Why cyber-criminals want to visit Welsh tourism businesses



Wales Tourism Week is here once again, and this year it is focussed on helping to raise the profile of the tourism industry and the exciting opportunities it provides for jobs and careers across the region at a time when there is a large-scale skills shortage in the sector.


Over the last twelve months, the Cyber Resilience Centre for Wales has been working with Welsh tourism businesses to help increase their cyber resilience. With so many operators now furiously recruiting to fill roles, recruitment is one of the many potential weaknesses when it comes to a cyber-attack.


Some businesses have even found themselves on the receiving end of social media scams with fake recruitment agencies claiming to help find people job openings, then encouraging them to share identification documents and pay for security checks.


WCRC Director, Detective Superintendent Paul Peters, says: “As we have all seen reported in the news last year, the number of vacancies across the UK tourism sector has significantly increased, with many businesses not able to find the staff – the World Travel and Tourism Council (WTTC) reported at the end of last year that in the UK alone, one out of every eight jobs advertised is in the travel and tourism sector.”


Paul continues: “Whilst recruitment remains a top priority, so should cyber security and safeguarding our online systems and private data. We have been speaking to many businesses in this sector and the worrying trend is that most still believe themselves to be too small and too regional to be a target. Yet, we know this is not the case, as cyber-criminals will often target the more vulnerable, and size and location really doesn’t matter!


“Ensuring we are protected from such attacks is critical, and that needs to come from not only securing devices in a more effective way, but also looking to those we employ to help protect against threats, serving as a key frontline defence in identifying a cyber-attack and ensuring that your sensitive information is protected,” Paul adds.


Staying cyber resilient is important across every element of a business. Tourism organisations across Wales are constantly taking bookings online and collecting personal data from their customers, who expect that information to be kept safe. Yet unless simple steps are taken to protect it, such as awareness training on how to spot a fraudulent email, you are vulnerable to being exploited.


“Recently one of our members was able to recognise that they had been contacted by an imposter pretending to be from a well-known online marketplace for homestays. Thankfully, they had made it their business to raise their awareness on how to recognise phishing attempts which ultimately prevented them falling victim to fraud.”


“Just last year there was a well-reported incident where a company that operated on Instagram found itself locked out of its account and therefore unable to keep running the business. Which is why it is so important to ensure you and your team have strong passwords and consider having two-factor authentication to protect your most important accounts.”


Jim Jones, CEO of North Wales Tourism, said: “Tourism is one of North Wales’s biggest economies and employers. Nearly all operators in our sector rely on computers and technology. With such a vast network, every business becomes vulnerable to a cyber-attack. We have experienced an attack previously, and it caused a lot of disruption and can result in a considerable loss of revenue and time to recover.”


Paul concludes: “We will all have seen the devastation that a fire or flood can do to a small business in Wales, but it is not so visible when it comes to cyber-crime. But these attacks can leave a devastating impact with far-reaching effects. Businesses can suffer from a long list of serious implications, including destruction, alteration, or loss of important files, unauthorised access to sensitive data, loss of billable hours, network access and website access, reputational damage, as well as potential closure, to name a few.”


We know there is so much to consider, but you can make real changes by taking simple steps which aren’t necessarily technical. Let’s start with a few basic points:


· Training! Will you and your staff recognise a phishing email? There was a time when these were easily recognisable, but today they can be extremely sophisticated, so make sure you know the tell-tale signs. They may even be in Welsh!

· What have you got in place to protect your most important accounts? We recommend a strong password using three random words, in conjunction with two-factor authentication.

· Where are you storing your data and what have you got in place to protect it? Have you made a backup of your most important data, and ensured the backup is disconnected from your network or device?

· Have you reviewed and understood your obligations regarding the various privacy laws regulating your customer relationships?

· Have you tested your security? For example, are there any vulnerabilities on your website? It is surprising how often there are!


Here at the WCRC, we want you to take the small steps to protect your business this summer, and ensure it is both successful and able to provide your customers with a fantastic experience here in Wales.


We offer free membership which includes a meeting with someone from the centre to talk through basic cyber security options, but also some more technical services at a discounted rate that can help you understand where you need to address vulnerabilities.


