Tourism and Hospitality


Jersey has more than 500 tourism and hospitality businesses, employing more than 6000 people. (Figures correct as at June 2023.) This sector includes:

  • pubs, restaurants, cafes, bars, and food vans
  • catering companies and food delivery services
  • hotels, guest houses, holiday rentals, campsites
  • activity providers (including equipment hire and experiences)
  • event venues, event planners

There are two main factors that make these businesses vulnerable to cyber attacks.

Firstly, tourism and hospitality businesses hold a lot of information. All businesses will hold personal and financial data about their staff and suppliers. Some businesses may also hold data about hundreds or thousands of customers. This data is attractive to cyber attackers.

Secondly, these businesses focus on front-of-house work. Any administration processes aim to support this work, rather than the security of the business. Smaller businesses are less likely to have staff who develop or monitor these processes, or check they are secure.

If a cyber attack on your business were successful, it could:

  • reduce how many customers you can serve, or stop you serving customers at all
  • damage your reputation with current and potential customers
  • affect the reputation of Jersey as a tourist destination

Any of these effects would lead your business to lose money in the short term and medium term. Any loss would have consequences, but higher losses could put the future of your business at risk.

We’re here to offer information, advice and support. For more information, contact us, or check our Advice and Guidance page for the latest information.




How could a cyber attack affect my tourism and hospitality business?

A cyber attack could affect your tourism and hospitality business in several ways. How it affects you will depend on the type of attack, and what the attackers have managed to access.

This page gives examples of some of the issues you might face.

Generating business

A cyber attack could make it harder to generate business. You might lose access to your website and your social media channels. You might still be able to rely on traditional forms of advertising, but these are more expensive. They also reach fewer people, especially people living outside of Jersey.

This could make you less visible to potential customers, and could lead to a loss of business.

Taking bookings

Many tourism and hospitality organisations make use of online booking forms. This includes through forms in a website, a third-party app, or in-house software. A successful cyber attack could affect whichever system you use.

You may be able to find non-digital solutions to enable you to take bookings. But these will be more time-consuming for staff, and may be less user-friendly for customers. This could lead to fewer bookings, and a loss of income.

Taking payments

A cyber attack could stop you from taking payments from customers by stopping you from using traditional card machines. It could also stop you from using modern Point of Sale (POS) systems like SumUp, Square, or Zettle.

Whatever causes it, having no access to your payment systems will have an effect. Many customers don’t carry cash with them every day. While they’ll still be able to pay you, customers may find cash inconvenient, and may decide not to spend money with you.

Paying suppliers

A successful attack could also mean you are unable to pay your suppliers or your staff. It’s likely your tourism and hospitality business relies on regular fresh supplies. This is especially true if you sell food as part of your business. If you’re unable to buy supplies, you may have to remain closed for a few days, or even weeks.

If the attack affects your payroll systems, you may not be able to pay your staff in good time.

Loss of trust

Any element of a cyber attack is likely to lead to a loss of income of some form. But a cyber attack can also cause you to lose your customers’ trust. This loss of trust could have a long-term effect on income, even after you’ve dealt with the attack itself.

If your hospitality or tourism business focuses on visitors, it could cause a wider loss of trust in Jersey as a destination. This could have longer-term effects on the industry.



How to protect your tourism and hospitality business

Potential cyber criminals are always developing new techniques and approaches. This means that there’s no way to guarantee that your tourism or hospitality business is safe from every cyber attack.

However, there are several steps you can take to reduce how likely you are to be a victim of a cyber threat.

Address your training challenges

  • The tourism and hospitality sector has lots of staff working part-time. It also has a high number of staff who are working in Jersey on a temporary basis. All these staff need cyber security training.
  • This should include training on setting strong passwords, managing access to accounts, and identifying phishing attempts.
  • You should make sure that training is mandatory and happens on a regular basis. This will mean that you can ensure all staff get training, no matter what type of contract they’re on.

Back up important information

  • Identify which information is critical and make sure that you have a segregated backup. This backup can be online, for example, through a cloud-based service. It can also be offline: on a USB stick, an external hard drive, or a computer which is not connected to the internet.
  • Schedule regular backups of your data. This will mean that you have access to the most recent version of your critical information.
  • Test your backups regularly. This will mean you know if the backups are working. It will also mean that you understand how to recover the information if you need to.

