come for me. No they’re not going to come for you but you’re going to fall into their trap randomly.”
MF: “… Emma I was just going to ask about the pandemic and you know obviously we’ve all had to work from home or many of us have… obviously there have been key workers who’ve been actually going to the office all the time but… we’ve all embraced virtual working. It may or may not be an efficient way to work, it’s the nature of Covid, but has that actually made things worse from a cybersecurity point of view?”
EP: “Yes it has because of course before often you could have an office which you could fairly well protect. You could put firewalls around the office and you could make sure that it was quite difficult for people to get access to the IT systems in the office. As soon as everyone is working from home you’re talking about how secure people’s home routers are usually and how the data gets between the home user and the company and so a lot of companies have put VPNs in which is like a secure tunnel between the person’s computer and their company. [However] you need a certain amount of expertise to set the VPN up correctly, otherwise it doesn’t do any good and you need to know which countries the VPN is going via for example.
“… Also when the pandemic first hit… people were sent home… to use whatever computing device they had… So people were using very out of support I-Pads that had [many] vulnerabilities, they were using the computers that their kids had been gaming on… all these… things that were really risky. Of course as soon as everyone was sent home and started using equipment like that it didn’t take long for the cyber-criminals to realise what was going on and start to target them.
“Also… and we’ve had this in our company as well, people know that you’re not talking regularly to your colleagues on a day-to-day basis and so the nature of the phishing attacks changed. They would [pretend to be a colleague] in a meeting [and make requests to act] online… so it’s created another way for attackers to target people. So yes, it is quite a significant increase in the vulnerability… when working from home… [or] doing some kind of hybrid working.”
MF: “So coming to advise companies on how to deal with that; maybe we’re never going to go back to the enterprise devices… and it’s going to be [a case of] bring your own device or a mixture of the two, we’re having to advise companies on how to do that securely?”
EP: “Yes and it’s needed companies to invest over the year so it’s been a difficult, frightening year for organisations not knowing how their income is going to come in… They’ve had to buy in support laptops and… equipment for their staff to work from home and they’ve had to learn about how to set up VPNs. A lot of organisations have had to try and teach their staff how to make sure that their home routers are configured correctly. Which has been quite a challenge but it has also hopefully helped people understand about individual responsibility.
“I hope companies have also taken the opportunity to train up their staff a bit more and make them more [cyber] aware.”
MF: “Conor… Emma was talking about the need to invest [but]… that is an incredibly difficult thing to do for the travel industry right now because no one’s been traveling. [Incomes and] revenues have been decimated [so] how can they afford to do this?”
CB: “[At first] they really had to work with what they had. [With] theICEway [and] the IT support side of the business… [it was a case of] working with all these clients… to turn these 20 to 30 people office [workers] into home workers with all kinds of laptops and PCs… and as Emma said, setting up VPNs.
“… I think the key thing once it settled a little [was we] then tried to go back over that with our clients [to lock everything down]… by using virtualisation, so basically they don’t actually have anything on their own computer, they’re using the servers on Azure or AWS [for example]. Then we were able to use… CRIBB Cyber Security… to lock that down [and] we were able to push out information and policies [detailing] what to be careful of, what to look for and keeping them up to date. So they had to make investments but obviously this is really [sad] for the travel industry [but] they had to almost immediately put so many people on furlough that the problem went away to some extent because they were reducing their staff levels by 80 percent so it was only key staff we were dealing with.
“… The travel industry just stopped dead and… within a month they had dropped down to that so actually the problem of the home working in the travel industry wasn’t maybe as big as [in] other industries because they were decimated. I’ve already seen green shoots by the way in the travel industry… so I’m really happy for that because it was a horrible situation for them, it really was.”
MF: “Now we said before that a lot of companies don’t like to publicise the fact that they’ve been a victim of some of these sorts of attacks. Is it literally pretty much every company that has had something like this, even if it’s a small issue… [with] their antivirus software? Is it really every company that has had a problem but we only hear about the biggest ones?”
