
Mitigating cyber risks to the hospitality industry

Chuck Brooks

05/01/2024


The following post is a paid partnership between Spectrum Enterprise and Chuck Brooks.

The hospitality industry is not monolithic: it comprises hotels, restaurants, casinos, events, bars and many ancillary supporting businesses. While diverse in size, services, and operations, they all face one common threat: being breached and victimized by criminal hackers.

A data breach can ruin a business and certainly undermine its reputation. For this reason, the importance of cybersecurity in the hospitality sector cannot be overstated. All of these businesses face increasingly sophisticated attacks. Improving cybersecurity in the hospitality sector is a constant process that calls for regular vigilance and evaluation, use of best practices, new security technologies and adjustment to new threats.

The hospitality industry is a preferred target of organized criminals and even nation-states seeking to breach data. According to Hotel Management, nearly 31% of hospitality organizations have reported a data breach and 89% report having been affected by various types of breaches more than once a year.

Types of data breach vulnerabilities

There are many attack vectors aimed at the hospitality industry. They include identity theft, point-of-sale (POS) attacks, social engineering, malware and ransomware infections delivered by phishing, Wi-Fi network hacks, and distributed denial-of-service (DDoS) attacks. These are all frequent causes of data breaches in the hospitality sector.

Identity theft is a common cyber threat. It involves the illicit acquisition and exploitation of a person's private identifying information, typically for financial advantage, and is an increasingly widespread issue within the hospitality industry worldwide. For any hospitality business to succeed, safeguarding a customer's identity and personal data is essential. Theft of guest information is one of the major threats. Network security and cybersecurity are crucial as a result, particularly when experienced thieves are stealing credit card information and identities.

POS attacks pose a significant danger to the hospitality sector. They are a third-party crime, which means they target the provider rather than the hospitality entity itself. POS systems are particularly important targets because, in addition to processing transactions, they can handle orders and inventory.

Social engineering these days can be intricate and increasingly clever. The phishing tools available on the Dark Web are far more advanced than the badly typed attempts of a decade ago. Fake images are used to mimic emails or texts from banks, businesses, employers and even friends.

Another common outcome of social engineering is ransomware. In a ransomware attack, hackers encrypt crucial files so the victim cannot access their data. The hackers then extort their victims, promising to restore computers and data in exchange for a ransom.

In addition to routinely crippling a company's networks and systems, a ransomware assault can also spread uncertainty and panic.

Some enterprises are more at risk than others

Businesses and organizations whose operations depend on logistics planning and supply chain coordination (which exemplify the hospitality industry) are especially vulnerable. Ransomware is designed to spread swiftly throughout an organization's computer networks and systems. For hospitality organizations, ransomware is becoming increasingly frequent.

Public Wi-Fi networks and hardware components, like access points, also present many vulnerabilities. Installing a rogue wireless access point (AP) in a protected network without an administrator's permission is one way that hackers attempt to compromise Wi-Fi networks. With this, thieves can access the network from within the venue or even from a neighboring vehicle.

A distributed denial-of-service (DDoS) attack involves flooding a server or network with too much traffic in an attempt to stop it from operating. Hackers use botnets built from infiltrated networks to create a formidable traffic flood. Botnets are hacker-controlled networks of compromised machines that can propagate malware and/or ransomware to targets; such malware may self-replicate and cause havoc, similar to a biological infection.

With all these threats and risks, everyone in the hospitality industry must take notice and act. Creating a plan or a cybersecurity risk management strategy is imperative to stay safe.

The urgency of a risk management strategy

All hospitality businesses, no matter how big or small, should have a risk management strategy in place. Each hotel, casino, restaurant, or event site has a distinct set of challenges and requirements. It is critical to customize cybersecurity procedures to successfully handle the unique threats they face. Using a risk-based approach can help prioritize resources where they are most needed.

The strategy should include the following fundamentals:

  • The assets that are most important to safeguard
  • Potential threats
  • Corporate responsibilities for mitigation
  • Techniques for incident response and mitigation

Create a risk management framework with operational cybersecurity: This should include layered vigilance (awareness, intelligence, and surveillance); readiness (operational capabilities, a visual command center, and interdiction technologies); and resilience (coordinated response, mitigation, and recovery). These components are the fundamentals of informed risk management, which defines cybersecurity.

