Are we applying the same duty-of-care standards to IT security as we do to our travellers?
Recent events have shown how cybercrime really has become a global challenge – and that the travel industry remains the go-to target.
In the US, Uber has just reached a US$148 million out-of-court settlement after it failed to report – for a whole year – that its systems had been hacked to the potential detriment of 600,000 US-based drivers and 57 million “riders” worldwide.
Hotel companies large and small have also come under repeated cyber attacks and, most recently, British Airways’ systems were compromised, with 380,000 transactions affected.
Most of the victim companies assure us the personal information “harvested” is incomplete – hackers may have gleaned our email addresses or phone numbers, some (but not all) credit card details, and other snippets of information. Keep a watchful eye on your account, the advice goes, and report any suspicious transactions without delay.
This rather overlooks the fact that the hackers wouldn’t bother to steal this information if they felt it was of no possible use. But what would happen if several hackers conspired together to get a fuller picture?
Those of us working in the financial sector can take some comfort from the knowledge that our employers’ systems are mostly about as robust as they come. And our travellers’ personal and financial details are as closely guarded as those of our customers. However, whatever industry we work in, we’re all vulnerable.
Securing travellers’ data
No system is 100 per cent secure, and even if the perpetrators are eventually brought to justice, who knows what information has been passed on? As travel buyers, we have to process huge amounts of data – who goes where, how often, for how long, what their names are, where they live, where they stay and how they pay – and, historically, we have assumed that the systems in place will somehow keep the lid on all that information.
In recent years, partly for legal reasons, partly for commercial reasons, and partly for altruistic reasons, duty-of-care has become the travel manager’s watchword. However, the focus has been on looking after our travellers while comparatively little has been said about looking after our travellers’ data.
For most corporates, “travel” is an add-on – a necessary evil that costs money and merely facilitates the core business. And most employers would likely expect their travel managers to simply piggy-back on existing security systems.
As always, one size does not fit all. A bank’s cybersecurity system may not be appropriate for an airline, a supermarket chain or a freight forwarding company. Furthermore, it may not be an ideal solution for the corporate travel sector – even within the same organisation.
However, there are inevitable areas of commonality, and it is increasingly clear we need some sort of forum whereby best practice can be shared across commercial and sectoral boundaries. If my security system is better than yours, do I just sit back and feel smug, or do I put my IT people in touch with your IT people? It’s not about individual companies; it’s about the integrity of the corporate travel sector as a whole.