Tag: Cyber Security

With a number of high-profile data breaches in the headlines towards the end of 2020 – including Heathrow airport paying £120,000 in fines after an employee lost a memory stick containing personal data, and hackers making off with the personal information of more than nine million Cathay Pacific passengers – it feels as if there is still a gap in data protection education, particularly in cyber security for travel agents.

Enter Graeme McGowan, Cyber Risk & Security Consultant at ESA Risk and Senior Tutor and Advisory Council Member at the Global Cyber Academy – an online training institute offering data security courses to individuals and businesses. Here, he gives tips to help travel agencies improve their cyber security and minimise the risk of data breaches.

Staying secure

First and foremost, McGowan recommends encrypting office hardware and software – computers, social networks and chat functions. Encryption is simply the process of encoding a message or information in a way that only authorised users can access it.

“Using a PIN, passcode or fingerprint to unlock your smartphone is sufficient, as most phones have built-in end-to-end encryption,” he says.

“It’s the same for a Windows PC or laptop, and encryption is turned on by default. But it can be undermined if you have no passcode when you boot up. Apple products are all fully encrypted, as are Android phones.”

Ensuring passwords are regularly updated is just as important, he says.

“Agents should change passwords regularly and never recycle any for a PIN, safe or security box.”

Adequate antivirus software is critical too, McGowan warns, adding: “Make sure whatever software package you choose is patched and up to date. Personally – and there are many other good options out there, I use Avast Pro on my PC and other devices. It has everything you need, including a virtual private network (VPN) and some very useful tools to monitor your footprint.”

He advises agents to avoid using shared computers if they can, which may prove difficult in an agency with a limited number of machines.

“If you must use a communal computer, avoid sharing any information – do not save passwords, and employ two-factor authentication when logging into accounts.”

Two-factor authentication is an extra layer of security that requires not only a password and username but also a security token, like a code.

“For example, in online banking, you often need a PIN that’s sent by text message to complete the transaction,” he adds.

Internet threat

“Always use a secure connection,” says McGowan. “Simply having ‘https’ at the beginning of the browser’s URL bar can protect you from a large variety of potential threats.”

These include “drive-by attacks”: cyber criminals looking for insecure websites to plant malicious code on one of the pages. When agents visit the site, malware is installed on their device. Such instances are called drive-by attacks because they require no action on the part of the victim. Locking the windows and doors of your agency doesn’t mean it’s safe from attacks either, says McGowan.

“At the end of the day, shut down, or at the very least, switch off wireless and Bluetooth on all devices. This prevents hackers from accessing devices if they are connected to an open network or any other connection.”

A good example is Feherty Travel in Bangor, Northern Ireland. They have recognised the importance of keeping data secure. Company director and part owner Scott Parker has ensured his business is protected through education and implementing practical measures.

“I attended a course on general data protection regulation (GDPR), which I then wrote up and trained our staff on. We have also installed new filing cabinets with locks to keep data secure, purchased shredders and replaced door locks on our archive room,” he explains.

Protection on the go

McGowan says travel agents should warn clients about using public Wi-Fi in airports, hotels and cafes.

“Because information that’s transmitted is generally unencrypted. It’s not just the hotspot that’s public – it’s your data too. You might as well shout out your details. A compromised router can vacuum up a lot of personal material relatively simply.

“Just getting into your emails, for instance, gives hackers access to your usernames, passwords, and private messages. It’s fairly easy to set up a fake access point (AP), and it’s well worth the effort for cyber criminals.”

Using a VPN in this instance will provide a level of encryption between the user and a website, says McGowan. It makes intercepted data unreadable by a hacker without the correct decryption key.

“‘Packet sniffing’ is another method used by hackers to acquire airborne information then analyse it at their leisure. A device transmits a data packet across an unencrypted network, which can then be read by free software like Wireshark. The bottom line is, never turn your Wi-Fi or Bluetooth on in public places unless you are in a trusted area.”

Finally, for agents embarking on familiarisation trips, McGowan recommends taking a loaner device to deter cyber criminals.

“This is when the IT department would lend an agent a clean laptop or smartphone for their trip. This ‘loaner’ would be better protected if it were misplaced or stolen, as they would be able to guard the data more effectively. For a small business, buying one laptop for travel and making someone responsible for keeping its security systems updated and patched would also work.”

Most social media sites are free to use, and unrestricted access gives way to corrupt users or false accounts. As there is rarely a process of verification of identity, it can feel difficult to stay safe on social media sites. However, with security settings and privacy controls, users are able to monitor who and what they interact with.

Oftentimes people are too personable on social media and overshare details of their private lives. This creates the threat of online criminal activity, as situations like stalking, identity theft or hacking can occur if you do not make use of the safety precautions on social media.

