The hospitality industry is a magnet for cyber criminals. Hotel chains have global networks, large workforces, as well as complex and often decentralised IT infrastructures. On top of all this, they regularly store and process high volumes of personal and financial data. This data can include customer credit card details, names, driving license numbers, addresses, passport numbers, phone numbers and other personally identifiable information (PII).
When these documents end up in the wrong hands, the regulatory, financial and legal consequences can be crippling; not to mention the reputational damage that you simply cannot afford in such a competitive industry.
This is why securing the integrity of customer and other business-critical data is a top priority in the hospitality trade.
Although the hospitality industry is similar to retail in many ways, it has been slower to adopt advanced security solutions.
Many large hotel chains — Trump, Hilton, Hyatt, Starwood, Mandarin Oriental and others — have recently disclosed problems with cyber-attacks. In many cases, the exact number of records breached has not been made public, nevertheless the overall impact has to be significant.
Despite the breaches, many hospitality businesses keep making the same basic security mistakes. Here are the main steps they can take to reduce the risk:
1: Data security applies across the board
Many smaller hotels operate as franchises or small independent businesses. Often data security is not as high on the agenda as it should be. In some cases, they do not comply with recommended industry security standards, or have IT security teams or even use basic data protection tools.
- The reputation of the hospitality trade can only be improved if establishments take responsibility to protect customer PII seriously right across the board. This includes educating employees and adopting the right technology.
- Compliance with the PCI DSS standard is the bare minimum required. Other essentials are a firewall, regular system updates and patches, encryption, a strong password policy, PCI-compliant applications and POS systems, restricted access to POS computers, and anti-virus, anti-spyware and anti-malware software.
- IT systems also need to be regularly tested and assessed for vulnerabilities. When vulnerabilities are discovered, they need to be fixed immediately.
2: Insiders can be the biggest cyber security risk
Insider misuse is all too common in the hospitality sector. Contributing factors include high staff turnover rates, lack of appropriate security training, easy access to customer payment data, and lack of adequate controls and user behaviour monitoring.
Insider wrongdoing does not always result in a massive data breach. It can take the form of a few individual thefts or many small thefts over long periods of time.
The overall outcome is the same as for external attacks: lasting damage to customer perception and lost trade.
- No matter how much you trust your workforce, make sure access to sensitive data is restricted to individuals who need it to perform their daily duties.
- Monitor user activity — including privileged users – to see if they have tried to access critical files.
- Follow up any suspicious activity, such as multiple failed access attempts, because they could be a sign of insider misuse or hacking of user accounts by attackers.
- Implement a strong password policy.
3: Do not outsource everything
The hospitality industry is a highly competitive one that is always on the lookout for ways to cut costs.
It is hugely tempting to outsource parts of IT to external cloud services, and benefit from reduced hardware/software development costs and eliminating the need to retain a 24/7 in-house IT department.
But organisations who transition their business-critical data to a third party often forget to put strong security controls in place. For example, the 2016 Visibility Report found that as many as 75 per cent of organisations from various industries have no visibility into what is happening to their data in the cloud.
- Before outsourcing any sensitive data to the cloud make sure that data will be remain secure in its new environment.
- Carefully vet the cloud provider, holding them to the same standard as your internal security policies.
- Also implement user behaviour monitoring, strong multi-factor authentication, remote session monitoring and advanced encryption.
- Unless you have these security measures, you are not ready to move your critical data to the cloud.
In summary, hospitality businesses are responsible for all of the customer data they collect. Inevitably, this is a challenge, but there is no need to reinvent the wheel; numerous standards, solutions and best practices are available to help.
A lot of security mistakes happen because changes and anomalies in the network have gone unnoticed.
Use tools that help you stay aware of any abnormal or malicious activity in your IT network and in the cloud. Only by having clear insight into what is happening can you detect threats, minimise the risk of data exfiltration and secure your most valuable assets.
Dr. Alex Vovk, Ph.D has gained an impressive 15-years’ experience in software expertise, leadership and operational management. Prior to Netwrix, he worked at Aelita Software, where he served as the architect for the company’s key technologies. Dr. Vovk holds a master’s degree and a Ph.D in information security.