Cyber Threats: Major Vulnerabilities Facing The Hotel Industry Today
By John Farley Managing Director - Cyber Liability Practice, Gallagher | December 01, 2019
Insurance consultants are helping the hotel industry design incident response strategies and leading cyberattack simulation tests that involve all key stakeholders. The ultimate goal is to make hotels a more attractive risk to insurers.
Too Many Cyber Threats
A research study by Symantec Corporation revealed at least 75% of hotel websites mistakenly leak booking details of their guests as well as personal data to third-party sites that can include advertisers, analytics companies and vendors. This vastly expands the attack surface to personal data that hackers can steal or manipulate…even canceling reservations. The hotel's bottom line, as well as the brand's reputation, are also at risk. And if you consider the long tail implications of such breaches, their effects can echo for years.
In fact, a 2019 Ponemon/IBM Security study across 507 companies around the world and more than 3,200 individuals interviewed revealed the average cost of lost business for these companies was $1.42 million, representing 36 percent of the average total cost of a data breach at $3.9 million. For the U.S., data breaches in 2019 on average were $8.19 million, a 130 percent increase from $3.54 million in 2006.
The Symantec study looked at more than 1,500 hotel websites in 54 countries from two-star to five-star properties and found that stolen personal data included: full names, email addresses, credit card details and passport numbers of guests that could be used by cybercriminals. Many of these malicious players are looking for the activities of influential business professionals and government employees. Symantec states that more than half (57 percent) of the sites tested send a confirmation email to customers with a direct access link to their booking.
What Malicious Players Are Stalking The Hotel Industry?
The 2019 Ponemon/IBM Security study reports the following: "…breaches originating from a malicious cyberattack were not only the most common, but also the most expensive. Since 2014, the share of breaches caused by malicious attacks surged by 21%." What are hotels facing? Here are the most common types of malware and attack vectors being used against the hotel industry:
Phishing: Emails look like they're coming from a familiar source. Hackers use phishing to get hotel employees to open malware-laden attachments or click on malicious links. In hospitality, time is money, so employees are often not well trained in cybersecurity. However, there are collections of templates commonly used by "phishers" and specific indicators that might reveal that an email may be dangerous. These can be employed as training materials to educate staff about this threat.
Ransomware: Hotels are prime targets for ransomware attacks. According to Lodging Daily News many have outdated security for point-of-sale systems. Small chains have been slow to beef up security measures, reasoning that they are not on the radar - a misconception. The industry is stepping up security and education to combat this growing problem.
Point-of-sale / payment card attacks.These attacks pose the biggest threat to the hospitality industry as a whole. Many are directed against vendors, who present an opportunistic weak link. Causes range from easy-to-hack passwords and insecure remote access to dated software and improper configuration. Hotels collect such vast amounts of customer data that they are juicy targets for criminal activity.
Denial of Service Attack (DDoS): Typically, hackers flood systems with so much bogus traffic, servers become overwhelmed and are unable to operate.
DarkHotel hacking: "DarkHotel" is actually the name of a cybercrime group that targets high-value individuals, often through hotel Wi-Fi. Common targets include hotel guests who are CEOs and other top-level company executives. Once access is gained, cybercriminals can spy and steal confidential information.
Customer data / identity theft: One of the biggest risks to hotel security and reputation is the hacking of customer credit card data. As such, network security upgrades and employee training are essential.
What Are The Legal Obligations For Hotel Owners And Operators?
All 50 U.S. states and several countries around the world have what is called "breach notification laws" that require the data owner to notify guests who have had their personally identifiable information accessed by unauthorized parties.
However, these laws vary by jurisdiction (with some requiring as little as 48 hours for notification). When the attack affects citizens from the EU, a new regulation comes into play. This is called the General Data Protection Regulation (GDPR), which mandates that victims be notified within 72 hours. Failure to comply in GDPR results in a fine that can be as high as 4 percent of the hotel chain's annual revenue. So far, GDPR has been enforced to a limited extent, but its very existence should cause concern for both hotel owners and operators.