There is also an increased risk of phishing, as criminals can tailor phishing emails just by looking at your social media profiles. For instance, once they know your job and some of your connections on LinkedIn, they can craft phishing emails that include company details or manager’s names to make them sound more believable. By having access to your connections on social media, hackers have information to build up an idea of a company’s employees, to either target certain individuals or identify entry points into company databases.

In cases where attackers cannot directly access company data, nor manipulate employees via phishing emails or contaminated links, they may use social media to decipher suppliers and related companies to find a different entryway. This can be done via fake profiles which give hackers access to people’s information, enabling them to spread malware or malicious links. Hackers might also use fake business pages, or fabricated job offers, to lure people in and take their personal data or set up transactions which result in financial information being exchanged, or money being sent.

How to stay safe on social media

Staying safe on social media works differently for each platform: on Facebook, users can alter their privacy settings, making their posts viewable by ‘friends and family only’. You have control over who can see your page and even search for you, as well as the amount of access they have to your friend list, which can be changed to ‘only me’.

Similarly, Instagram allows you to monitor who follows you by setting your account to ‘private’ in your settings. There is also a block feature and ‘remove follower’ feature that means you can revoke users’ access to your page. Location services can also be turned on or off when necessary, so that it is difficult from criminals to locate you or gather information about where you live and work.

On Twitter, there is also the option to remove your location from your tweets. Twitter offers various privacy and security options that protect your account and allow you to be discreet with your personal information. You can manage your contact lists, remove pre-filled contacts and put your account on private so third-party users cannot access your tweets.

LinkedIn is a platform where users can obtain a lot of information about each other, but people are often less cautious, as the site is primarily used for professional networking. Updating where you work, your current projects and places like your education history can be a goldmine for hackers and scammers. As with the other social media platforms, your safety could always be compromised, so it is important to implement security measures to avoid that.

10 tips for staying safe

1. Never give financial information to anyone over social media.
2. Research job offers received via LinkedIn, especially if it seems too good to be true or is made up of generic messages or unaffiliated links.
3. Keep personal information private, such as your phone number and place of residence.
4. Limit details about your work history online.
5. Be cautious with who you are connecting with. A lot of people ‘over-friend’ on social media for the sake of networking, but adding strangers is not very safe.
6. Protect your passwords. In 2012, LinkedIn lost over 100 million users’ passwords and email addresses to the dark web. Many people use the same password for every site, so vary your passwords, make them a mix of both letters and numbers and try to vary them between different social media accounts.
7. Have a Master Key (a password storage application) to keep all your passwords secure and use ‘Last Pass’, an app that helps you keep track of your various passwords.
8. Set up security answers (this option is available on most social media sites).
9. Use two-factor authentication (a second barrier of security that verifies your password, for example, by sending a code to your phone number or email).
10. Use a single sign-on, such as OpenID, which enables you to manage all your social media accounts from one place.

According to the Ponemon Institute, the accumulated cost to a company from a data breach is $3.86 million on average. Hackers may blackmail companies with threats to leak private data by holding information hostage and demanding a ransom. Data breaches are thereby invasive and extremely costly, both financially and in terms of the damage they can have on a company’s reputation.

Stolen data could include:

• Financial information – including bank details and investment details.
• Personal Health Information (PHI) – medical data, details on health conditions, prescriptions and treatments.
• Personal Identifiable Information (PII) – contact information, education, workplace, birth dates and other personal details.
• Corporate information – details of contracts, trade secrets, business plans and marketing information.
• IT data – system structure, encryption keys, passwords and usernames.
• Legal information – information on court cases, acquisition details and regulatory rulings.

This data can then be sold or used for fraud and identity theft. Hackers tend to sell stolen information on the dark web, like in April 2020 when Facebook was breached, leaking the identities of 267 million users. Although passwords were not included, the hacker stole names, email addresses, dates of birth and phone numbers, all information that could be used to target the users by phishing.

Similarly, in May 2014, eBay experienced a data breach that impacted 145 million users. The attacker used three employees’ details to break in and for 229 days accessed names, addresses, dates of birth and encrypted passwords. Although credit card information remained safe, customers were required to renew their passwords and in turn, eBay’s client confidentiality was affected.

An instance of a medical breach was the NHS Highland data breach, where almost 300 patients’ details were sent to members of the public. This included contact details, dates of birth and the name of their clinic.

Breaches often occur by cyber attacks, weak passwords, malware attacks from infected emails, drive-by downloads from compromised webpages, payment card fraud and theft of office computers. It can also occur by human error through accidental insider leaks, as well as intentional disclosure by employees with access to confidential data and systems.

