
Verify First, Trust Later

A zero-trust IT policy can help hotels mitigate their technological vulnerability, while augmenting overall protection and enabling smart segmentation of data

As if the blow dealt by the pandemic was not hard enough, hotels are dealing with a growing threat from cybercriminals. A data leak could damage their reputation in addition to causing serious financial loss. Guests would hesitate to revisit hotels that failed to protect sensitive information, including their names, surnames, ID numbers, credit card details and addresses.

According to a recent Akamai report, the hospitality, travel and retail sectors are being bombarded with malicious cyberattacks: 63 billion credential-stuffing attacks and four billion web application attacks hit these industries in the past two years. Cybercriminals especially target loyalty programmes, which are a potential goldmine for them.

“Some top loyalty programmes targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources,” said Steve Ragan, Akamai Security Researcher and the report’s author.

This April, the Mira Bhayandar-Vasai Virar crime unit busted a pan-India online racket involving the booking of suites in five-star hotels. The criminals used stolen credit card data, which they sourced from the dark net.

According to Munish Pande, IT Head, Roseate Hotels & Resorts, the pandemic has presented unscrupulous cybercriminals and state actors with a new and topical leverage to increase the profitability of successfully exploiting their targets through fear and misinformation. “Thousands of new potentially suspicious domains are created daily and there has been a large shift towards phishing campaigns exploiting the public’s thirst for information related to the pandemic,” he noted.

Furthermore, as many hospitality organisations switched to remote working last year, employees were forced to use personal computers and mobile devices over poorly secured home networks. These devices and networks often lack the same levels of security that corporately managed devices have, which opens up a new attack surface for cybercriminals.

With the rising use of personal devices, a hotel’s IT team had to shift gears quickly to protect critical internal business data. Gaurav Varshney, Assistant IT Manager at Crowne Plaza New Delhi Mayur Vihar Noida, recommends combining smart access management with multi-factor authentication methods such as biometrics, smart single sign-on (SSO), grid cards and one-time passwords (OTP). This ensures that applications and resources are accessed only from devices issued by the organisation.

“Currently, we use only those remote applications that are prescribed by IHG i.e. IHG Bomgar and Cisco Webex. Both these remote applications are secure and require multifactor authentication to install and gain access to another person,” he added.

GOING WITH THE FLOW

The recent curfews and lockdowns have highlighted that remote working is here to stay, even in the hospitality sector. This extends to their internal staff as well as guests who check into hotels for workations, staycations or even during quarantine.

Every company has its own policies and guidelines to restrict users from operating personal devices for organisational work. However, if guests need to use personal devices under certain circumstances, the company’s IT department should seek assistance from a hotel’s cyber security expert to create a security layer and secure their system and data.

Pande suggests that organisations look at securing Secure Sockets Layer (SSL) keys inside Hardware Security Modules (HSM). “Moving to cloud is another solution and implementing Zscaler cloud security and gateway is a must these days. The messaging platform, too, should have robust security features, which strike a balance between convenience and protection along with a built-in encryption system,” he pointed out.

Hotels can add other basic, but critical, cybersecurity practices. These include updating systems regularly with security patches, avoiding connecting unsafe external USB devices, disallowing access to personal social media on business devices, and turning off the network discovery function, webcam and microphone when not in use.

SELF HELP IS BEST HELP

Varshney suggested that hotels should also educate their employees about identifying phishing emails by scrutinising sender addresses and looking for incorrect spellings, grammatical errors and typing mistakes in the email body or address. To avoid phishing problems, Hyatt Regency Chennai uses software such as BrandShield Anti-Phishing and Microsoft Office 365 Advanced Threat Protection.

Moreover, staffers should be trained on the pitfalls of disclosing any sensitive personal or business information over unauthorised apps or browsers. “It is the IT team’s responsibility to ensure that employees use updated antivirus, browsers and operating systems that have the latest patches. This will close any security loopholes that hackers could use,” Varshney advised.

While employees do their bit, the onus is equally on the IT team. They need to configure firewalls and routers to reject bad traffic, keep these devices updated with the latest security patches, and block known malicious IPs. Moreover, they need to review and upgrade inbound and outbound firewall rules.

It is just as imperative to ensure that all business data backup files are updated regularly in brand-specific IT tools. Rajan Pandey, IT Manager at Hyatt Regency Chennai, added that only licensed and authorised software should be used, as it will help plug any security loopholes used by hackers. “It is also important to install antivirus across all the systems including servers, laptops, desktops and POS workstations. We should review running services on the servers as well as on users’ systems.

On discovering any discrepancy, the management should certainly be briefed and then further share it with cyber security experts for review,” he recommended.

KEEPING THE VIRTUAL EYES PEELED
While the IT team keeps user systems updated with the latest security patches, they should avoid sharing administrative passwords or permissions. Pandey recommended that hotels should be Payment Card Industry Data Security Standard (PCI DSS) compliant across all card readers, networks, routers and servers.

They should monitor all PCI DSS control points regularly; for instance, conduct monthly audits of all EDC card machines together with Finance Accounts Receivable. “The IT team should coordinate with the hotel’s cyber security team to explore vulnerabilities in the network and resolve this every week,” he advocated.

For a while now, cybersecurity experts have been urging companies to adopt a ‘Zero Trust Security’ policy. This requires all users, even those inside the organisation’s own network, to go through authentication and authorisation before getting any access. It leverages technologies including multi-factor authentication as well as identity and access management. According to experts, given that 80% of attacks originate from internal sources, this approach can bring down their incidence.

Pande rooted for this approach, since it reduces a hotel’s vulnerability and strengthens its data protection, combining a good security composition with smart segmentation of data through a strong policy for user identification and access. Varshney seconded his opinion.

Elaborating on it, Pandey stated that hotel employees have limited technical knowledge or information regarding cybercrimes. A zero-trust security policy is, therefore, required, highlighting the dos and don’ts. “This should be part of the process of a new recruit’s orientation, while the IT head should initiate and conduct a training of Data Security and PCI DSS for employees to gain knowledge about it,” he stated. He added that external devices like laptops and storage devices should not have authorisation within the network, and the IT and finance departments should conduct surprise audits every month.
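The “verify first, trust later” rule the experts describe can be written down as a deny-by-default access decision: identity, second factor, organisation-issued device and data-segment entitlement are each checked on every request, and being inside the corporate network grants nothing by itself. The block below is an added illustration, not code from any hotel, brand or vendor named in the article; the roles, data segments, device IDs and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Added illustration of a deny-by-default ("verify first, trust later") access
# decision. Roles, data segments and device IDs are constructed assumptions.
SEGMENT_ROLES = {                                   # which roles may reach which segment
    "guest-pms": {"front-desk", "it-admin"},        # guest names, ID numbers, addresses
    "cardholder-pos": {"finance", "it-admin"},      # PCI DSS scope: card data, POS
    "loyalty": {"front-desk", "marketing", "it-admin"},
}
# Devices the hotel issued and manages; anything else counts as an external device.
MANAGED_DEVICES = {"LT-0042", "LT-0107", "POS-03"}

@dataclass
class AccessRequest:
    user: str
    role: str
    device_id: str
    authenticated: bool   # password or SSO check succeeded
    mfa_verified: bool    # OTP, biometric or grid challenge passed
    segment: str
    network: str          # "corporate", "home" or "guest-wifi"; logged, never trusted

def decide(req):
    """Return (allowed, reason). Every check must pass; location grants nothing."""
    if not req.authenticated:
        return False, "identity not authenticated"
    if not req.mfa_verified:
        return False, "multi-factor authentication not satisfied"
    if req.device_id not in MANAGED_DEVICES:
        return False, f"device {req.device_id} is not organisation-issued"
    allowed_roles = SEGMENT_ROLES.get(req.segment)
    if allowed_roles is None:
        return False, f"unknown data segment {req.segment}"
    if req.role not in allowed_roles:
        return False, f"role {req.role} may not access {req.segment}"
    return True, f"{req.user} ({req.role}) on {req.device_id} via {req.network}"

# Constructed sample requests; the second comes from inside the corporate network
# but from a personal laptop, and is refused regardless of location.
SAMPLE_REQUESTS = [
    AccessRequest("asha", "front-desk", "LT-0042", True, True, "guest-pms", "home"),
    AccessRequest("ravi", "finance", "PERSONAL-MAC", True, True, "cardholder-pos", "corporate"),
    AccessRequest("asha", "front-desk", "LT-0042", True, True, "cardholder-pos", "corporate"),
    AccessRequest("meera", "it-admin", "LT-0107", True, False, "loyalty", "corporate"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:   # one audit line per request, so denials can be reviewed
        allowed, reason = decide(req)
        print("ALLOW" if allowed else "DENY ", req.segment, reason)
```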

While this looks like a utopian virtual environment, there are reasons why many companies have not embraced it openly. For starters, it takes a lot of time and effort to set up, with increased involvement of various users and their devices. Moreover, it can spiral into complicated application management that requires deep-diving into careful data security.

Varshney explained, “It will be strenuous for users to perform daily technical tasks when we restrict the network. However, with regular training we can help them comprehend the use of trusted processes. Organisations are encouraged to contract with trusted paid services such as Microsoft OneDrive to save backup data.”

WISE UP TO VPN

As remote working becomes the de facto business standard, IT experts recommend deployment of next-generation identity and access controls. However, are hotels willing to invest in these in current times, when business prospects are uncertain at best?

Pandey agreed that the current situation is not favourable for most hotels to spend heavily. However, some investments are unavoidable, such as investment in data security. Otherwise, at the end of the day, the organisation can lose far more than the investment would have cost.

Varshney also pointed out that next-gen identity and access control are good investments as they improve security while reducing IT costs. “In current time, when hotel business is just picking up, they need to invest in necessary solutions that ensure ease of operation and reduce cost.”

Citing an example, he explained how Crowne Plaza New Delhi Mayur Vihar Noida has integrated the Rapid7 management console into its network to monitor the patch status of all systems and servers on the network. “This solution gives notifications to uninstall all obsolete versions of software like Adobe Flash Player or Adobe Reader and to update to the latest version of software, i.e. Java JDK or Google Chrome versions. Also, our hotel has updated malicious IPs in its firewall configuration, so that unnecessary traffic is blocked,” he stated.

Pande suggested that hotels have their framework, pre-deployment strategies, processes and procedures reviewed to fill any gaps. This could include the live kitchen camera, contactless and online ordering, or a review of ISO 27001 and PCI DSS standards in their systems.

Cyberattacks are a serious concern for the hospitality industry, especially when business is limping back to normal. However, with a little help from their IT experts, hotels can devise a proper plan that plugs security holes to protect their guests and their internal assets.