The Payment Card Industry Data Security Standard (PCI DSS) is an information security requirement for organizations like hotels that transact business via credit cards. It is designed to reduce credit card fraud. Practices run the gamut, from limiting employee access to credit card data to how information is stored digitally and unique user IDs issued to those who do have wider access.
If a hotel has a security breach and is found to be non-compliant with PCI rules, it may be fined, and the fines can be high - and might range anywhere from $5K to $100K a month until the compliance issues are addressed.
Preventive measures: the all-important "Incident Response Plan"
With an incident response (IR) plan in place, your staff can more readily identify, respond to and recover from a cybersecurity attack. Critical to success is ensuring that you have the right people in place playing specified roles. For hotels, that needs to be a collaboration between stakeholders such as: the Chief Information Security Officer (CISO), general counsel, a risk manager to coordinate insurance, a PR or marketing lead, someone from operations (critical when there is a disruption of service due to ransomware), the CFO to allocate costs and the CEO who can address the media.
An IR plan for the hotel business requires that the team:
- Increase awareness of cybersecurity issues throughout the enterprise
- Identify and assign individual breach response roles and responsibilities
- Build-in business continuity measures
- Manage your vendors to assist in the investigation, evidence preservation, remediation and compliance.
- Have a plan to respond to specific types of cyberattacks
- Purchase the right cyber insurance
How much can an effective IR plan save hotel owners? According to the 2019 Ponemon study, cost analysis shows that a well-executed plan can reduce the average total cost between $320K and $360K per incident. Even better, testing the plan with the IR team can reduce the pain even more.
Here's what the study found: "Organizations that both formed an IR team and extensively tested the IR plan, saw the greatest savings - $1.23 million less than organizations that neither formed the IR team or tested the IR plan."
The Value Of Tabletop Exercises
At least once a year, members of the IR team should meet to run a tabletop exercise - a best-practice way to test the IR plan through a simulated attack. This collaborative approach helps to evaluate your organization's cyber-crisis preparedness. Tabletops provide the tools and proficiency needed to effectively respond from both a strategic and technical perspective.
Key to implementing a coordinated effort is to enlist the help of professionals who are well-schooled in these techniques. Your insurance broker can be the perfect ally in this endeavor. A knowledgeable broker can provide guidance in setting up IR plans, helping the team with simulated attacks (tabletops) and ensuring the business is qualified for cyber insurance. T
Too Few Employees
Compounding the problem posed by hackers is the dramatic lack of cybersecurity professionals, according to the Center for Strategic & International Studies: 82% of employers across eight countries report a shortage of these skilled people. And 71% of those interviewed say this gap is damaging their businesses. The U.S. alone has over 300K cybersecurity openings that are unfilled, and the shortage of skilled technical staff touches almost every position within the field. Businesses report that for every 1K skilled cyber jobs filled, there are nearly 30K job openings.
When it comes to the hotel industry, not only is the "store" under attack, but there's nobody there to mind it - let alone defend it!
6 Critical Steps Hotels Need To Take
Despite facing the dual challenges of cyberattacks and workforce shortages, hotels are not without strategies. Here are some important steps to mitigate risk:
- Put an Incident Response (IR) team in place that includes all key stakeholders: Chief Information Security Officer, general counsel, risk manager, PR or marketing lead, COO, CFO and CEO. The IR plan should assign individual roles and responsibilities designed to respond to specific types of cyberattacks
- Conduct tabletop exercises with you IR team at least once yearly to test preparedness.
- Make sure to implement employee training as part of IR readiness.
- Stay on top of hiring so that you have no shortage of cybersecurity professionals on your staff.
- Invest in the latest technology with data encryption, the latest anti-virus software and real-time intrusion detection systems.
- Tighten up processes by implementing multifactor authentication, conducting system patching on a regular basis, creating a formal password protection program and enforcing all privacy policies.
HotelExecutive retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.