American Express Global Business Travel (GBT, No. 3 on Travel Weekly's 2019 Power List) recently named David Levin its chief information security officer. Levin is a 20-year veteran of the information security and risk-management space. Senior editor Jamie Biesiada spoke to Levin about the biggest challenges travel agencies and travel management companies (TMCs) face when it comes to keeping data secure.
Q: What are the biggest security challenges for a TMC like GBT, or an agency?
A: We all have a lot of sensitive traveler data. One of the challenges is: How do we continue to protect that data throughout all the different systems that we might use to service our customers? ... I think it's really about the data being potentially compromised, and a lot of these TMCs might not have a dedicated security team, and they may struggle with protecting that data. They could be easily phished. They could easily be socially engineered.
A big part of that is all the third parties that come into play with travel. You're sharing information with multiple third parties, and you have to ensure: Is that data now protected over there? The customer assumes that they're working with you, but you're also now working with these other third parties. And the value of data, especially on the traveler side, [is increasing].
Q: What kind of safeguards would you recommend to mitigate the chances of data leaking?
A: I would definitely start with employee training. They seem to be the weakest link.
If you're able to build a dedicated security team and focus on that, that's a big part of a safeguard. Bring in someone who knows how to implement these controls. There are lots of technologies. Invest in a high-end endpoint security solution. And if you need to, leverage a third party to help you manage that.
You're always going to want to update systems and security software regularly. These are some of the basics: You're fixing your vulnerabilities, you're updating your systems on the back end and ensuring you're doing the most you can to prevent some kind of attack.
If you're using WiFi, make sure you have good security controls within your WiFi network. Use strong passwords where necessary, although passwords are not really strong enough. You should enable multifactor authentication wherever you can, maybe on your travel agency booking system for your employees and your customers.
Q: Let's say something happens, and data gets out. What do you do?
A: You have to have a plan, and you want to implement the plan by testing it regularly. The plan has to be very comprehensive, and everybody it involves should be trained on it. Ensure you've implemented the controls to identify, if something does happen, how bad it has gotten, where else the bad actor may have been. How do you quickly close the breach?
Q: What's in GBT's future, security-wise?
A: Security is a hot topic right now, and it's hard to find talent, so we want to position ourselves to continue to tell people to work for GBT, especially in our security teams, and continue to drive new technologies and new solutions to protect our customers.