Travel companies need a disaster recovery plan geared for cybercrime – or could face a systems ‘meltdown’ for days or weeks after an attack.

Recovery plans should include specific insurance against cybercrime and a strategy on how to run the business afterwards, warned Barry Gooch, chairman of travel anti-fraud group Profit.

A cyberattack, such as a largescale data breach, could bring down a company’s computer system and stop it from trading as normal, impacting communication with customers, suppliers or business partners and staff.

Gooch said firms should also regularly test how the plan works – even if it is a ‘desktop’ exercise in which senior staff act out what they would do in this scenario.

In part five of the Travel Weekly-backed Secure Our Systems (SOS) campaign, companies have been urged to include all stakeholders in their disaster recovery plan and ensure technical, legal and public relations advisers as well as human resources staff are briefed.

A hard copy should also be kept by the company and all stakeholders.

Gooch said: “Typically a data breach can take a long time to resolve and for companies to get back on their feet.  If you have a plan and you are hit by ransomware attack, you would normally be up and running again within hours but if there is no plan it could take a week or two – that’s the difference. It could be fatal for some companies.”

Many companies may have computer-based telephone systems and will need to ensure there is a back-up system to communicate with staff and clients, he said.

He added: “You need to think about suppliers and how you will interact with them if your systems are down. Companies may need to allocate staff to other offices because they cannot work on their computers for a time.  Often cyber insurance will not pay out unless companies have a tried and tested plan in place.”

Larger companies with a number of offices could be more at risk because there are “more opportunities to find weaknesses and exploit it.”

There are criteria for reporting incidents to the police, via Action Fraud, and for reporting an attack to the Information Commission under GDPR. Having a plan will also ensure companies assess what data has been compromised and assess whether the crime needs to be formally reported, said Gooch.