Protect against malware

  • Make sure that all your computers have antivirus software installed.
  • Update all your IT devices regularly. This process is called patching. It means that the developer of your device has identified security issues and fixed them. Your staff should also patch any personal devices they use for work.
  • We recommend that you aim to install patches no more than 14 days after they’re released by the developer.
  • You should install antivirus software and firewalls on all devices. This includes any personal devices that staff use as part of their work. Antivirus software detects and removes any malicious software or viruses from your computer. Firewalls create a protective barrier between your network and external networks.

Use strong passwords

  • Turn on password protection wherever it is available: this includes across all the devices and services you use.
  • Make sure that all staff are using strong passwords. The National Cyber Security Centre (NCSC) suggests using a combination of three random words.
  • Use extra security protections, including 2-step verification, wherever it is available. You can find more guidance on this via the National Cyber Security Centre (NCSC).

Be wary of phishing attacks

  • Cyber attackers use phishing as a way into a system or network. They will often send an email to trick a user into clicking a link or downloading an attachment. The attachment or link will allow the attackers to steal the user’s information.
  • Ensure that staff are aware of this risk, and that they remain vigilant.
  • You can limit the damage a successful phishing attack can cause by making sure that only a few users have admin access to your systems and accounts. This is referred to as the principle of “least privilege.”

Have a plan

  • Developing and testing an incident response plan won’t prevent a cyber attack. But it will help you respond if you do experience one.
  • An incident response plan sets out what you would do in the event of a cyber attack. This includes who will make decisions, how you can contact them, and what process you will follow.
  • An incident response plan will also set out when to seek legal or HR support.
  • You can find more information about incident response plans via the UK’s National Cyber Security Centre (NCSC).


Cyber Essentials

Cyber Essentials aims to protect organisations against a range of cyber attacks. The scheme is backed by the UK Government and is available in Jersey.

Cyber Essentials is a certification scheme. To be certified, you need to have basic cyber security measures in place. This scheme focuses on preventing the most common types of cyber attacks. These attacks are usually targeted at organisations that have no basic protections.

Once you’ve introduced these measures, then you can become certified. There are two different levels of certification.

Cyber Essentials (CE). To reach this level, you take part in a self-assessment. This process is easy to follow so that even small organisations can take part. This level of certification costs from £320 (from 2 April 2024).

Cyber Essentials Plus (CE+). This level builds on the CE accreditation. We recommend this certification if your organisation uses technology to deliver your service. We also recommend this for organisations that process confidential data. What you pay for CE+ will depend on how big your organisation is.

Find out more about on-Island providers of Cyber Essentials.



Jersey Cyber Shield

Jersey Cyber Shield is a free service offered by JCSC for organisations. We have designed it to give you extra protection by working with the security measures you already have in place.

We use four methods to find security weaknesses which an attacker could target. If we find weaknesses, we tell you what they are so that you can address them.

Jersey Cyber Shield is suitable for different sizes of organisation and is free to join. (There are some optional elements which are more complex. Because of this, we may need to request a contribution if you want access to these services.)

You can find out more about Jersey Cyber Shield on this page.



Useful resources

If you need more information about cyber security, your IT provider should be your first contact.

The UK’s National Cyber Security Centre (NCSC) has produced advice and guidance that can support you.

You can also find more advice and guidance on our website.



Reporting an Incident

If you experience a major cyber security incident and report it to us, we can help you in several ways. We can provide technical advice and guidance to help you respond. We can also use our access to intelligence and expertise to help inform how you respond.

In some circumstances, we can provide direct technical support, and help you communicate.

You can also report an incident by phone on 01534 500050, via email (incidentreports@jcsc.je) or online via this form.

Find out more about how we can help.

Who you need to contact will depend on the type of attack, and the organisation.

The States of Jersey Police (SoJP). You should contact the SoJP where a crime has taken place, or if you suspect that a crime has taken place. They have the ability to handle digital forensic investigations. More information on how to report a crime is available via the SoJP website.

Jersey Office of the Information Commissioner (JOIC). You should report the incident to JOIC if the cyber attack has led to a personal data breach. You can find more information on when and how to report a breach via the JOIC website.

Action Fraud. Action Fraud is the UK reporting centre for fraud and cyber crime. You can make a report via the Action Fraud website.