By Stuart Mundy, Senior Information Security Engineer at Equiom
With an increasingly complex cybersecurity landscape, I thought it fitting to talk about cybersecurity in one of the most vulnerable sectors, hospitality. 2019 has been another year which has seen a massive release of stolen credentials and hotel systems being breached. Choice Hotels lost more than 700,000 customer records to online criminals. Marriott hotels have been fined £100 million for their 2018 breach.
Hotels are always going to be a choice target for cyber criminals as the amount of information a hotel stores is a potential gold mine for online criminals.
So what are the main threats facing hotels?
1. Phishing
The simple attacks are almost always the most effective and require little effort on the part of an attacker. Phishing has been a well-known term among cybersecurity professionals for years and these types of attacks have typically been easy to spot. However, phishing has become increasingly sophisticated and it is getting harder to identify malicious emails. More and more managers and hotel owners are being specifically targeted, and attackers are timing the release of an email to coincide with busy periods, hoping the recipient will action a request quickly and without giving it much thought.
2. Ransomware
Ransomware has been a persistent threat for a number of years and takes advantage of the fact that many hotels do not have dedicated technology support to ensure systems are patched and protected with anti-virus and anti-malware tools on a consistent basis. Ensuring strong patch management along with robust anti-malware controls is vital for any business, not just hoteliers.
3. Point of sale (POS) systems
One of the things sure to bring attention to any business is the breach of a POS system and subsequent loss of customers’ payment data. Many hoteliers do not understand the level of liability they may have to accept in the case of such a breach and that’s just from the credit card providers, never mind the Information Commissioner’s Office (ICO).
POS systems are usually attacked because they are typically looked after by third parties who are most likely not updating their systems on a regular basis or providing any meaningful level of configuration security, often leaving the default configurations and authentication in place.
65% of all hotel hacks have been initiated through POS systems.
4. Insider threat
It is not pleasant to think that your employees may be working against you – but it is all too common. From simply taking documents to be used in a new job to harvesting credit card details from guests – the insider threat is very real and must be taken seriously. Staff will often have access to guest records and cleaning teams will have direct access to rooms and belongings. Hoteliers have to consider what third parties have insider access to their systems and data, as well as employees. Having a robust incident management plan that covers insider threats is vital.
Hotels see a wide variety of guests spanning different age groups, cultures and political persuasions. As a hotel owner/operator, you never know who will be staying with you. Internet access is no longer a luxury but an essential for most guests. However, hoteliers must ensure the access is controlled, monitored and secure. Hotels may be liable for anything their guests do while using their network. It is also vital to ensure that the guest wireless network is segmented from the corporate network. Failure to do this can easily lead to guests browsing networks and potentially seeing systems and data they shouldn’t.
The digital world can be a dangerous place, but with the right controls to protect customer data and management systems, hotels will remain secure. Equiom has engaged global cybersecurity services provider, SureCloud, in a referral agreement for SureCloud to help clients remediate risks to assets, networks and data posed by cyber-attacks.
Contact Stuart Mundy for further information on the topics discussed in this article.