Attackers can use employees as their way into an organisation’s information. They usually exploit weak systems by researching the company’s infrastructure to find loopholes, or target employees by analysing their social media and constructing emails that can trick that employee into clicking on infected links or to follow phishing messages. Fraudsters also make use of phone numbers by making phone calls asking for card details pretending to be a bank employee or a service provider. So, how do you avoid a data breach and protect your sensitive information?

How to avoid a data breach

Remember that banks and regular corporations never ask for personal information over the phone or on email. Look out for correspondence that asks you to reset your password, receive compensation or tells you to act immediately to recover funds.

Ensure that:

• Employees secure all personal and work devices.
• Employees remain mindful of their personal social media accounts.
• Staff are wary of suspicious emails and educated on cyber security.
• Bank accounts and credit reports are regularly monitored.
• Files are backed up and protected by firewalls and antivirus software.
• IT systems are updated to avoid hackers finding vulnerabilities in the system.
• Audits are regularly undertaken to make sure everything is running in order.

There are now laws for companies to inform customers if they have had a data breach, in case personal information has been compromised. To avoid this happening in the first place, get good defences in place and be alert.

Most are using remote working on a much larger scale than ever before, meaning they have had to implement new rules and improvements in technology to ensure productivity, staff wellbeing and information security to ensure that working from home is safe from cyber threats.

There are many reasons data breaches are more likely to occur while working remotely. For instance, the lack of supervision can result in employee apathy. Remote workers are less aware about cyber security, using insecure Wi-Fi networks or personal laptops that may have malware or ransomware that can then infiltrate the company network. Working from home also introduces the issue of family members sharing the same PC, or employees adding home printers to the office network and using external USB drives on office computers. This consequently puts company data at risk of being leaked, unless there are the necessary technological safeguards put in place to prevent it.

Furthermore, cyber criminality is on the rise, with hackers taking every possible opportunity to steal company or personal information. The main methods used are fake warnings on social media and pop-up links on websites that urge users to click on them. Fraudulent emails containing similar malicious links are also used to spread viruses that can infect or damage your files, so it is important to be aware of what is on your screen and in your inbox.

Solutions

1. Education

Staff must be educated on the risks of viruses, phishing or cyber attacks. Whether they come in the form of online updates, scam emails or phishing links, workers should be trained to recognise suspicious activity and filter them out. It is important to note that sudden, emergent situations that require immediate action, such as being asked to update your bank details, are to be approached with caution and that workers should be mindful at all times. Ensure that security guidelines are clear, so that workers are briefed with the necessary knowledge to avoid cyber fraud. This might include paying attention to spelling and grammar mistakes in emails or noticing unsolicited attachments. Domain emails that are replicas of genuine business emails to appear credible, as well as URLs made to look like an already established URL, are also signifiers of fraudulent correspondence.

2. Passwords

Password control plays an important role in managing the potential risks of remote working. Using password screens with strong, two-factor authentication is recommended and employees should avoid writing passwords down, keeping them out of sight of other people. Password protection avoids third parties accessing confidential files, so companies should ensure maximum protection with passwords that are at least 12 characters and include uppercase and lowercase letters, numbers and symbols, as advised by The Federal Trade Commission.

3. VPN

A VPN (Virtual Private Network) enables a secure connection to another network, over the internet. It ensures protection of private information by routing traffic through the VPN server, encrypting the connection and hiding your IP address in the process. This provides anonymity from hackers, enabling safe and private browsing online. My recommendation is to invest in Firewalla – a cyber security firewall that alerts you to and protects you from cyber threats at home. It ensures that all your connected devices become part of a virtual protective network that you can see and manage from a control centre. It is also important to use protected browsers, such as Firefox or private browsing pages to avoid your data being monitored and collected by hackers.

4. Antivirus

Viruses are one of the biggest threats to businesses operating online. These arrive in the form of spyware, malware, zero-day attacks, trojans and phishing scams. Whether employees are using their own computer at home or company property, they must have installed antivirus software, from a reputable supplier such as Bitdefender, Kaspersky or Norton, ensuring it stays up to date. Antiviral software creates a firewall against viruses and alerts you when you are visiting sites that are potentially malicious. It conducts regular vulnerability scans and checks that filter out threats to your data while detecting any irregular activity. Antivirus is paramount in privacy protection, both for business and at home.

5. Shared storage

In case of attacks or breaches of company information, it is useful to keep centralised storage so that lost files can easily be recovered. Keeping data in shared storage with cloud-based backups lessens the likelihood of irrecoverable losses. The shared storage should have a firewall installed to protect all documents within it, with regular security measures taken to ensure that confidential data is safe. If a malicious third party finds a security hole in one of these cloud-based services, a lot of information is simultaneously at risk, so make sure to add extra security through encrypted cloud storage.