More than half (52%) of British businesses fell victim to cyber crime in 2016, at a cost of nearly £30 billion, according to a recent survey from Beaming. The specialist internet service provider also recorded a fivefold increase in the number of unique IP addresses used to launch attacks against UK businesses during 2016. More than 98% originated from outside of the UK.

Cyber security is important for all our members, whatever an agency’s size and focus. Larger organisations are more likely to become a victim of cyber crime due to being more valuable targets, but cyber attacks on smaller businesses can cause disproportionately more harm. A single attack could break a small agency.

It only takes one customer complaint for a business to be investigated. This was the case with TalkTalk recently, and they were subsequently fined £400,000.

One of our members recently found their supplier log-in details were compromised. Whoever obtained these passwords started to make accommodation bookings in the Dominican Republic. The IP address from where the bookings were made was also in the Dominican Republic and very quickly they racked up more than 20 false bookings.

The member changed their supplier passwords, but then the perpetrator had the audacity to contact suppliers directly via email to change the passwords again. We all know it’s easy to be fooled by an email that looks legitimate, even if the sender’s address should be ringing alarm bells.

Even Abta recently fell foul of cyber criminals, with a security breach affecting the data of 43,000 people. Strange as it may sound, Abta was lucky with the timing. The EU’s General Data Protection Regulations (GDPR) come into effect in May 2018.

The UK is unlikely to have left the EU by then, but even once we have, it’s likely that most GDPR regulations will be adopted by the ICO (Information Commissioner’s Office) after Brexit. There will be a significant rise in fines if organisations are non-compliant. The current maximum fine is £500,000, and the new maximum will be €20 million, or up to 4% of worldwide annual turnover (whichever is higher).

Your supplier/log-in details are a valuable asset, which must not end up in the wrong hands. Larger businesses should employ a data protection manager. But everyone should be running the latest software and ensuring third-party anti-virus software is up to date. Avoid storing supplier log-ins on a PC or a mobile device, linked to the cloud. Don’t share supplier log-ins over email, change passwords every three months and if a team member leaves, change them immediately.

It’s a challenge keeping track of various passwords – the days of using “password” or “travel” for every log-in are gone. But putting a proper process in place is a small price to pay to avoid a long-term headache.


Julia Lo Bue-Said is managing director of The Advantage Travel Partnership