EP: “A lot of companies have had a problem but it’s very interesting that a recent survey showed that the companies that have been through cyber essentials, which is the Government’s basic-level cybersecurity scheme, were much better at spotting when they had a cybersecurity incident. So when you look at the figures to start with you think [it is strange that] they go through cyber essentials and then they’re more likely to get an incident but actually it’s because a lot of companies have no idea that they’ve even had an incident unless they’ve actually done a bit of work on cybersecurity.
“So this is information going to the wrong people… not necessarily a massive ransomware incident which of course you know about… but a lot of companies don’t know they’ve got an incident. [For] quite a lot of companies it takes months, even years before they know that they’ve got a malware in their system sending their information out… so it’s very difficult to know how many organisations have had an incident. [However] it is a significant proportion, I don’t know if you can comment, Conor?”
CB: “… I don’t think I know a company that hasn’t had an attack of some description, especially the simple ones like [when] somebody sends emails out [in a] phishing-type attack. They tell them you’ve got new bank details and… [your] supplier pays another account somewhere.
“… What actually happens there is the supplier then doesn’t want to work with you anymore because [to them] you’ve told them [the incorrect] bank account details… but it’s actually the hacker and then that causes a relationship breakdown.
“… That happens all the time, even this morning… [one of our clients] had a phishing attack. He downloaded a tender that he thought was a very real tender… and next thing there is a whole pile of phishing emails gone out to his address book.
“… This guy was very… aware and we see these quite regularly but I think what Emma was saying there about the cyber essentials, people really need to look at cyber essentials [and] cyber essentials plus. By following those frameworks… you will one, spot it and two, you will reduce the chance of being severely affected by just doing those two things.
“… We’re [not] talking… a huge amount of money to actually get there [and] to get that done.”
EP: “Indeed, you can even just look at all the questions completely for free so you can go on to the IASME website and you can just download all the questions.
“… We get a lot of companies just going through that and putting those in place one after the other. Then you are way more secure than when you don’t have them in place.
“… Then [there are] organisations like CRIBB who are specifically designed to help if you don’t understand the questions.”
MF: “I wanted to ask you about a couple of big cases in the travel industry… it’s data protection which I know is not exactly the same as cybersecurity but one can lead to the other. A cybersecurity hole can lead to data being leaked out of your organisation. So I’m talking about… British Airways and Marriott Hotels, they’ve both recently been handed huge fines by the ICO in the UK for leaking data.
“… Do you think the purpose of those fines is just to… scare other companies into complying… and is there anything that companies can do about those sorts of threats?”
CB: “I really think they have a scary effect… when BA and Marriott get hit by big fines I’m sure the CEOs and the boards of all major companies have suddenly moved that point up on the board agenda.
“… The fines are up to four percent of global turnover which is a huge amount of money… but you know they can afford it.
“… It takes the ICO [a huge amount of effort] to actually get to the stage where they can produce fines on one of these companies. It costs hundreds of thousands of pounds. Maybe millions of pounds to do all the governance, the research, the court case… so they’re not scaring smaller companies because I don’t really think at the moment that the ICO [is] going after smaller companies.
“… Can you imagine the ICO [targeting] a 20-person travel company? The big companies should be better, they can afford to employ the cyber specialists [and] they should be able to protect their information. It is kind of negligence on their part, not respecting the information that we give them.
“… The other thing about… it is that it’s scare after scare after scare. And when you see this and it doesn’t directly affect you, then you kind of ignore it because everybody believes it’s only going to affect big companies. So they’re not scared about it anymore.
“… [However], as we discussed earlier, [all organisations] will be a victim in one way or another of a cyber-attack. I would genuinely say… over the next two years, a hundred percent of companies will have some sort of a cyber-attack. The message I really wanted to push is… you have to get ahead of the curve on this. You have to protect yourself [and] really make sure that you’ve got the things in place to reduce the attack.
“… Most importantly once again, as Emma said, most companies don’t even know they’ve had a cyber-attack. That’s the big difference, it’s a bit like [where] the UK has got a massive amount of Covid cases. Why? Because we did [a] fantastic amount of testing, that’s how.
