ARRIVALS
SPEAKING OUT
Data security
The numbers add up
In a digital world that demands more rigorous requirements around data privacy and security, Elyes Mrad considers the challenges that organisations face when building more robust systems
We have become accustomed to hearing about major data breaches in the travel industry, and although it may appear that cybercrime is increasingly prolific, it is a more complex picture than that.
Europe’s General Data Protection Regulation (GDPR), which came into force last year, brought in universal breach notification obligations, while all US states have also passed breach notification laws. So to some degree, the apparent rise is because we have better visibility on cybercrime. But it’s also true that today those carrying out data attacks are increasingly better organised and resourced, so attacks are more sophisticated and harder to prevent.
GDPR has reinforced the fact that we are an industry that cares for people on the move, and part of that care is protecting their data. So we all need to understand our responsibilities and what we can do to mitigate risk at individual, organisational and at industry level.
When selecting a supplier, it’s vital you put them through their paces on their privacy regime – and you should shine the spotlight on your TMC in particular. Your TMC needs to share traveller data with a vast network of travel partners all around the world, so it’s essential they have a highly robust third-party assessment programme to ensure those partners meet security standards.
All your suppliers should be able to show expertise, transparency and a robust compliance framework. If they have a compliance regime such as Binding Corporate Rules, which are approved by the EU data protection authorities, you know you’re dealing with a company that takes it seriously. Your attitude with new suppliers should be: ‘Don’t just tell me what your policy is; show me and prove you have all the right controls in place.’
“A traveller’s PNR reveals a lot of information, yet people often treat printed itineraries rather carelessly”
ELYES MRAD
Elyes Mrad is International Senior Vice President and Managing Director at American Express Global Business Travel (GBT). Elyes heads up commercial business in EMEA and APAC and is responsible for driving growth and client retention strategies in these regions.
Another area that needs attention is your strategy for managing a data breach. GDPR places breach notification obligations – to individuals and authorities – on the data ‘controller’, rather than the ‘processor’.
If your TMC is contracted as a controller, you’re in a good position because you have removed a source of liability from your own organisation. But if your TMC is contracted as a processor, the obligation to notify of a breach remains with you – and you need clear internal strategies for handling such notification procedures.
What else can we do to minimise risk? Insider threats are one of the biggest factors in data attacks, not usually because an employee is deliberately doing wrong, but because they inadvertently give access or information to the bad guys.
There is plenty that organisations of all sizes can do to mitigate this risk, such as building an identity and access management programme that minimises privileged access to sensitive data and monitors activity of those accessing it.
Another vital area is education. For example, phishing – fraudulent emails disguised as genuine requests from trustworthy entities – is becoming more pervasive and convincing. So you should put rigorous, regular phishing training and testing in place, including sending sample phishing emails to employees. For organisations with limited resources, advice on phishing is freely available online and can be shared with employees.
Another area where education can reduce risk is in training travellers to be more vigilant with their own data. A traveller’s passenger name record (PNR) reveals a lot of potentially sensitive information about that person, and where they are travelling from and to, yet people often treat printed itineraries carelessly rather than as confidential material. The same awareness should be applied to working on laptops in public places.
But while cybercrime makes the headlines, remember to look beyond the digital environment at traveller behaviour and vigilance. Think about this: long before the advent of the internet, how many company secrets have leaked out via lively discussions in planes, trains and bars? Safeguarding private and sensitive information should be everybody’s business.
SARA KURFESS<br />
THEBUSINESSTRAVELMAG.COM<br />