"A solution which does not prepare for the next round with some increased insight is hardly a solution at all." - Richard W. Hamming, "The Art of Doing Science and Engineering: Learning to Learn" (1997)
Continual security risk assessments and predictive threat identification tools are now table stakes for travel industry enterprises to address the wide spectrum of potential attacks.
According to Phocuswright’s travel research report "Cybersecurity in Travel Goes Beyond Technology," there are countless tactical solutions available to enhance cyber defenses, such as zero-trust architecture, homomorphic encryption, elastic log monitoring and behavioral analytics, to authorize access, protect data, streamline monitoring and identify atypical device activity. This is a continual iterative process.
To seriously address the threats created by the exploitation of cybersecurity vulnerabilities, travel industry C-suites need to change corporate objectives and align incentives with desired outcomes.
First, cybersecurity resilience must be integrated into business strategy conception, as opposed to being assessed as a separate, secondary process. Risk assessments typically evaluate known threats, so an emergent challenge for executive leadership will be adequately resourcing defenses against potential future risks.
Second, clear metrics should be defined that assess cybersecurity performance. Four examples might be:
- Hindrance - The number of breaches relative to the number of attempts
- Identification - The average length of time required to identify a breach
- Resolution - The length of time needed to repair the breach
- Impact - The number of records involved and/or monetary impact
Next, the best front line of defense is always a well-informed staff. Cybersecurity training needs to be transformed beyond an annual review of a policy slide deck. Engaging employees in awareness exercises and soliciting process improvement recommendations to identify risks or enhance security taps into specific subject matter expertise that can escape traditional top-down audits.
Finally, C-level compensation should contain cybersecurity risk-related performance requirements. By 2026, Gartner predicts 50% of C-suite employment contracts will do so. Currently, only 13% of boards have instituted cybersecurity-focused board committees headed by a dedicated director. Board-directed oversight and compensation alignment will ensure "sufficient" resourcing of travel industry cybersecurity initiatives.
The rapid acceleration of technological advancement and the travel industry's growing reliance on technology to lower costs, improve productivity and drive profitability will only broaden the potential scope, frequency and severity of cybersecurity threats. Taking proactive steps to make cybersecurity a foundation of corporate business strategy will help travel-related organizations deploy more efficient and effective methods to reduce exposure to cybersecurity risks.
It’s imperative for any executive to understand how safety and security vulnerabilities can exist in all parts of the journey and how to address them. Highlighting systemic challenges, legendary security hacks of the past and possible solutions, this report addresses the key issues associated with digital protection in the increasingly complex travel ecosystem.
This report is available to Phocuswright Open Access subscribers.