Guest Post: The four crucial security checks that prevent cyber-attacks to your travel website

Guest Post: The four crucial security checks that prevent cyber-attacks to your travel website

RapidSpike’s Gav Winter look at how travel brands can futureproof their online presence so they don’t become the next victim of a malicious attack

The majority of travel professionals should be able to recall a high-profile data breach that’s impacted the industry over the past few years.

From easyJet’s January 2020 cybersecurity incident that affected nine million customers – and could result in an £18 billion class-action lawsuit – to British Airways’ 15-day long web skimming attack, there’s no question that having robust security procedures in place is a must-have in today’s digital-first world.

And as we progress through the summer months, more holidaymakers will be browsing their favourite travel websites and tapping their preferred apps for the latest deals to book the next getaway. So, with so much online traffic, travel brands have to enforce both preventative and reactive measures if they’re to combat serious threats from criminals who are ready to pounce.

In response, the best form of defence centres around depth. Malicious attack attempts look to exploit poor configuration from patching, cross-site scripting or injection vulnerabilities on the website, so you need to fine-tune every element of your website if it’s to run like clockwork. Even then, human error can undo it all in an instant.

A multi-layered approach – using a plethora of tools – can provide coverage across a variety of potential security issues. After all, attackers are coming up with new ways to disguise their techniques so a company must continuously analyse its site for vulnerabilities as well as monitor for present strikes.

And for the travel brands able to invest in keeping abreast of their website’s health, reliability, performance and overall security, they’re in a stronger position to protect customers’ data, prevent huge fines and avoid costly damage to their business’s reputation.

Here are four website security checks travel brands can make to battle threatening breaches and future-proof their online presence…

  1. Keep on top of IT infrastructure

Being proactive in preventative measures against security attacks is the first step to building a strong security foundation. Travel websites need to keep infrastructure up to date with the latest software versions and patch vulnerabilities before they are exploited. 

Vulnerability and port scans should be performed regularly to detect open and closed ports, out-of-date software, configuration issues and harmful vulnerabilities.

Google’s Safe Browsing list monitors sites for malware – including social engineering, phishing, and other security issues. Inclusion on this list results in websites being removed from the Google search engine results, and any direct visitors to a site will receive a warning message.

  1. Invest in the advantages of security headers

When a customer visits a website, the metadata sent in the HTTP headers tells their device how to act, how to respond and what rules to expect. On simple sites, the headers might just cover the basics, such as caching policies, but on more complex websites – often seen in the travel industry – the headers can become larger and larger, until the complexity starts to introduce risks.

A HTTP Strict Transport Security (HSTS) header lets a server declare to browsers that it will only interact with them over HTTPS. This provides a defence against man-in-the-middle-type attacks and ensures that all traffic and data types on sites are encrypted.

A strong Content Security Policy header can be used to control what the website interacts with, and where. Security headers form a good baseline defence against a range of attacks and, as such, they should be utilised.

  1. Ensure holiday booking payments go through unscathed

Online transactions can involve a huge amount of sensitive data. This is the point where web skimming attacks can target consumer payments – with Magecart being the number one threat to ecommerce sites today.

Therefore, technical teams must monitor these forms to ensure data isn’t being sent to a malicious host. Some heartening news for customers is that there’s a new revision to the Payment Card Industry Data Security Standard (PCI DSS v4.0). This means it’s compulsory for organisations – who process payments on their site – to monitor consistently and continuously, and also choose a responsible professional external payments service. 

While this isn’t a silver bullet, the PCI developments can go a long way towards travel brands treating their payment pages as secure environments that should be locked down. For example, this security standard requires organisations to audit the scripts on payment pages, define guardrails that prevent data being sent to untrusted locations and ensure nothing can be tampered with.

  1. Monitor all third-party activity

From advertising and analytics to fonts and image libraries, many travel brands will utilise third parties to manage their specialist areas. They do so at their own risk and therefore it’s important that this third-party activity is monitored to ensure they’re not damaging the security of a website. Any organisation is only as secure as their weakest third party.

Using attack detection software, third parties can be monitored and placed into a ‘Trusted List’. And any new host detected will be shown in an ‘Untrusted List’ where the host URL – and requests made – will be visible, as well as which step of the journey it was found on.

Data shown will include the host URL, the site discovered on, step discovered on (if applicable) and requests made, which can help with domain-spoofing/squatting attacks. To monitor security effectively, keeping this list up to date will ensure there is full visibility over hosts and get the most out of the data.

The impact of Covid pandemic has been monumental for the travel industry, and the strides brands have made to recoup some of the many billions lost on a global scale has been nothing short of incredible.

However, two years on, there is no time to waste as things return to some form of ‘normality’. And companies must capitalise on the consumers who are looking to book their first trip since 2020. That means their website must provide an exceptional online customer experience to not only deter cyber-attacks but continue to compete. Otherwise, they risk losing out on the $983 billion this industry is predicted to generate in 2027.