• The tourism sector has a golden opportunity to make a qualitative leap in its offer. Cybersecurity offers a unique opportunity to differentiate ourselves from other destinations; why not display the security flag on the data?

The pandemic and the consequent crisis have caused many companies and sectors to ‘forget’ or push aspects such as information security onto another plane. Dingus’ commitment to cybersecurity, however, has not only remained one of the pillars of the business for us and our clients, but has also risen in the ranking of priorities. While we intend to continue applying the most demanding standards in the field (national and international), we have asked the experts to share their knowledge so that we can face the moment and the challenges of the future with more information and guarantees. This is the first talk-interview of a series with which we seek to learn in order to decide, to know in order to act, and to know in order to strengthen ourselves.

How would you evaluate the crisis we are experiencing in terms of cybersecurity?

Whenever I can I use few statistics about the approximate number of cyber attacks, online fraud, recovery costs, etc. After all, they come from more or less reliable studies, many with the intention of selling products. So I’m going to give you a clear example of how it is… So far this year we have had more requests to resolve issues of online fraud than ever before. The perception of small and medium-sized companies in the face of cyber-attacks is that it is very far away. Logically, the media talk about attacks on large multinationals because of their relevance, but never about an incident that occurred in a small company. Curiously, this practice increases the danger of SMEs suffering attacks or online fraud, since they think it is far away.

In a certain way we have seen it with the coronavirus, which began in China and which we saw as so far away that we even gave our opinion in ignorance of what was happening. Well, cyber-criminals are taking advantage of the current situation to extort and steal from their victims more easily than ever. We constantly receive emails, SMS or links to websites related to Covid-19. For example: self-assessment tests from the Ministry of Health, advice from WhatsApp, purchase of face masks and even fake job offers. I can imagine the state in which many people find themselves and therefore, even if they are a little alert to it, they fall into one of these traps.

The worst thing right now is the fake invoice fraud. We receive an email from a supplier asking us to pay an outstanding invoice into a bank account located in another country. The finesse with which they craft the email is frightening, using real contact names and companies, and demonstrating knowledge of the company that is the victim of the fraud. It always hurts to lose money to fraud of this type, but these days it hurts more… So, in response to the initial question, cyber-attacks have increased significantly and are expected to get worse over this year and next.

What about data protection? Is the emergency serving as an excuse for the violation of rights or the relaxation of obligations?

The Spanish Data Protection Agency is certainly busy these months. We have never lived through an era where the collision between fundamental rights and data privacy is so evident. Unfortunately, on this occasion we have to choose between factors such as public health, duties as citizens, the state of emergency or the welfare of workers, and the protection of personal data, privacy and the right to privacy. In the end, when there is a collision of rights, we must choose which one deserves greater protection and, in this sense, the Data Protection Agency has defended, as far as it could, the privacy and intimacy of people.

The use of tracking applications developed by both the central government and some regional governments has generated a lot of mistrust among citizens and privacy professionals. In fact, the Data Protection Agency complained about the lack of privacy in the design of the application (measures to guarantee privacy before, during and after the development of the application), but the government claimed a lack of time. Imagine if it had been a private entity… In any case, I recognize that it is necessary to make an act of faith and think that the use of tracking and geolocation data is going to be safe. I am not confident that development will be carried out by private companies, but we must demand maximum control now and especially in the future. Let’s not forget that a lot of data is stored on the servers of these companies.

But, can the exponential increase in the use of health data for health security issues… be done by guaranteeing the confidentiality of the information? Is there an awareness of the value of preserving it now?

We have to differentiate between the necessity and legality of the processing of health data and the obligation to guarantee the confidentiality of such data. The General Data Protection Regulation already regulates the legitimacy of the processing of health data in pandemic situations, especially by the authorities. However, at no time does this legality excuse us from taking measures and guaranteeing the privacy of the data, however exceptional the situation may be. As I said before, tracking apps obviously analyze contacts and geolocate the mobile if necessary. The Radar Covid application, from the Ministry of Economic Affairs and Digital Transformation, explicitly states that it does not collect personal data of any kind, nor geolocation, nor the identity of people with whom you may have been in contact. It seems that in this sense the Ministry itself has guaranteed privacy in a tremendously “greedy” context. Note how much data we could extract and use for purposes other than the control of the pandemic itself (users’ habits, who we spend more time with, the movements we make, etc.).

