One phishing attack could expose your entire hospitality network
What's missing from your hospitality training? Regular security awareness training, and that gap puts your organization's reputation on the line.
The hospitality industry is built on highly distributed networks. There are headquarters (HQ), regional hubs, smaller subsidiaries, and a great many franchises operating in the U.S. and overseas.
If a user account at one small property is compromised, the attacker can use it to reach every other property in the chain, and with it the guest information those properties share on the assumption that it is handled securely.
“The hotel industry is one of the most hacked in the world because of the type of data they get, such as driver’s licenses, passports, loyalty information, home addresses, phone numbers, credit card info, flight data, itineraries and more,” said Mathieu Gorge, CEO of VigiTrust, on a recent Cyber Work Podcast. “It is one big playground for hackers.”
How to keep your entire hospitality network secure
Those managing corporate security can't decide that all they need to protect is HQ and the regional hubs. They have to protect every user and every access point across the chain's information network.
Protecting only part of a network accomplishes little when the unprotected part is connected to the rest and can be attacked.
Adding to the complexity of this issue is the dynamic nature of the hotel industry. A property might belong to Marriott one day and be sold to another hospitality chain the next day, and vice versa.
Each chain has different systems, policies and procedures that revolve around its property management systems. There are also distinct payment terminals and methods of taking personally identifiable information (PII) and credit card payments. When a property moves from one brand to another, the transition itself creates an added risk of a data breach.
Cybersecurity in the hospitality industry is essential
Social engineering methods are often used to breach user accounts. Once credentials are compromised, hackers can move into other systems within the connected network.
Some techniques bad actors utilize to gain access to hospitality networks include phishing, spearphishing, business email compromise and others. But keep in mind that cybercriminals are constantly adjusting and developing new tactics.
Once employees learn not to open a scam email or not to click on a particular kind of malicious link, the approach to gaining malicious access changes.
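One way to turn the point above into a concrete check, as an added example that is not from the article or from VigiTrust: given authentication logs from the chain's properties, flag accounts whose credentials succeed at several properties within a short window, or at properties other than the one the account belongs to. The log format, the home-property mapping, the one-hour window and the sample log lines are all assumptions constructed for illustration.

```python
"""Flag a single user account whose credentials are used against systems at
several hotel properties in a short window, or away from its home property.

Added example; not code from the article. The log format, property names,
home-property mapping and one-hour window are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   timestamp,user,property,source_ip,result
# A front-desk account homed at "lakeside" logs in normally, then within
# minutes authenticates at three other properties from an outside address.
SAMPLE_LOG = """\
2024-03-11T08:02:11,frontdesk.lakeside,lakeside,10.20.1.15,success
2024-03-11T08:07:43,frontdesk.lakeside,lakeside,10.20.1.15,success
2024-03-11T08:41:05,frontdesk.lakeside,harbor-view,203.0.113.77,success
2024-03-11T08:42:19,frontdesk.lakeside,hq-pms,203.0.113.77,success
2024-03-11T08:44:51,frontdesk.lakeside,airport-inn,203.0.113.77,success
2024-03-11T09:10:00,reservations.hq,hq-pms,10.10.0.8,success
2024-03-11T09:12:30,reservations.hq,hq-pms,10.10.0.8,failure
2024-03-11T09:15:02,gm.harborview,harbor-view,10.30.2.4,success
"""

# Assumption: each account is "homed" at exactly one property (or HQ system).
HOME_PROPERTY = {
    "frontdesk.lakeside": "lakeside",
    "reservations.hq": "hq-pms",
    "gm.harborview": "harbor-view",
}


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, prop, ip, result = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "property": prop,
            "ip": ip,
            "result": result,
        })
    return events


def find_cross_property_use(events, window=timedelta(hours=1), min_properties=2):
    """Return {user: sorted properties} for accounts with successful logins
    at >= min_properties distinct properties inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            props = {e["property"] for e in evs[start:end + 1]}
            # Keep the largest set of properties seen in any one window.
            if len(props) >= min_properties and len(props) > len(flagged.get(user, ())):
                flagged[user] = sorted(props)
    return flagged


def find_off_home_logins(events, home):
    """Return {user: sorted properties} for any login attempt (success or
    failure) at a property other than the account's home property."""
    off = defaultdict(set)
    for e in events:
        expected = home.get(e["user"])
        if expected is not None and e["property"] != expected:
            off[e["user"]].add(e["property"])
    return {user: sorted(props) for user, props in off.items()}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("cross-property use:", find_cross_property_use(evts))
    print("off-home logins:  ", find_off_home_logins(evts, HOME_PROPERTY))
```

On the constructed sample, only `frontdesk.lakeside` is flagged by both checks; the HQ reservations account and the Harbor View general manager stay within their own systems. In a real deployment the home mapping would come from the identity provider or HR system, and the window would be tuned to how often legitimate staff genuinely work across properties.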
Gorge said regular security awareness training is key to keeping employees sharp and reducing their likelihood of falling prey to the latest phishing techniques.
He noted that the Payment Card Industry Data Security Standard (PCI-DSS) says organizations must be in compliance at all times and train employees on credit card data security upon hire and once a year. But he doesn’t think that goes nearly far enough.
“You need to do a lot more security awareness training than that,” said Gorge. “Most organizations find it to be cost-effective to do e-learning training videos, awareness campaigns and quizzes — yet many organizations still do little or no employee training.”
Handling personally identifiable information in hospitality
One of the biggest challenges for those in the hospitality security industry is people. The security system can be as tight and comprehensive as possible, yet all it takes is one person not paying attention to allow bad actors access to your company's data.
People in hospitality work all hours of the day and night. Employee fatigue is an important issue within the industry.
Imagine approaching a check-in desk where a hotel employee is facing a line of people, an irate guest and several impatiently waiting callers currently on hold. When a person is stretched thin, it is easy to forget known security protocols, allow unauthorized individuals access to a secure system or inadvertently violate security best practices.
If seasoned, well-trained employees have the potential to make such mistakes, what about seasonal staff?
The hospitality industry is, by necessity, a major employer of seasonal staff. Some of these workers start right after the annual security awareness training update, or are allowed to skip security training in the rush to get them covering obvious staffing shortages.
Critical hospitality training topics, such as cybersecurity training, can easily be deferred in such cases.
“Once the staff is recruited, the priority is often to get them operational,” said Gorge. “Security and compliance, unfortunately, are not top of mind.”
Are hotels following secure data collection and privacy regulations?
Data collection and privacy regulations, regardless of industry, are widespread concerns. What does Gorge recommend the hospitality industry adopt to mitigate this worry? The EU’s General Data Protection Regulation (GDPR).
GDPR applies to any organization that processes the personal data of individuals in the EU, wherever the organization itself is located. Major hotel brands dealing with international travelers must therefore take the time to become fully familiar with the finer points of GDPR.
Gorge encourages those hotels outside of the EU to use the GDPR framework to address data protection and privacy, as it is comprehensive.
GDPR requires a data protection impact assessment (often called a privacy impact assessment) for high-risk processing; it maps data flows and analyzes the risks to personal data. From that assessment, the hotel can review the technical controls it has in place and the training it requires, and update policies and procedures as needed.
“With GDPR, you don’t have any consent to use my data unless you tell me what you’re going to do it for and why,” said Gorge. “And in terms of technical security, PCI is the best framework to use because it is super prescriptive.”
Ongoing cybersecurity education is key
Gorge's key takeaway: the importance of training, not only for cybersecurity and IT personnel but for every single person employed.
“Cybersecurity is a great industry because you keep learning, and there’s always a new type of attack, another company that’s been hacked and so on,” he said. “But it is vital to provide all employees with regular security awareness training. Once a year just isn’t enough.”