Laurie Graham, Cyber Intelligence Director at technology consultancy 6point6, pictured, writes of how the hospitality industry can ensure it’s match-fit.
In recent years, high-profile breaches of major hospitality companies have made headlines, with the likes of British Airways and Marriott International facing fines totalling £282m for cyber incidents in 2018 alone.
During the current coronavirus climate, all industries are at risk of cyber-attack as criminals typically take advantage of chaotic events to obtain valuable data, and the hospitality industry is no exception.
Whilst business leaders may have a focus on the immediate survival of their companies, regulators and attackers aren’t going away, meaning cyber security can’t be ignored as something to do later. As such, business leaders must consider how to best protect their companies now and for the future. There should be an industry-wide initiative to ensure both SMEs and large hospitality companies receive the support they need to develop robust cyber strategies. Meanwhile, there are some clear steps companies can take to begin their cyber journey and ensure they are match-fit for the future once the global pandemic is over.
The lure of rich data
Historically, the most common industries targeted by hackers were those that handled large sums of money regularly, such as the financial services or the public sector. However, over the past decade, the hospitality industry has also become a prime target.
Luxury resorts and hotels host millions of high net-worth individuals who make the perfect focus for cyber criminals. Hospitality is also rich in data and presents an increasing number of access points for hackers to take advantage of through the growing use of technology. For instance, hotels gather the data of millions of customers who use and connect their devices, including mobile phones, tablets and laptops, to networks within the premises. Hackers also harvest banking details through card payments.
The vulnerabilities of the industry
Hotels have evolved into complex, widely inter-connected digital environments, as market competition drives companies to deliver the most innovative digital experiences to their customers. Hotels also run a huge number of endpoints and remote connections, with Wi-Fi systems, alarms and electronic doors all forming common features in most. Cybercriminals can gain entry at all these points.
Hotel computer systems are also in regular use from numerous terminals, manned by employees who are not trained IT staff able to deal with large-scale cyber attacks. Many hotels are also hampered by legacy systems and out-of-date software, while lots of large-scale breaches have come from attacks on hotels’ Point of Sale (POS) systems and other external vendors. What is more, individual hotels are also often connected to the company’s national or international network, so only one hotel needs to be breached for the company to haemorrhage large amounts of its data. The data such hotels store is also vast and often goes back years, including payment information, contact details, and even passport data in some cases.
Many organisations might not even know what their risk appetite is, or what cyber threats their business is exposed to. Consequently, companies must carry out a cyber maturity assessment to discover the company’s vulnerabilities. When these weaknesses are located, a tailored strategy can be put together to improve cyber security for these areas.
Penetration testing can also be carried out. This is a cost-effective way of understanding how exposed your business is to a cyber attack. Experts can identify security vulnerabilities across the business and exploit them in a controlled manner to show the impact this would have on the business. This helps companies learn how to minimise the effects of these risks, evaluate how exposed assets are and take steps to defend vulnerabilities.
Plan for incidents
A cyber security strategy must include planning for Business Continuity and Disaster Recovery, to prepare for any possible incidents that could affect the business, as the current situation with Covid-19 demonstrates. A large-scale data breach is likely to affect business operations, as well as the company’s reputation, particularly if customer data is obtained. Positioning a cyber security leader within the business can be crucial in creating a proactive policy to deal with such an incident, where they are able to reassure customers and move to protect the company’s reputation.
The need for a risk management approach
Businesses must empower a Chief Information Security Officer (CISO) with the authority to carry out real change and ensure a consistent approach to risk management. Strong governance is likely to lower costs, since incidents will decrease. In addition, the CISO function creates the required evidence to back up any investigation that will take place in the event of a data breach.
Although cyber incidents cannot always be prevented, the number and scale of such attacks can be driven down if the CISO function is operating successfully. This will also prove to the Information Commissioner’s Office (ICO) or other regulatory bodies that the company has been observing correct procedure, thereby reducing or removing any fine levied if a breach occurs.
In an increasingly innovative and fast-paced environment, cyber security often lags behind. Regular penetration testing and robust cyber security strategies are needed to understand security weaknesses and defend against them. This, in conjunction with the education of employees and customers about security measures, can help keep the hospitality industry safe moving forward, and ensure businesses are in the best possible position to compete once the Coronavirus pandemic is over.