The most worrying thing is the register of clients who go to leisure premises, also used in stores, premises, etc. This is an example of the application of a regulatory obligation resulting from the pandemic that breaches several data privacy principles. For example, as the Data Protection Agency itself says, is it necessary to fill in name, surname, ID card, telephone number, etc. in order to comply with this obligation? Obviously not; the telephone number and the date and time of entry and exit would be enough to be able to carry out tracing work in case of necessity. A few weeks ago I went to a store and they asked me for identification data, ID and signature for the customer register. Apart from not complying with the principle of data minimization, I could see on the sheet all the people who had been to the premises in the last few days. Honestly, it is not so complicated to respect the customer’s privacy by eliminating the possibility of identifying him so clearly.

The effect of using cell phone tracking techniques for coronavirus control has made people more aware. Moreover, giving data to companies for visitor control (for eventual contact tracing) causes confusion and suspicion. As for how it affects the tourism sector, continuing what I said before, I think that in recent years the tourism sector has had a golden opportunity to make a qualitative leap in its offer. Let me explain: we have an abundance of obligations to guarantee health safety, such as controls of origin, action protocols, physical protection measures or customer tracking. The tourism sector has made a great effort to comply with all regulations and, in the case of the Balearic Islands, has probably done so before anyone else. What am I missing? Well, precisely making the security and privacy of the data a selling point. I recognize that I don’t have much confidence in the treatment of data by third parties, such as the latest application that helps register customers, and that distrust increases when I go to another country. Why don’t we display the security flag on the data? I believe this is a very important factor in promoting the arrival of tourists, guaranteeing not only the reliable and transparent use of data, but also security against cyber-threats. I believe that the drive for cyber-security in the tourism sector has increased in recent years, without reaching a desirable level, but it offers a unique opportunity to differentiate ourselves from other destinations. I don’t want to name other countries, but imagine how much confidence you can have in using applications that track your movements and contacts in some not-so-developed destination.

It is precisely the issuing markets in the tourism sector that are increasingly demanding information security from the inbound or intermediary markets. How do they cope with this and in particular what does Hitt Group (Dingus and Etoolinnovation) do?

Since the coming into force of the GDPR there has been an increase in the control exercised by customers over the use of, and the security measures applied to, their data. In most cases this is done by means of questionnaires, some of which are long and tedious, in which the provider is given the third degree in order to guarantee how the data is used. From the first moment we have defended certification in international standards, such as ISO 27001, so that this audit is not necessary. If we have such certification, it is because an independent third body or certifying entity (SGS, AENOR, Tüv-Nord, etc.) already verifies and certifies that you comply with an information security standard. This practice has been widespread for many years on the American continent and to a lesser extent in Asia, where international certifications enjoy great prestige and make you play, literally, in one league or another.

Obviously, the issuing markets in Northern and Central Europe also verify security through standards such as ISO 27001, although I must say that this is less widespread in our country. Parallel standards such as TISAX have emerged to guarantee information security in the automotive sector, and let’s not forget PCI DSS for payment card security. Well, with the ISO 27001 standard you have in all cases between 85% and 90% compliance with the aforementioned standards. In the case of Dingus, years of certification in the ISO 27001 standard have allowed it to face climbing real mountains like PCI DSS, in variables such as the culture of information security in the company, its management from the company’s leadership, or the application of security controls in its systems and physical headquarters. You can imagine the efficiency that the implementation of other standards has meant for Dingus, minimizing overall costs and allowing it to achieve new strategic objectives.

Xavier Ferretjans

New Technologies Responsible, Binaura Monlex

Information Security Advisor at Dingus


“I have been contributing my experience and work to Dingus for many years, supporting them in information security matters, and I have to say that it is gratifying to see how they have been growing in this sense. It was not easy to start the implementation of ISO 27001, but their conviction of its usefulness has allowed them to increase their reach into markets more experienced in the use of international standards. Although the most important factor, and one on which I have insisted very much from the first moment, is the conviction of its internal and external usefulness. Dingus chose to become certified in the standard, but their objective was always to improve information security in all their processes and, since they have made the effort, they certified themselves to be able to demonstrate it. Thus, this commitment was born from the management itself and extends to the workers, transmitting it to their clients, suppliers and allies. Believe me, it has not been an easy or simple path…”