Your Weakest Link in Data Security? Your Employees
Why the people inside your business are your biggest threat, and how to train them to better protect your guests' data
By James Lefcakis President, LEFCON, LLC | November 01, 2020
No matter the industry, there are a few things that remain constant. Data is represented in 0's and 1's, and can be transmitted over a little wire into the back of the computer, or a cool fancy Wi-Fi connection on a network labeled "ADMIN ONLY" or "BACK OF HOUSE NETWORK". What we call our "secure network" is only a click away from being exposed by someone in a department within the hotel just trying to do their job. This could come from a housekeeping staff member shopping for vacuum bags or a senior sales associate confirming a group reservation via email.
It's never our associates' intent to be the threat; it's just a factor of our business. Consider the home security analogy: you spend hundreds if not thousands of dollars on a security system for your home (cameras, alarms, apps, etc.), yet when someone knocks on your front door, you tend to open it, and sometimes you let that person right in. That's how security is put at risk in hospitality: we kindly open our doors to strangers in many different ways. We spend thousands of dollars on PII/PCI and data security, and we may not know what it all means.
It's also easy to think of this issue from the heart of a hotelier. This is an industry of people who are pre-conditioned to help. If a client asks us to click on a link to help them plan an event, if a guest needs the front desk to click on a link to receive payment, or if an associate sees a note from a person they trust asking them to do something, all of these are opportunities for a scam. Hospitality is not an industry that questions before it helps; it just helps. This is both what makes the industry so special and what puts it so at risk. And no one is immune: in 2019, 65 percent of organizations in the United States experienced a successful phishing attack (Proofpoint 2020).
It's easy to assume that only the larger hospitality companies receive regular threats to their data security. But the further you dial into individual properties, specifically unaffiliated independents, the greater the risk that your own associates will not know how to handle a data threat. Scam artists know that line-level associates are often overlooked, while corporate systems, finance and operational managers are trained to recognize larger dangers. The more people in your company, no matter how large or small it is, who are trained in compliance and Safety Awareness Training, the safer your data will be.
Compliance training for all associates can seem costly up front. Oftentimes hotels will choose to train only a portion of their employees to save incremental dollars. But before you cut back on training associates, consider who actually interacts with data. It's not just the front desk and the sales team: your housekeeping staff needs to access the system to check in rooms, your director of finance has purchase records, and your general manager's assistant sees guest information when they send a VIP gift. Also, does your hotel feature communal computers for employees?
If so, each person uses that computer with their personal email address, which exists outside of your secure firewall. No matter what systems you've put in place to protect your company email systems, those outside systems don't feature the same protection, so teaching employees to recognize when their own email looks dangerous is one of the best things you can do for your business.
Truly, the up-front investment of training a full staff outweighs the cost of recovery if your data is hacked. The costs of a data breach alone can be staggering, from legal fees to the investigation process to public relations if or when it's made public. While cyber insurance covers some of this, it doesn't cover all of it, and this is not a time for extra expense in the hospitality industry. In 2019 the cost per record stolen was $150 per record; if that sounds small to you, go pull how many guest records you have stored in your system. The average cost of a data breach currently for a medium-sized company is $3.9 million, and this number continues to grow year over year.
The investment in training all employees of a company in PCI compliance is not only an investment in your hotel's safety, but an investment in the staff themselves. Compliance training teaches a person to be savvy in the way they handle their own credit cards and email, creating a better environment for their own lives in a climate where hacking is a regular problem for us all. COVID-19 also created a unique spike in hacking as many corporate employees worked from home, outside of the secure company firewall, leaving them with weaker virus protection while still connected to the cloud or data systems needed to do their jobs.
Both on a personal and professional scale, the main target of all phishing efforts is login credentials. A majority of people use the same passwords for business and personal logins, such as email logins or bank accounts. Once a scammer is able to access a user password, they'll try a multitude of larger sites related to email, banking and shopping to see if the user has used the same password, gaining easy access to any of those accounts.
This is why technology security should be an overall strategic effort rather than a set-it-and-forget-it plan. Technology solutions should not only administer your compliance training for associates but also continue to test their knowledge and your system's capabilities on an ongoing basis. Cyber threats evolve daily, and your system needs to be tested regularly to keep up. You need a yearly plan with consistent testing on different levels to keep up with the evolution of ever-changing scams in the industry. This includes random testing of your associates with fake phishing emails. This might seem a little extensive, but it helps you identify potential threats and teach your employees, using real-life situations, how to protect the hotel and themselves.
A good solution is knowledgeable in controlling your firewall, but also fully versed in GDPR, which is a fast-growing extension of your guests' personal information rights. It's not just an email with a link that says "click here" anymore; these phishing emails are specific and look real to the untrained eye. A standard spam scan should always happen before emails are delivered, but methods have evolved so much in the past few years that attacks have become specific and smart. In cases of the growing CEO fraud I explain below, 96 percent of these efforts were motivated by intelligence gathering, not just blanket outreach.
A fast-growing and very concerning phishing scam called CEO fraud impersonates a CEO or high-ranking individual within the company and sends a request from what looks like their email address, but which actually comes from outside the firewall. The most common of these scams asks the associate to go purchase a few gift cards using their corporate credit card, then to take a photo of those gift cards so the card numbers can be seen. Because gift cards are common in hotels for guest and associate appreciation, this is a task that isn't typically questioned by associates. The only reliable way for them to identify the validity of these emails is an alert that lets them know the email is not coming from "inside of the house". An alert at the top of the email that notifies the user that the message did not originate internally should be programmed in an attempt to stop this form of phishing.
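The "not from inside the house" alert described above is normally applied by the mail gateway before delivery. As an added illustration (not code from the article or from LEFCON), the following Python script shows the decision logic a gateway would apply: it parses the message headers and produces banner warnings when the sender's domain is outside the hotel's own, when a known executive's display name is paired with an outside address (the CEO-fraud pattern), and when the Reply-To address would send replies somewhere other than the apparent sender. The internal domain, executive name and sample messages are all constructed assumptions for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the hotel's own mail domain and the display
# names of executives who are frequently impersonated. A real deployment
# would load these from the gateway's configuration or directory.
INTERNAL_DOMAINS = {"example-hotel.com"}
EXECUTIVE_NAMES = {"jane doe"}


def sender_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify_message(raw):
    """Return the list of banner warnings a gateway would prepend to this message.

    An empty list means the message came from inside the house and needs no banner."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    display_name, _ = parseaddr(msg["From"] or "")
    from_domain = sender_domain(msg["From"])
    is_external = from_domain not in INTERNAL_DOMAINS

    if is_external:
        warnings.append("EXTERNAL: this message did not originate from inside the hotel")

    # CEO-fraud pattern: a trusted executive's name on an outside mailbox.
    if is_external and display_name.strip().lower() in EXECUTIVE_NAMES:
        warnings.append("IMPERSONATION: an executive's name is paired with an outside address")

    # Replies silently redirected to a third domain are another common tell.
    reply_domain = sender_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        warnings.append("REPLY-TO MISMATCH: replies would go to a different domain than the sender")

    return warnings


def banner_for(raw):
    """Render the warnings as the text block to place at the top of the email body."""
    warnings = classify_message(raw)
    if not warnings:
        return ""
    return "*** " + " | ".join(warnings) + " ***\n\n"


# Constructed sample messages (not real mail). The .invalid TLD is reserved
# and never resolves, so these addresses cannot belong to anyone.
INTERNAL_SAMPLE = """From: Jane Doe <jane.doe@example-hotel.com>
To: front.desk@example-hotel.com
Subject: VIP arrival tomorrow

Please prepare the welcome amenity for room 1204.
"""

CEO_FRAUD_SAMPLE = """From: Jane Doe <jane.doe.office@mail-example.invalid>
Reply-To: jane.doe@other-example.invalid
To: front.desk@example-hotel.com
Subject: Quick favour

Are you at the desk? I need some gift cards for a guest today.
"""

VENDOR_SAMPLE = """From: Vacuum Supplies <sales@vendor-example.invalid>
To: housekeeping@example-hotel.com
Subject: Your order has shipped

Your order of vacuum bags is on its way.
"""

if __name__ == "__main__":
    for label, sample in [("internal", INTERNAL_SAMPLE),
                          ("ceo fraud", CEO_FRAUD_SAMPLE),
                          ("vendor", VENDOR_SAMPLE)]:
        print(f"--- {label} ---")
        print(banner_for(sample) + sample)
```

The point of the example is that the banner depends only on header facts the gateway can verify, never on how convincing the body text looks; a legitimate vendor still gets the external notice, which is intended, because the goal is to make "outside the house" visible on every message rather than to guess which ones are scams.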
As we know, the more personalized an email looks, the more likely we are to trust it. When you receive an email, even from a large company, seeing your name after "Dear ______," makes you feel as if they must be tailoring it to you rather than blanket-emailing everyone. This tactic is used by phishing scams more and more: 76 percent of businesses reported being a victim of a phishing attack within the last year, and 30 percent of phishing messages are opened by the specifically targeted users.
Knowing the different ways in which your business can be at risk is incredibly important. An effective solution should not only create and set up a collection of systems for your hotel that help associates identify potential risks, but should continue to work with you day in and day out to test, prevent and recover when a threat arises. In our time it's not a matter of if, but when; give your associates the tools to keep phishing scams from coming into your house.
HotelExecutive retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.