A guest blog by Sherron Burgess, Senior Vice President and Chief Information Security Officer, BCD Travel
BCD’s Travel Risk Outlook report identified cybercrime as a top concern our industry should monitor. The transactional nature of the travel industry and the legacy systems on which many companies still rely make it an attractive target. In recent years, cybercriminals and hackers launched large and small attacks against several leading travel brands and all aspects of travel – airlines, hotel companies, IT companies, travel agencies, airports, fuel suppliers. As the industry recovers, hackers may again see us as a lucrative target. BCD’s data security strategy drives toward three core objectives to safeguard customer data and customers’ interests.
BCD Travel’s data security strategy
The first objective is ensuring our employees are trained, competent and aware of how to identify and respond to suspected security events. Global Security Awareness Training is made available to staff in nine different languages. We employ mechanisms to report phishing attempts, crowdsource information to enhance detection and push real-time security alerts to employees. We also conduct role-specific training to ensure data is handled properly throughout the data lifecycle.
Key audits and certifications
Second, we validate the security and compliance of data in our care through key audits and certifications. Our information security program is annually tested by reputable third-party auditors and qualified internal auditors against industry standards and regulations.
We hold certifications that help assure travel information is secured. Our ISO 27001:2013 Information Security Management System [ISMS] certification demonstrates that BCD follows an international standard for information security best practices. We leverage our certified Risk Management processes to assess supplier products and services based on the scope and provision of services within the organization. Our data centers are ISO 9001:2015 and ISO 27001:2013 certified for security, redundancy and disaster recovery controls.
SSAE18 SOC 1 Type 1 and SOC 2 Type 2, standards arising from the financial services industry, validate the presence and prolonged maintenance of security control activity throughout our Travel Management Services.
Our Payment Card Industry Data Security Standard [PCI DSS] attestation validates that we comply with the requirements for protecting cardholder data and includes extensive testing and scanning of our systems and networks.
NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC) serve as verification mechanisms to confirm that adequate cybersecurity controls and processes are in place to protect controlled unclassified information (CUI) residing within government industry partners’ environments.
ISO 9001:2015 Quality Management System [QMS] certifies international rigor for data quality. The certification covers bookings and reservations, as well as the customer data we collect, including from third parties. We have a proprietary, standalone Global Data Quality Tool that checks all incoming data before it goes to the database. If the data does not pass the quality standards set by us and our clients, it’s returned to the data provider for correction. Our quality control ensures we input clean data so reliable reports come out the other side. ISO 14001:2015 Environmental Management System [EMS] validates progress on our sustainability commitments.
Our third objective is to operationalize technology and processes to identify, protect against, detect, respond to and recover from security events that may affect the services BCD provides. Our global team maintains operations 24×7 to monitor, detect and respond to suspected security events. We integrate robust incident management procedures, apply leading security technologies, and utilize world-class security service providers to support continuous application of security protections.
Protecting travelers’ right to privacy
BCD takes very seriously the responsibility to protect the client, traveler and employee data that we hold. We comply with applicable privacy laws in the jurisdictions where we operate. We built our privacy program around the requirements of the General Data Protection Regulation (GDPR) because it has global reach and impact. GDPR also offers one of the highest standards in data protection and privacy and serves as a model for privacy laws around the world. Because we operate globally, we follow international security standards, apply appropriate technical and organizational measures and adapt our program as necessary to comply with other national and local laws and regulations.
BCD clients can contact their program managers for support and information. If you’re not a client but want to learn more, contact BCD directly.
Meet Sherron Burgess at GBTA 2022
Cybersecurity: More than a Matter for IT
Ensuring the cyberworld is secure is essential for protecting people, organizations, and infrastructure. As threats escalate, travelers are particularly vulnerable. In this session, BCD SVP and Chief Information Security Officer Sherron Burgess will discuss ways to keep your traveler and company data safe. Spoiler alert: security training refreshers for returning travelers are strongly advised.