
Hotel Cybersecurity: Common Threats and Mitigation

Hotels collect and store a ton of highly sensitive and valuable information, ranging from financial records to credit card details to the personal information of employees and guests, making the industry a lucrative target for hackers. In recent years, there have been a handful of data breaches impacting large hotel chains, such as the Marriott, Ritz, Hyatt and just last month, the Intercontinental Hotels Group (IHG). These breaches have drawn attention to the unique risks hotels face, which has resulted in greater investment in cybersecurity tools and best practices by larger chains. However, smaller hotel chains with lower IT budgets have been slower to adopt industry-standard best practices and tools. Understanding the risks and implementing strong cybersecurity is critical in protecting a hotel’s business from ever-evolving cyber threats.

Common Threats in the Hospitality Industry
Hotels are vulnerable to a range of cyber attacks, the three most common being ransomware, email phishing, and Point of Sale (POS) attacks. Ransomware is a type of malware that infects users' computer systems, takes control of the hotel’s network and prevents users from accessing the data stored on it. The victim usually receives a blackmail note by pop-up, instructing them to pay a ransom to regain full access to the system and files.
Another common type of cyber risk at hotels is email phishing and spear phishing. Email phishing is an attempt to acquire sensitive information such as usernames, passwords and credit card details by pretending to be a trustworthy contact. Emails appearing to be from popular companies are sent to lure the unsuspecting user. Unlike bulk email phishing attempts, spear phishing attacks are highly targeted attacks that appear to be from a senior leader and generally include an urgent request to process a transaction.
The likelihood of a successful email phishing or spear phishing attack increases in workplace environments where team members share accounts, a practice known as credential sharing. Unfortunately, sharing user accounts is practiced at hotels to reduce costs, but it substantially increases the risk of a compromise by an external threat actor and should be avoided.
The hospitality industry has the second-largest number of cybersecurity breaches after the retail sector. (PwC's Hotels Outlook report 2018-2022)
POS attacks are also very common at hotels, and while POS security is generally the responsibility of a third-party vendor, POS systems offer many entry points for hackers and must be protected with the highest level of data security. Once malware has found its way into a POS system, hackers can steal unencrypted clear-text credit card numbers and customer names. According to experts, POS data breaches are the “single biggest” cyber threat to the hospitality industry.
The Marriott Breach 
Mathieu Gorge, CEO of VigiTrust, shares why hotels are at risk, highlighting the June 2022 Marriott International data breach. While the breach wasn’t necessarily massive, it garnered a lot of attention because of previous incidents that affected millions of people. It might come as a surprise to some, but these attacks actually happen frequently to hotels because of the type of data that is collected: addresses, payment information, driver’s licenses, passport details and more.

“This breach highlighted the distributed makeup of hotel groups, where you have headquarters, regional offices and individual properties. In this situation, a small property was hacked, but with it being connected to all of the others, the overall group reputation is put at risk. So, you have to develop a strategy that protects at all levels.” Mathieu Gorge, CEO of VigiTrust
How can Hotels Mitigate the Cyber Risks? 
  • Comply with PCI standards across all card readers, networks, routers and servers.
  • Partner with a Managed IT Service Provider (MSP). An MSP will provide layers of IT security, including anti-virus, Managed Detection and Response (MDR), software patching, managed backup and much more. Choose an IT vendor that adheres to security frameworks like the National Institute of Standards and Technology (NIST 800-53) and CIS Controls V8.1, which outline how organizations can prevent, detect and respond to cyber attacks, and the MITRE ATT&CK Matrix.
  • Invest in employee security awareness. The human firewall is often overlooked as an important part of a hotel’s cybersecurity strategy. High employee turnover at hotels poses further challenges to maintaining security awareness. However, given the volume of personal information collected at hotels, employees should be aware of common types of cyber threats, like email phishing and how to handle personal information. New employees are particularly susceptible to phishing and social engineering attacks.
  • Develop Protocol/Process: We often uncover a lack of protocol when investigating cyber incidents at hotels. For instance, if a shared account gets compromised, a business continuity disaster recovery plan needs to be in place. Even simple processes around verifying suspicious requests can help prevent cyber incidents. We recommend all hotels implement a process for verifying requests that involve financial transactions and implement a “zero trust” security framework. 
  • Cybersecurity insurance is not optional. Cyber attacks can result in expensive data breaches, downtime and lost business. A cybersecurity policy will offer your hotel third-party coverage against losses to customer systems and data, and first-party coverage for losses resulting from a compromise.
  • Develop a business continuity and disaster recovery plan. Despite the best protections your hotel may have in place, if you are faced with a data breach, a solid plan can help mitigate damage to your hotel’s reputation and reduce overall downtime.
The hospitality industry has emerged as an attractive target for cyber criminals. Understanding the risks and investing in a multi-layered cybersecurity solution with the strategic guidance of an MSP is your best defense. However, no strategy is a ‘set and forget’ solution; it is an evolving plan that is reviewed and renewed over the years.