As technology becomes more advanced, so does cybercrime. Maintaining cybersecurity is of critical importance for the hospitality industry, given the sensitive customer data, financial transactions and interconnected systems involved. Hotels sit on a vast amount of confidential guest data, which cybercriminals can use to take over systems and steal identities, passwords and, ultimately, money.
Hospitality is one of the most at-risk industries
A recent report by Accenture showed that just five industries account for more than 60% of all cyberattacks. Travel and hospitality is one of them, with 9% of all attacks targeting this sector. In many ways, data is the company’s most important asset. A breach could have enormous impact on consumer confidence and bookings.
A joint study from Cornell and FreedomPay found that 31% of all retail and hospitality businesses have experienced some form of security or data breach, and that the majority of those – 89% – have experienced more than one attack per year. This suggests that businesses with vulnerable networks or processes are likely to be targeted again.
In order to keep guest and client information secure and encrypted, the hospitality sector must stay ahead of evolving cyber threats. In this article, we cover the latest trends and practices to be aware of.
Social Engineering Threats
Cybercriminals use social engineering to manipulate individuals, such as tricking staff members or guests into revealing their information or clicking malicious links.
Ransomware is a type of malware that is designed to encrypt a victim’s data and demand payment in exchange for the decryption key.
In 2017, the Austrian hotel Romantik Seehotel Jaegerwirt was locked out of its computer systems by a ransomware attack. Its keycard system was disabled, preventing guests from accessing their rooms, and its reservation system was taken offline. In this case, the hotel paid the ransom of $1,600 (two Bitcoins) to recover access to its systems.
Phishing is a very common social engineering attack and occurs mainly via email. These emails seem to come from a trusted source to trick you into clicking a link, transferring money or providing personal information.
Nordic Choice Hotels, a chain with more than 200 hotels across Scandinavia and the Baltic countries, was still dealing with technology problems and the fallout from a data leak several months after a December 2021 ransomware attack. An investigation found that hackers had infiltrated Nordic Choice’s systems 36 to 48 hours before launching the attack through a phishing email that appeared to be sent by a tour operator in frequent contact with the company.
Spear phishing is a variant of phishing, a hacking technique that involves tricking email recipients into clicking on malware-containing links or downloading malware files. Spear phishing uses impersonation to make the phishing emails harder to detect. Spear phishing emails might appear to come from coworkers or friends, and spear phishing is the prime delivery vehicle for ransomware.
In the hospitality industry, ‘DarkHotel’ is targeted spear-phishing spyware that attacks high-profile business customers through the hotel’s in-house Wi-Fi network. Most hotels now include free Wi-Fi, but it is a mistake to assume that your data is secure simply because you have connected to the hotel network. Infiltrators trick the victim into downloading and installing a file that pretends to be an update for legitimate software, such as the Google Toolbar, Adobe Flash or Windows Messenger. The victim installs what looks like a routine update offered over the hotel network and instead infects their device with DarkHotel’s spyware. To minimise this risk, guests should avoid updating software or opening files when not on a trusted network, and it is sensible to bring antivirus software up to date before leaving home.
In a ‘watering hole attack’, cybercriminals compromise your hotel website by injecting malware. This means that when guests use the website, their devices could be infected too.
Internet of Things Security
The Internet of Things (IoT) has the potential to transform the hospitality industry by profoundly altering how hotels, resorts, cruise ships, casinos, restaurants and other leisure service businesses gather data, interface with users and automate processes.
IoT devices are increasingly being used in hotels for guest amenities, energy management and other operational purposes. IoT can play an important role in ensuring the highest level of security at hotels, as smart locks and security solutions can detect any suspicious activities and unauthorised movements.
However, the proliferation of IoT devices also introduces new security risks. Because the many networked devices and sensors in the IoT lead to a corresponding abundance of potential attack vectors, security is critical for mitigating risks of cybercrime.
Hospitality businesses need a network infrastructure that securely handles vast flows of data and is also simple to manage and operate. An expert IT service provider like Securus can help implement robust IoT security protocols, for example, network segmentation, strong authentication mechanisms and regular firmware updates, to protect against potential IoT-related vulnerabilities and breaches.
Human error remains one of the leading causes of cybersecurity incidents. Hospitality organisations need to prioritise employee training and awareness programmes that educate employees about cybersecurity best practices, such as recognising phishing attempts, enforcing minimum password strength together with two-factor authentication (2FA) and reporting suspicious activities promptly.
Cybercrime can originate from employees, either intentionally (exploiting their authorised access to steal sensitive information, install malware or delete files) or unintentionally (for example, an employee leaving a computer unlocked or failing to follow security procedures, resulting in a security breach).
The hospitality industry experiences extremely high turnover rates, and this can pose a serious cybersecurity threat. Employees could take sensitive data with them when they leave, or retain access to hotel systems and data. To avoid data breaches or other security issues, hotels must mitigate the risk when employees leave by immediately disabling their system access, and must also ensure that system access is limited to what each role needs in the first place.
Hospitality businesses often rely on third-party vendors for their services, including payment processing, reservation systems and guest Wi-Fi. Third-party contractors can also pose a risk, especially if they do not follow security protocols. Comprehensive vendor risk management programmes should be deployed, conducting thorough due diligence on vendors’ security practices and incorporating stringent contractual obligations to ensure the security of customer data and systems.
Regular training sessions and comprehensive penetration testing, such as simulated phishing exercises, should be employed to improve overall security awareness. In addition, it’s important to create an internal security policy, offering defined roles and responsibilities and creating a security-first culture.
Data Protection and Privacy
With the implementation of regulations like the General Data Protection Regulation (GDPR), data protection and privacy have become significant priorities. Organisations must focus on securing customer data, implementing robust data encryption and adopting strict data retention and deletion policies to ensure full data security and compliance.
Cloud computing offers scalability and flexibility, making it an attractive option for the hospitality industry. However, securing cloud environments is crucial, and hospitality businesses must adopt advanced security measures like encryption, multi-factor authentication and regular vulnerability assessments to protect data stored in the cloud and secure cloud-based applications.
Payment Card Cybercrime
The popularity of payment cards has led to card data theft, a common crime with immediate monetary benefits for the cybercriminal. Point-of-sale (PoS) malware is designed to steal the data stored on payment cards’ magnetic stripes, so that attackers can clone the cards and charge the accounts connected with the victim.
Other forms of payment card attack include Man-in-the-Middle (MITM) attacks (where cybercriminals intercept and alter the communication between the hotel and the payment processor, stealing payment information in the process) and skimming (where hackers use a small electronic device attached to a card reader to steal payment details).
One of the best ways to protect guest and client data is to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance. This is a requirement for all businesses that handle payment card data and ensures the organisation taking credit card payments complies with a stringent set of rules and regulations. There are many tasks and processes that go into becoming and staying compliant, including:
- Creating an internal data security policy
- Creating a cyber incident response plan
- Performing regular penetration testing for risk assessment
- Implementing an employee-wide security awareness programme
Endpoints, including hotel computers, PoS systems and mobile devices, are common targets for cyberattacks. Hotels need to adopt advanced endpoint protection solutions that detect and block threats at the device level. These solutions keep track of who has accessed data, as well as what changes were made, and often combine antivirus capability with firewalls, anti-malware, Virtual Private Network (VPN) data encryption and Data Loss Prevention (DLP).
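The PoS malware and DLP points above come together in one defensive check: scanning strings recovered from a PoS log or process memory for magnetic-stripe (ISO/IEC 7813 track 2) data and bare card numbers, using the Luhn check to filter out digit runs that are not PANs and masking anything found before it is written to an alert. This is an added example, not Securus code or any product's logic; the sample lines and the `4111…`/`5555…` test numbers are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# ISO/IEC 7813 track-2 layout: ';' PAN '=' YYMM service-code discretionary '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# Bare 13-19 digit run that is not embedded in a longer digit string.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_valid(pan: str) -> bool:
    """Mod-10 check every payment card PAN passes; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI DSS masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Finding:
    line_no: int
    kind: str          # "track2" (full stripe dump) or "pan" (bare card number)
    masked_pan: str
    expiry: str = ""   # YYMM from track 2; empty for bare PANs

def scan_lines(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        covered: List[Tuple[int, int]] = []
        for m in TRACK2_RE.finditer(line):
            if luhn_valid(m.group(1)):
                findings.append(Finding(n, "track2", mask_pan(m.group(1)), m.group(2)))
                covered.append(m.span())
        for m in PAN_RE.finditer(line):      # bare PANs outside any track-2 hit
            inside = any(a <= m.start() < b for a, b in covered)
            if not inside and luhn_valid(m.group()):
                findings.append(Finding(n, "pan", mask_pan(m.group())))
    return findings

# Constructed sample strings, as a DLP agent might pull from a PoS log or process
# memory. PANs are the public 4111... and 5555... test numbers, not real cards.
SAMPLE_LINES = [
    "2024-03-01 12:00:01 pos-term-07 txn ok ref=88213",
    ";4111111111111111=2512101123456789?",
    "order 4111111111111112 batch 17",       # fails Luhn: a reference, not a PAN
    "refund to card 5555555555554444 approved",
    "guest wifi lease 10.10.4.27 expires 3600",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.kind} {f.masked_pan} exp={f.expiry or '-'}")
```

A track-2 hit in memory of a PoS process that should only ever hold tokenised data is a strong indicator of scraping malware, whereas a bare PAN in a log is more often a process failure that still breaks PCI DSS.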
Despite robust preventive measures, cyberattacks may still occur. Hospitality organisations need to focus on proactive threat intelligence and monitoring to identify and mitigate cybersecurity risks early, ensuring business continuity.
Methods to avoid breaches include maintaining PCI DSS compliance, implementing physical security measures, providing cybersecurity awareness training for employees and implementing a robust internal security policy.
From anti-malware, anti-phishing, protection against SEO poisoning and 2FA to SASE and cloud-based air-gapped immutable backup storage, Securus has a security solution to suit your requirements and budget.
To find out more, call us today on 03451 283457.