“… A lot of countries that didn’t have a lot of Covid cases, you look at their testing amounts and they didn’t have a lot of testing so it’s the same sort of principle. So actually knowing you’ve had a cyber-attack is really important.”
MF: “Emma, I just want to talk about a couple of practical steps that small companies can take. I know we talked about the cyber essentials there but are there… some quick things that will really help?”
EP: “… Just reading through the cyber essentials questions. [Also]… trying to make sure that all your software is patched and in support… getting updates. When software gets to a certain age they just stop giving any updates. The reason they need updates is because people out there, sometimes criminals, sometimes other people, find errors in the software all the time. You can imagine when there’s thousands and thousands of lines of code in Microsoft word, there are going to be errors. When somebody finds an error that can then be used to access somebody’s systems and so as soon as for example Microsoft realize that there’s that error, they then write a patch or an update to stop that actually being used by the bad guys to get access to our systems.
“… Of course, as soon as they put that patch out all the cyber-criminals know about it as well. So then it’s a race against time. The cyber-criminals write code to try and use that to get into your systems and steal all your data. But you have a certain amount of time to implement that update and close that door.
“… Conor was saying about the NHS attack before; that attack used an error in the code that people had known about for six months. So anyone who was affected by that attack had not done the update on their systems for [that time]. That’s why they were vulnerable and so cyber essentials… from the government… says it is really important that you need to put any software updates in place within 14 days. Now that’s quite a short time and it’s quite challenging but you [must not] leave it six months because you’re just open to all the attacks. Everyone’s trying to get in and then some people are using things like Windows XP… [which] has got so many holes in it that it’s like not just living in a house without locks on the doors. It’s like living in a house without doors – that’s how bad it is.”
MF: “We haven’t much time left so I just want to ask a couple of last things. Conor, what about if you’re a company and threatened by ransomware / hackers, how would you respond to that? Just call you I suppose?!”
CB: “… That is the first answer!
“… You don’t get threatened with a ransomware attack, you have a ransomware attack and then you’re threatened. The first [action] is [to call] your IT services company or a company like CRIBB Cyber Security – you should have people like us retained to some extent as advisers.
“Forewarned is forearmed. You can actually block ransomware attacks reasonably easily by following cyber essentials. I just want to say two things quickly; two factor authentication, where you have to use your phone to authenticate your Office 365 account, and removal of local administrative rights on the PCs and computers. They will actually block a vast amount of ransomware and Phishing attacks, so that’s just for anybody watching this – look into that straightaway.
“The other [thing] about the ransomware attack… [is] there was a time when… if you paid the [ransom], they usually gave you the keys [back] but now… it’s getting harder for them to actually do the ransomware attack. So now that they’ve hooked one they’re going to try and use it and reuse it and they will ruin your business.
“… So the other part is backups, you’ve got to make sure your backups are regular, that they’re verified, that they work. If you’ve got regular… backups and every day or even more regular than that on your databases then you can reinstate your business. It might take a week to do it [but] you just wipe everything clean [and] you start again. It’ll cost you a lot of money in IT services but you have all your data and you will recover. If you haven’t got the right backups, if you haven’t got your backups protected against ransomware and these type of attacks, I would genuinely say your business is not going to recover unless you pay the ransomware and then again paying the ransomware probably isn’t going to fix the problem either. So it’s all about preparedness in this situation.”
MF: “Well that’s really helpful Conor and I really like the fact that we had some very practical tips that people can do today even if they can’t engage with someone like you, so that’s been really helpful. So unfortunately that’s all the time we have today for this, I’d like to thank my experts Dr Emma Philpott, Chief Executive of IASME and Conor Byrne, Managing Director of CRIBB Cyber Security. Hopefully everyone watching has found this entirely useful as well, so thank you very much for listening in.”
End of ‘The new cybersecurity threats: how will you cope?’ discussion transcript. Contact us if you would like to learn more or discuss your own cybersecurity requirements.