With hotels, resorts, and other hospitality businesses relying more than ever on technology solutions for reservations, payments, supply chain management, and more, the industry has become a prime target for cybercriminals.
The rigid security measures enforced by banks and financial institutions simply do not come naturally to hotels. After all, the hospitality industry has been, and continues to be, focused on cultivating a user-friendly environment. Fortunately for hackers, this combination is nothing short of a gold mine.
Because so much sensitive data circulates throughout the hospitality industry, including credit card information, personal identifiers, and passport numbers, it makes good business sense to deploy and maintain security standards that conform to industry best practices.
Sensitive Personal Data: Hotels collect and store large volumes of information including credit card details, passport numbers and personal preferences, making them rewarding targets for cybercriminals;
Multiple Points of Entry: From reservation systems and point-of-sale (POS) terminals to guest Wi-Fi networks, hotels have numerous vulnerabilities;
Third-Party Application Providers: Hotels often rely on cloud-based services from third-party vendors, whose data protection measures may not be as meticulous, creating additional vulnerabilities;
Staff Turnover: High staff turnover rates in some hotels can lead to gaps in cybersecurity training and awareness;
Interconnected Systems: The synchronization and interconnectivity of multiple hotel systems opens many vulnerabilities and opportunities that cyber criminals can target and exploit.
Point of Sale (POS) & Fraud: Hotels rely on digital payments to settle transactions, so point-of-sale (POS) systems are a prime target. Malware installed on these systems can steal credit card data, often going undetected for months. Hotels usually have several POS terminals (at restaurants, parking lots, etc.), offering many entry points for hackers to exploit.
Phishing Attacks: As easy as sending an email - these attacks involve tricking staff or guests into revealing sensitive information via fake emails or websites that appear legitimate.
Ransomware: This type of malware encrypts the hotel's data, and hackers demand a ransom to restore access.
Insider Threats: Most hotel staff will have access to onsite and cloud-based systems at one point or another. It's entirely possible for current and former staff to abuse their privileged access to reach customer data or even deliberately compromise hotel systems. Moreover, hotels are known to employ seasonal workers, and some properties have a reputation for quickly turning over staff (for whatever reason), which can make HR and cybersecurity an operational challenge.
Dark Hotel Hacking: Wi-Fi networks are a must-have for modern hotels. Hackers can try to install rogue access points (AP) wirelessly in a secure network, without administrator authorization. As a result, criminals can hack the network from inside the hotel or even from a nearby car.
3 main reasons why cyber criminals prefer to target hotels:
Financial Gain:
As hotels offer more services and stay options for guests, and more ways to pay for these services, they become a de facto repository of sensitive personal information. Cybercriminals are motivated to exploit hotel systems to harvest that information for financial gain.
System Interconnectivity & Exploit Opportunities:
Hackers can breach one regional hotel and access the entire chain’s network. Each hotel provides many potential entry points for criminals including: electronic door locks, Wi-Fi access points, climate control systems, numerous Internet of Things (IoT) devices, and the list goes on.
Human Vulnerabilities:
High staff turnover and seasonal staff deployment can pose security challenges when managing the login access of users at different hierarchical levels and at different points in time. The problem is that one mistake by an unsuspecting employee can jeopardize the whole interconnected chain.
Below are 10 essential things you can do to safeguard your website and the online productivity applications you may use from third-party vendors:
Encrypt Your Data: Secure your website with HTTPS (Hypertext Transfer Protocol Secure) to encrypt data transmitted between your website and users’ browsers, enhancing security and building trust among visitors.
Additionally, use SSL encryption on your login pages to transmit sensitive information, such as credit card numbers and login credentials, securely. Encrypting this data ensures that it remains meaningless to any third party who might intercept it, preventing hackers from accessing your login credentials or other private information.
One password per application: If a site or software is compromised, the hacker has access to all accounts using the same password. That's why it's a good idea to set up a different password for each piece of software, using a password manager.
One login per employee: In a hotel, some software or systems do not allow you to create a separate login for each member of staff. Moreover, not all employees have a personal email address, and many share generic addresses (contact@, info@, reception@, etc.).
However, whenever possible, create one access per employee. Not only will this give you greater control over security, but it will also make it easier to revoke access when an employee leaves: all you have to do is delete the access.
Install a VPN on team laptops: A VPN is a virtual private network that establishes a point-to-point connection between a piece of equipment and a remote site, much like a secure tunnel between the network server and the computer. The information exchanged is encrypted. The VPN can therefore be used to protect a laptop connected to a public or unsecured Wi-Fi network.
Manage access to applications and review credentials regularly: Software administrator rights should not be given to employees who have no use for them, as this is the highest status for modifying items (configuration modification or complete deletion rights).
Giving each employee their own access makes it easy to clean up as soon as an employee leaves the company, without having to reset the password. All you have to do is delete their access from the account.
It may also be a good idea to give a person with administrator rights a second account with fewer rights for everyday tasks that don't require full access.
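The access review described in the "One login per employee" and "Manage access to applications" items can be run against an account export, as in this added example (not code from the original article). The field names, logins, employee IDs and the hotel.example domain are assumptions made for illustration.

```python
# Generic mailbox names the article cites as shared logins.
GENERIC_LOCAL_PARTS = {"contact", "info", "reception"}


def review_accounts(accounts, current_staff):
    """Return (login, finding) pairs for accounts that need action."""
    by_owner = {}
    for acct in accounts:
        by_owner.setdefault(acct["owner"], []).append(acct)

    findings = []
    for acct in accounts:
        login, owner = acct["login"], acct["owner"]
        local_part = login.split("@", 1)[0].lower()
        if owner is None or local_part in GENERIC_LOCAL_PARTS:
            findings.append((login, "shared login: create one access per employee"))
        elif owner not in current_staff:
            findings.append((login, "owner has left: delete this access"))
        elif acct["role"] == "admin" and all(
            a["role"] == "admin" for a in by_owner[owner]
        ):
            findings.append((login, "admin only: add a lower-rights everyday account"))
    return findings


# Constructed sample data: an account export from one application and the
# current staff roster from HR. Field names and IDs are assumptions.
ACCOUNTS = [
    {"login": "reception@hotel.example", "role": "staff", "owner": None},
    {"login": "a.martin@hotel.example", "role": "admin", "owner": "E001"},
    {"login": "a.martin.daily@hotel.example", "role": "staff", "owner": "E001"},
    {"login": "j.doe@hotel.example", "role": "staff", "owner": "E017"},
    {"login": "s.lee@hotel.example", "role": "admin", "owner": "E002"},
]
CURRENT_STAFF = {"E001", "E002"}

if __name__ == "__main__":
    for login, finding in review_accounts(ACCOUNTS, CURRENT_STAFF):
        print(f"{login}: {finding}")
```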
Favour software with multi-factor authentication: Software that manages personal data (of guests or employees) must offer multi-factor authentication to secure access. Two-factor authentication (2FA), a two-step verification process, is the most widely used form. The best-known methods are: a unique code sent by SMS, an authentication application, facial or fingerprint recognition, a security key, etc.
Secure your Wi-Fi network: Never use a personal Internet box for your business, as it doesn't provide a sufficient level of security (in fact, it provides none), both for your own safety and that of your guests. Every user on it is easily reachable by anyone who connects to it, including your in-house workstations. Always rely on Wi-Fi network providers to set up a secure network that allows you to separate connected devices. Remember not to connect printers to the guest network either.
Clearly name your Wi-Fi network: Tell your guests the name of your Wi-Fi network and how to connect to it. Malicious networks can be named after the hotel so that inattentive guests connect to them.
Remember to regularly check the Wi-Fi networks around the hotel to detect those that have usurped the hotel's name (HotelName_GUEST, WIFI_HOTELNAME, etc.).
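The regular check for networks that usurp the hotel's name can be scripted over the results of a Wi-Fi scan, as in this added example (not code from the original article). The hotel name "GrandHotel", the SSIDs and the access-point MAC addresses (BSSIDs) are constructed values standing in for your own inventory.

```python
import re
import unicodedata

# Assumed values (not from the article): take the real ones from your Wi-Fi
# provider's inventory of the hotel's access points.
OFFICIAL_SSIDS = {"GrandHotel_Guest"}
AUTHORIZED_BSSIDS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}
BRAND_TOKENS = {"grandhotel"}  # normalized form of the hotel's name


def normalize(ssid):
    """Fold case, accents, digit swaps and separators so lookalikes collide."""
    text = unicodedata.normalize("NFKD", ssid)
    text = "".join(c for c in text if not unicodedata.combining(c)).lower()
    text = text.translate(str.maketrans("013", "ole"))  # H0tel -> hotel
    return re.sub(r"[^a-z]", "", text)


def classify(ssid, bssid):
    """First-pass triage of one scan result; BSSIDs can be cloned, so an
    'authorized' verdict still deserves a check if the signal looks odd."""
    if bssid.lower() in AUTHORIZED_BSSIDS:
        return "authorized"
    if ssid in OFFICIAL_SSIDS:
        return "same-name-unknown-ap"
    if any(token in normalize(ssid) for token in BRAND_TOKENS):
        return "lookalike-name"
    return "unrelated"


def suspicious(scan):
    """Return the scan rows that need follow-up by the hotel's IT contact."""
    rows = [(ssid, bssid, classify(ssid, bssid)) for ssid, bssid in scan]
    return [row for row in rows if row[2] not in ("authorized", "unrelated")]


# Constructed sample scan: (network name, access-point MAC address).
SAMPLE_SCAN = [
    ("GrandHotel_Guest", "AA:BB:CC:00:00:01"),
    ("GrandHotel_Guest", "02:11:22:33:44:55"),
    ("WIFI_GRANDHOTEL", "02:11:22:33:44:56"),
    ("Grand-H\u00f4tel Free W1Fi", "02:11:22:33:44:57"),
    ("CoffeeShop", "02:11:22:33:44:58"),
]

if __name__ == "__main__":
    for row in suspicious(SAMPLE_SCAN):
        print(row)
```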
Provide regular cybersecurity training: Including cybersecurity in team training is essential. The greatest weakness is human error, so raising awareness is essential to minimize risks and educate employees to be attentive on a daily basis. It is precisely on the most day-to-day tasks, when you are not paying as much attention, that attacks occur.
Regular reminders (e.g. about attack methods or how to detect attempts) help to keep attention focused. It may also be useful to provide training in alert detection and the procedure to follow in the event of suspicion. The first step could be to draw up documentation to provide training in basic cybersecurity techniques.
Practice good habits: It's important to adopt good habits that make cybersecurity an integral part of daily life: always lock your workstation as soon as you leave it, disconnect from tools, deploy password management software within your teams, alert employees who aren't paying attention, keep up to date with threats and intrusion attempts, keep yourself updated on industry news, etc.
Cybersecurity is no longer a luxury but a necessity for the hospitality industry, because the consequences of failure can be catastrophic. The most obvious are a blow to the hotel's brand reputation, negative press, and the time it takes to recover whatever prestige it may have enjoyed. Hotel customers aren't very forgiving and won't restore their level of trust anytime soon.
The interconnectedness of the hotel's tech stack means that a breach in one area can often have snowballing consequences elsewhere. By implementing a multi-layered approach to cybersecurity that takes network security, data protection, and physical security integration into consideration, hotels can establish trust, safeguard their sensitive information, and maintain their reputation.
In sum, continual monitoring, proactive risk assessments, and staying updated with emerging threats are the prerequisites for keeping a robust cybersecurity profile in an ever-changing and dynamic hospitality landscape.