The hospitality industry, like all businesses, needs firewalls, intrusion detection systems, anti-virus software, and encryption techniques to guard against unwanted network access and guarantee the integrity of personal data. Regularly updating and patching software is also especially important.

Employ cyber hygiene: Employees in the hospitality sector are frequently the victims of phishing emails disguised as inquiries, booking confirmations, or customer complaints. These emails can contain links that lead to the download of malware. Cyber hygiene is a duty that falls on every employee in a company, and humans continue to pose the greatest risk. Using multifactor authentication, creating strong passwords, and knowing when not to click on a hoax are the essentials.

Keep a low profile, especially when you travel: Social networking platforms are frequently used by fraudsters and criminal hacking groups to plan their malware and phishing assaults. To customize their attacks, they can obtain a lot of information from social media posts, including birthdates and personal histories. Social engineering assaults have advanced significantly with the advent of machine learning algorithms and artificial intelligence.

Use multifactor authentication (MFA): This component of fundamental cyber hygiene helps reduce the risk of unwanted access. Use a password manager and/or strong, difficult-to-guess passwords. Employing MFA raises the bar for password theft by requiring two or three steps to access data, making it a crucial element in combating identity theft. Strong passwords, changed frequently, also complicate an attacker's task. Additionally, to provide an extra layer of security, you can employ biometrics like fingerprints, eye scans and facial recognition.

Implement strong identity and access management: Use identity and access management (IAM) to guarantee that the tools required for work are accessible only to the appropriate individuals and job positions within a company. This is especially important for hotels, where employees have access to both records and rooms.

Back up sensitive data: A hotel's IT stack is interdependent, so a breach in one part can have repercussions in other parts. Because of this interconnectivity, threats frequently require a complete shutdown. Hospitality businesses should put resilient systems in place and prioritize segmenting and backing up sensitive data. Where sensitive information has to be protected, consider using encryption software as well.

Create an incident response plan: The impact of cyberattacks can be reduced by creating and routinely testing incident response protocols. It is important to have a plan in place for fast communication with your important suppliers and contacts in the event of a breach. Management should have a public relations plan to mitigate panic. If the breach is severe, do contact law enforcement, since it may be a component of a bigger criminal operation.

Cybersecurity training: Staff members must treat this as an ongoing effort, particularly learning to identify phishing and social engineering attempts. Phishing simulations can be used to find organizational weaknesses and assess workers' preparedness for social engineering techniques. Employees need to be aware of the risks and of the security procedures they must follow to ensure better safety.

A valuable guide for hospitality

For hotels, which have been among the sectors most targeted by cyber-attacks, the National Institute of Standards and Technology (NIST) has created a guide to assist in lowering the risks associated with a very susceptible and alluring target for hackers: the hotel's property management system (PMS), which houses credit card information and personal information about its guests.

Named “Securing Property Management Systems,” the guide outlines a method for securing a PMS. It gives hotel owners instructions on how to use commercially available tools to monitor and restrict access to their PMS, safeguard credit card information, and preserve guest privacy. 

Having a partner you can trust

Risk management, which is at the heart of cybersecurity, is accelerated by technology, leadership, and a staff of informed and experienced information security professionals. Although there will always be security lapses, the risks to systems can be reduced with preparation and collaboration. 

Managed Security Services (MSS) and Managed Service Providers (MSPs) are options worth considering for both prevention and incident response at hospitality businesses with limited resources. MSS and MSPs can offer threat assessments, deploy cybersecurity solutions and monitor networks. They are cost-effective because many businesses lack the internal subject matter expertise or resources to tackle increasingly complex cyber breaches.

While each hospitality organization has its unique culture, objectives, and skill set, employees, management, and board members are responsible for supervising the company's cybersecurity operations. Making sure that cybersecurity is the organization's top priority should fall on all shoulders.


This article was sponsored by Spectrum Enterprise and written by Chuck Brooks, President of Brooks Consulting International, who is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty at Georgetown University's Graduate Cybersecurity Risk Management Program. LinkedIn named Chuck as one of "The Top 5 Tech People to Follow on LinkedIn." He was named "Cybersecurity Person of the Year for 2022" by The Cyber Express, and as one of the world's "10 Best Cyber Security and Technology Experts" by Best Rated. He is also a Cybersecurity Expert for "The Network" at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, and a Contributor to FORBES.