Shifting the cybersecurity approach in the hotel sector to one of prevention rather than recovery

Posted by John Kennedy on Apr 30, 2019 7:29:22 AM

While businesses in the hospitality industry don’t have the same volume of transactions as sectors like retail, they collect substantially more personal data per customer, and the transactions are generally larger.

The hospitality sector and cybersecurity

Since the introduction of the GDPR in May 2018, hospitality companies have faced a changing regulatory landscape designed to heighten responsibility by threatening fines, and many are reconsidering their cybersecurity strategy.

Operators need to understand their vulnerabilities, as well as how to identify threats to their guests, property and data.

The rich personal data generated by guests is invaluable to cybercriminals as they look to combine it with information collected through social engineering and other sources for personal identity theft or to try to infiltrate and disrupt a business.

In 2017, for example, Holiday Inn parent company InterContinental Hotels discovered a breach lasting three months and affecting 1,200 properties.

The most recent, and one of the largest, attacks was the Marriott International breach, which was an attempt to access the Starwood guest reservation database in the United States in November 2018. In this breach of the Starwood customer database, information was accessed on up to 500 million guests who had made a reservation at a Starwood property.

While hackers continue to gain access to hotel systems, the cybersecurity effort continues to be one of chasing attackers and securing compromised systems, blocking them from identical modes of attack.

The hospitality sector is as likely as any other to make the common mistake of thinking that an individual hotel as a business is too small to be considered a target for a cyberattack.

Whether an owner has one hotel or is part of a large network of hotels, when it comes to cybersecurity there is a lack of investment and of expert knowledge on how to manage the risks or spot the threat of an attack.

It is exactly this type of vulnerability that makes hotels an ideal target for cybercriminals looking for the “weak link” to allow them to attack an unprotected network or try to access a much bigger system that a hotel may be connected to.

The majority of cyber attacks are automated and indiscriminate, exploiting known vulnerabilities within hotel and supplier IT systems.


So, why hotels?

In short, hotels collect a lot of personal information, more than many other business sectors, and that information is typically held at multiple locations and in an electronic format.

The hospitality sector has many variables that make it difficult for operators to manage and protect against cyberattacks.

Many are managing hotels across multiple locations that have porous perimeters, with multiple points of entry into a hotel’s IT system and infrastructure.

And with the drive to reduce costs, operators have taken on far more third-party vendors with network access to undertake tasks ranging from managing back-of-house admin and guest-facing services using the cloud to hotel operating systems.

And those systems tend to be in constant use throughout the hotel, managing guests, vendors and ongoing hotel operations. A particularly common point of entry for a cyberattack has been through external vendors providing services to the hotel, such as POS for credit card payments.

The hospitality industry as a whole has been slow to invest in and keep pace with new technology. The priority of many hotel operators has been to hold operating costs to a minimum and put off new investments.

Today hotels are in the business of using data to understand trends, forecast business, manage and optimise revenue and personalise the services they offer guests. So, personal data and business intelligence have become the fuel that runs a hotel’s revenue engine.

In the 2018 Verizon Data Breach Report, analysis of more than 53,000 confirmed security incidents and more than 2,200 data breaches globally (that were officially reported) showed evidence of a growing number of hospitality companies being targeted.

So, to prevent a breach, what are some of the areas a hotel needs to focus on to keep its guests, staff and operation safe?

The digital challenges

In 2019, pretty much everyone and everything is online, always connected, in an environment that can be easily exploited because of a lack of security and oversight.

Hotels now rely heavily on technology, from marketing, the facilitation of online bookings and Point of Sale (POS) systems to the more recent advent of cloud services and the Internet of Things (IoT).

Smart technology

A hotel is a 24-hour, 7-day-a-week operation, with computer systems and software in constant use across numerous terminals and devices throughout the hotel.

A hotel’s operating system is typically made up of a number of different endpoints and remote connections to manage the HVAC controls, Wi-Fi, alarms, lighting, security cameras, entertainment systems and electronic doors, all connected and controlled over the network.

Each of these smart devices provides cybercriminals with an entry point into a hotel’s network. In a larger hospitality business, the risk is that a cybercriminal needs access to just one hotel to then be able to compromise an entire network.

Legacy systems

Many hotels continue to use legacy systems and have been slow to patch or update the technology they use to ensure it is protected.

One major reason why computer systems and networks become insecure is that the technology itself has become outdated. Computers that are too old and should have been decommissioned may still be left in service, and it can become difficult to properly secure them.

Employee focus

The cyclical nature of the hospitality business means that many employees are on short-term contracts, or are new starters, agency personnel or part-timers, who need to be on-boarded and then removed from systems when they leave.

That means key staff who interact with computers and hotel systems are unlikely to have had adequate cybersecurity training or to have a full understanding of the consequences of their actions.

Cybersecurity cannot be achieved without addressing the human factor, and many data breaches can be traced to human causes.

And even when systems have been designed to minimise risks, a hotel is vulnerable to a single point of failure such as a member of staff using their own personal devices at work or clicking on a link in a phishing email that may open the door to a cybercriminal.

How can Worktools help?

The Worktools Cybersecurity managed service plans utilise the latest in advanced cybersecurity technology. Monitored from our Security Operations Centre, they offer sophisticated protection for your business from all known types of cyber threats.

Let us help you look after your data, your reputation and legal compliance.

Worktools will undertake an initial security assessment and implement an appropriate plan that ensures your employees, internal data and guest data are secure, both locally and through remote access. We can also help create your cybersecurity response plan so your employees know what to do in response to an incident.

Take a tour of the Worktools Managed Service plans, and contact us to learn more about how we can help protect your business from the ever-increasing threat of cyber crime.

Topics: Data privacy, small business, cybersecurity, Hospitality
