Britain’s tight economic situation and improved credit card security is helping to fuel a rise in internet and telephone fraud attempts.
The UK economy is losing an estimated £30 billion a year through financial fraud, according to the National Fraud Authority, and the hard fact is your current security systems and practices may not be stringent enough to deal with the rising threat.
“Hackers and fraudsters are becoming more advanced, making businesses more vulnerable to attack,” warns Akif Khan, a director at CyberSource, a company that specialises in secure payment solutions.
The travel industry is suffering increasingly because criminals are realising the security of face-to-face, chip-and-pin card transactions are too difficult to hack in to. They are therefore moving to industries that sell high-value products over the phone and the internet – one of which is travel.
Despite the risks and dangers involved, the issue is often not given the attention it deserves, often down to a lack of technical expertise, a failure to appreciate the scale of the threat or simply because it’s seen as a dull area.
Robin Adams, director of security at secure payments and fraud specialist The Logic Group, says: “IT security may seem like a dry subject but you need to take it seriously and ensure responsibility is allocated at board level.”
The problem is that today’s malicious software or malware is invisible, unlike the mega-viruses experienced 10 years ago. As Yuval Ben-Itzhak, senior vice-president of engineering at AVG, warns: “When your computer is up and running, someone could be collecting valuable data from your machine and you won’t know.”
Agents should have stringent IT policies in place to protect their clients’ personal and financial data, especially if their company is heavily focused on internet-based trade or email enquiries from unregulated sources. That said, dependence on online trading platforms, which many agents use every day, means IT security can be particularly hard to control.
As today’s cyber-criminals are looking for valuable data they can use later or auction, the most vulnerable areas in your office are those where sensitive data is stored, including your local computer, a central database or online email. “It is crucial to make sure you protect the data where it’s stored,” explains Ben-Itzhak.
In-house servers are vulnerable and often viruses will try to work their way towards the server – up the chain from your inbox or elsewhere. Once a server is infected, it can quickly contaminate all the workstations connected to the network.
Data exchange is also an issue, so when dealing with third parties for holiday bookings, make sure you understand who has access to customer information.
Sean Sullivan, security advisor for software firm F-Secure.com says: “Reputable providers will have a data loss and security policy ensuring any information held complies with data regulations.”
Since there is an increasing challenge to comply with best practices in IT security, both from a finance point of view and investment in time, one trend is for agencies to host their systems with a technology supplier that provides all the security for the company.
“This has been a fast-growing trend,” says Roberto Da Re, president of IT firm Dolphin Dynamics. “Outsourcing often proves to be the easiest and cheapest way to achieve piece of mind over IT security. Today, 95% of our SME customers host their systems at our UK data centre.”
Remember, breaches in security don’t just cost money, they damage an agency’s reputation, and the buyer’s confidence should always be paramount – not least as they’ll be unlikely to complete a transaction if they think your systems aren’t up to scratch. And as Khan warns: “Brand perception and customer relationships are fragile and have the potential to be permanently damaged if a breach occurs.”
Case study – Egencia
Travel management firm Egencia requires that all full-time employees take its annual information security essentials course. Its agent teams also go through rigorous security training before they are able to book travel for their clients.
Jonny Shingles, managing director of Egencia UK, says: “Physical protection of laptops and other portable devices is also one of the most important responsibilities of employees. This is especially true for our agents, so this is something we brief our teams on extensively in all our service centres.”
As travel agents update clients’ personal data all the time, Shingles says it is important to be consistent by managing security at each step of data life.
“There is no one-size-fits-all solution – security needs to be approached at all levels and at all times,” he says.
How to make your systems more secure
- Employ a security firm. This is not just investment in security, but investment in your company’s technology.
- Ensure all staff are engaged and know how to use their computers responsibly. Think about offering training and include it in inductions for new staff.
- Make sure you have a good firewall and it is correctly configured. This will guard the gateway to your network.
- Back your data up regularly. Experts suggest backing up all data to tape or external hard drives and storing it off site.
- Install the latest software patches on your website to reduce the risk of hackers stealing sensitive data or defacing your website.
- Secure your wireless networks and introduce rigorous authentication measures for staff accessing sensitive data and systems, especially mobile workers.
- Protect yourself from USB threats. The increasing use of USB memory sticks and portable drives poses a security threat as data can be lost or stolen. They can also be used to download viruses and malware whether on purpose or accidentally. Make sure you encrypt all sensitive data that you pass around on either memory sticks or portable drives.
Best practice dos and don’ts
- Update and audit your security policy and train new and existing employees on a regular basis
- Conduct regular testing, risk assessments and external reviews
- Expect the unexpected, and build in contingency plans to your security controls
- Stay one step ahead of fraudsters and keep up to date on the latest threats
- Treat personal data respectfully
- Lock away laptops and all sensitive information at night
- Assume you are secure just because you haven’t noticed anything
- Depend on one control to be sufficient to ensure security
- Assume because technology is in place you are secure, as fraudsters will continue to search for areas of vulnerability
- Use unsecured wireless networks for agency work
- Disable anti-virus software
- Copy software from your work computer on to another system – contact the IT service of your company
- Download unapproved software – it opens the door to threats from hackers, data sniffing tools, and peer-to-peer file sharing