The future is bright in travel. It is a digital, connected, seamless and hyper-personalized world that allows travelers to shed the headaches of constantly re-presenting credentials, sharing the same information repeatedly, installing dozens of apps for every provider and mode of transportation or lodging and still not getting personalized service or even relevant information in real time—especially when there is a disruption.

One would hope (or even expect) that systems being built for airlines, airports, cruise lines and more are using all of the new technologies available, such as encryption, distributed ledgers and biometrics. While one may hope for this, it isn’t necessarily happening because the travel industry operates on a landscape that is full of decades old legacy systems that were designed with the expectation that thick data center walls and a few dedicated holes drilled into firewalls for communication would be enough.

Now brace yourself: Not much has fundamentally changed in IT security, even as the use of new technology has taken off. Take for instance, bitcoin. This currency requires close to 35 million tons of CO² to be released into the atmosphere every year (that’s the full output of the country Denmark) consuming over 73 TWh of electrical energy, enough to power Austria for a year[1]. What is also new is that data that was contained in an individual application now gets pooled and consolidated in data lakes to potentially enable the use cases of the bright future.

Next stop: reality

The world is beginning to wake up to the fact that this data needs a different level of protection, manifesting in regulations like GDPR and threatening with real sanctions such as fines of up to 4% of an organization’s annual turnover[2]. But as the legislation evolves, data remains exposed and vulnerable.

Almost all travel companies use office software that is not equipped to delineate between enabling a fancy cell coloring macro in a spreadsheet and the undetected installation of first-class remote control software on the machine.

Many companies use office hardware that will allow an undetectable chip in a charging cable to use a USB port to load remote control software from the internet, install it as AutoStart and cover up every trace of it. If that software is used by a “professional”—not a child downloading it from the darknet—it is not based on typical malware toolkits and therefore won’t be identified by virus scanner pattern databases or even behavior analysis. I won’t even mention Internet of Things (IOT) devices that run small webservers that will also give you their password database if you know how to make the right request.

So, what do you do?

The travel industry must embrace a bright future—without a blindfold on. But how? Stop digitizing? Rewrite the full application core? This is not realistic and would actually be more likely to create a real problem from a low probability threat. Here is what is really required:

  1. Understand your vulnerabilities, including where you outsourced applications or business processes. A vulnerability check needs to be repeated if there is a change such as a cloud journey or increased level of automation, API enablement or alike.
  1. Know your enemy and the attack vectors—who may be competitors, political activists (e.g. based on Travels CO2 footprint), angry customers, etc. A deep understanding of the attack surface requires knowledge of the industry data architecture and communication topology and formats.

  2. Prioritize your actions because you won’t fix security completely. It is very important to make the right changes at the right time to make best use of security investments. And wherever security enables new revenue sources, e.g. as a prerequisite for commercializing your data, those investments are not a pure cost factor.

  3. Educate and support your people as social engineering is the easiest attack vector by far. If you ask people to identify malicious emails by criteria such as external URLs, etc. then please don’t use them in official emails just because someone in IT didn’t provide a Domain Name System (DNS) entry for a business partner or this partner lacks the ability to really provide a site for your employees using your DNS space.

  4. Prepare for the inevitable because it’s just a matter of when, not if, you will face a successful attack. When it happens, you are not in a position to look for help by submitting a Request for Proposal or educating a generic security firm on your application or data landscape. Every second will count in containing the damage. Work with a partner that knows your industry and that can identify remaining vulnerabilities to help quickly.

So, you see, this is a really complex topic and it is massively changing with digitalization and cloud migration as well as the API economy. It is a really bright future ripe with opportunities to provide the differentiated services that customers demand. Just don’t move forward with blinders on.

Copyright © 2020 Accenture. All rights reserved.

[1] https://digiconomist.net/bitcoin-energy-consumption

[2] https://www.gdpreu.org/compliance/fines-and-penalties/

Robert Zippel

Managing Director

Subscribe to Accenture's Compass Travel Blog Blog Subscribe to Accenture's Compass Travel Blog Blog