What the 'phish'?

Cyberthreats lurk in each step of a corporate traveller's journey, making cybersecurity a top priority in travel and M&E programmes.

Besides malware and ransomware, social engineering is a common type of cyberattack to target employees. Photo Credit: gettyimages/Seahorse Vector

Vigilance is key for 2022, and pandemic times have added to the complexities faced in meetings and events (M&E) and travel planning. Heading straight to the top of the list is risk management, which is essential for managing Covid-19 and other travel-related issues.

Cybersecurity is one of the top issues to address. Over the last two years, there have been increasing news reports of organisations being hit by malware and ransomware attacks. These attacks are damaging, with far-reaching ripple effects on business continuity, brand reputation, customer confidence and finances.

In Singapore, the Personal Data Protection Act was revised in November last year to impose heavier penalties for data breaches. The maximum amount that a penalised organisation can be fined has been increased to 10 percent of its annual turnover in Singapore or $1 million, whichever is higher. Violators are also named in a ‘shame list’ on the Personal Data Protection Commission’s website, with details of the data breach and the fine amount.

BCD Travel’s Neeraj Singhal, MD for Singapore & CFO for Asia Pacific, elaborated, “In recent years, cybercriminals and hackers have targeted a number of leading travel brands. These have affected all aspects of travel – airlines, hotel companies, IT companies, travel agencies, airports, fuel suppliers. 

“These headline-grabbing attacks distract from the large number of smaller-scale assaults. The transactional nature of the travel industry and the legacy systems on which many companies still rely heavily make them attractive targets.”

Last year alone, leading national carriers in Asia and a luxury hotel chain in Thailand suffered major data breaches. It is not a question of “if” but “when” a cyberattack will happen.

BCD Travel’s Neeraj Singhal, MD for Singapore & CFO for Asia Pacific (left), and Richard Melick, director of product strategy of Zimperium highlight the cyber risks for corporate travellers and travel organisations.

Cybersecurity experts strongly advise implementing a multilayered defence management plan to counter the various sophisticated attacks used by cyber hackers. It includes IT vulnerability assessment; penetration testing of systems to identify security gaps; and even red teaming, which simulates a cyberattack, to root out the weak links in networks, web apps and user security.

Another weak link in many organisations is the employees, whom cyber hackers exploit via social engineering. They take advantage of an employee’s ignorance or complacency to initiate actions that introduce malware into their devices or company networks. We have heard of phishing via fraudulent websites, emails and mobile messages. Now, thanks to Covid-19 and the need for ‘touchless’ technology, there is quishing via the many QR codes that we have to scan in our everyday lives.

Not all cyberattacks involve sophisticated malware or ransomware. Sometimes, all it takes is an old-fashioned scam via high-tech means to exploit human weaknesses. 

What dangers lie in wait for the corporate traveller?

Frequent corporate travellers are constantly connected to devices such as laptops and mobile phones while on the move. But such mobility also means compromising on security. For instance, how many of us are quick to connect to free wi-fi networks? 

Evil twins exist, and it’s not sibling rivalry. They mimic legitimate networks and trick users into connecting to fake wi-fi access points. Once a user is connected, hackers are able to access anything from the user’s network traffic to private log-in credentials.

For corporate travellers and MICE delegates, the threats are manifold. Some can be controlled; some cannot. “Hotels, airports, convention centres, and other major travel hubs provide greater opportunities for such malicious activities as they are able to hide easily in plain sight without raising suspicions,” said Richard Melick, director of product strategy of Zimperium, a developer of mobile threat defence software solutions. 

While laptops may be protected by firewalls and VPNs, which provide some level of security, mobile phones are often not protected. Yet, they contain a wealth of personal information that can be easily exploited by cyber hackers, especially amidst the rising popularity of using mobile wallets to make e-commerce transactions. 

“Phishing, fake and compromised networks, and mobile endpoint theft are all dangers to travellers, both corporate and personal. The corporate traveller’s dangers are amplified because it’s not just personal information at risk. Their ability to access corporate data such as financial information, customer information, and more from their mobile device makes them prime targets.”

Once a cyber hacker has digital control of a device, they will have access to the data and connections used every day. A single user password leak will place corporate data at risk – beyond what is saved in the mobile device.