Do you have $1.6 million left? That's the average amount security experts now estimate it would take to recover from a malware cyberattack.
Hotels are easy targets for hackers. Many hotels lack confidence in cybersecurity. "The two largest global data breach reports, Trustwave's Global Security Report and Verizon's Data Breach Investigation Report last year, both show that hospitality continues to struggle in this area. Verizon, reported that lodging, food and lodging accounted for nearly 54% of their caseload," says Bob Russo, GM of the PCI Security Standards Council."
Every time a hotel's guest records are breached, the hotel is hit with financial burdens and faces broken Trust your guests. As a hotelier, you don't have to be an expert in cybersecurity, but it's imperative that you understand the basics of protecting your business and your guests. Here are some ways you can address cybersecurity at your hotel and minimize your risk as much as possible.
Why ho tels are attractive targets for hackers
Hotels are easy – and profitable – targets for hackers. Hotels are attractive targets for two reasons: First, cybersecurity is lax in many hotels. "Only about 25% of all U.S. businesses, including hotel operators, are fully compliant with current data security best practices. This means that three out of four are not and potential disasters waiting to happen." says Russo.
Secondly, hotels process many transactions and store tons of guest data. A hacker can simultaneously attack a lodging's POS and property management systems to capture payment card information, as well as personal data such as passport numbers and email addresses. Malware can move between POS and PMS systems at different hotels under the same brand and affect guests at locations around the world without anyone getting the wiser. Likewise, there are many access points that a hacker can attack in a single capacity. "In February, it was reported that of the 21 most high-profile hotel data breaches since 2010, 20 were due to malware that affected POS systems at a hotel restaurant, bar and retail store." says Mark Voortman, Ph.D., Information technology program director at the Rowland School of Business in Pittsburgh.
A small hotel with 100 rooms and a 50-seat restaurant still processes hundreds of individual payments daily. These unique payments are virtually unprotected; few hotels have the necessary security protocols, infrastructure and training to ensure that interested parties are prevented from stealing guest information.
What is malware? Defined key cybersecurity concepts
Understanding key cybersecurity concepts is half the battle. Here are some common terms you'll encounter when improving security at your hotel:
Phishing: Phishing occurs when fraudsters send you an email, text message, or even call you to get you to divulge personal information information that they can then use to access your banking information or credit cards. A phishing email may look like a message from your bank warning you that your account will be closed unless you confirm your personal information.
Encryption: strong> Encryption is a security method in which data is scrambled so only parties authorized to read it can understand the information. The process takes readable data and alters it to make it appear random. The party receiving encrypted information needs a key to decrypt data and convert it into readable plaintext.
VPN: VPN stands for "virtual private network."A VPN masks your IP address and keeps your Internet activity largely undetectable. It is a great tool to make sure your internet connection is secure and private.
Malware: Malware is short for "malicious software."Malware is designed to gain access to your computer; spyware, ransomware, viruses and Trojans are all different types of malware.
Penetration testing: penetration testing is a process in which a cybersecurity expert attempts to identify vulnerabilities in a computer system. The expert simulates a malware or hacking attack to find vulnerabilities that attackers could exploit.
APT (Advanced Persistent Threat): an APT is the worst type of attack, where a malicious actor uses "continuous, stealthy and sophisticated hacking techniques to gain access to a system and remain in it for an extended period of time, with potentially destructive consequences."
Antivirus: a program designed to detect and destroy computer viruses on an operating system
Anti-malware: similar to antivirus software, but where antivirus focuses on older/known threats, anti-malware usually focuses on newer unknown threats. Malware protection focuses on detecting unknown threats before they fully develop with mature viruses. Malware removal is usually more difficult than antivirus because there are more unknowns.
Rootkit: A rootkit is a clandestine computer program designed by cybercriminals to grant continuous privileged access to a computer while actively concealing its presence.
Keylogger: A keylogger, sometimes referred to as a keylogger or system monitor, is a type of surveillance technology used to monitor and record every keystroke on a specific computer keyboard. Keylogger software is also available for use on mobile devices such as Apple's iPhone and Android devices. Keyloggers are legitimate software that can be used forever, but are often used as a scam to steal sensitive information such as credit card numbers and passwords.
Botnet: a network of private infected computers that contain malicious code and are controlled as a group without the owners' knowledge to z. B. Sending spam messages.
Using a VPN and encryption, as well as regular penetration testing, can protect your network from malware and APTs. You should also make sure your hotel's IT team regularly scans lodging computers for keystrokes and that your employees don't open strange email attachments. These are the absolute minimum security protocols you need to practice regularly to avoid disasters like these high-profile hacks in the hotel industry.
High-profile malware attacks in the hotel industry
Symantec's research found that hotels of all sizes were at risk. At HEI Hotels & Resort, Starwood/Marriott and more. Here are just a few high-profile events:
HEI Hotels & Resorts
In 2016, a data breach affected 20 U.S. hotels operated by HEI Hotels & Resorts. The attack exposed payment card data from tens of thousands of food and beverage transactions. Malware detected at hotels' payment systems used to process card information at restaurants, bars, spas, lobby stores and other on-site establishments. 'Experts have determined that hackers are likely to lock down customer names, account numbers, card expiration dates and confirmation codes'.
In January 2019, Starwood/Marriott discovered that a data breach had exposed the personal information of guests who had stayed at their accommodations since 2014. Guest data has been stolen from around 500 million people – including encrypted passport numbers and credit or debit card numbers. The New York Times reported that hackers may have collaborated with China's Ministry of State Finance, as an attack of this magnitude is notable.
Omni Hotels & Resorts
Omni was also targeted by a malware attack in 2016, from which 50.000 customers were affected. Debit and credit card information from 49 of the chain's 60 locations was stolen: including credit and debit card numbers, cardholder names, security codes and expiration dates.
Hackers gained unauthorized access to payment card information at 41 of Hyatt's hotels in the second attack since 2015, according to a security expert, "It is possible that the steps taken by the Hyatt Group in December 2015 are still being used throughout the company, especially if these systems are scattered around the globe and not connected via a shared network . When selecting your system management toolset, you must implement the solution that is secured with 2048-bit certificates and two-factor authentication also works regardless of where the endpoints are located."
Sabre processes reservations for approximately 100.000 hotels and more than 70 airlines worldwide. The company was targeted in 2017 by malicious actors who stole credentials for Sabre Hospitality Solutions' SynXis central reservation system. These credentials allowed access to customer data, including payment card information and reservation details – customers' names, email addresses, phone numbers and addresses.
These high-profile attacks make headlines, but there are hundreds of smaller attacks in hotels every month. Not long ago, a massive hack like the one at Fontainbleu in Miami went unnoticed by the mainstream media. Sources reported that Fontainbleu was subjected to a ransomware attack on its credit card system that forced the hotel to either compromise guest data by continuing to accept card payments or ask guests to pay in cash. Guests waited up to five hours for rooms while the front desk tried to alleviate the situation – a scene described by one person as "chaos." "The line was out the door into the lobby" a senior executive told Variety Magazine. For a five-star hotel like the Fontainebleau, an incident like this is absolutely brand-destroying.
How to protect your hotel from malware attacks & cyber threats
What's the best way to ensure your data stays secure and no guests are left in the lurch? First and foremost, take extra care when choosing a POS system and credit card processor. "Agreements with these entities should be reviewed and, if possible, modified to add protections and minimum data processing standards for the outside provider. Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) not only helps make data security software, hardware and practices more secure, but also helps protect against fines and penalties if a breach occurs." writes an expert.
An enterprise-class vendor , like Oracle Hospitality, can secure the vulnerable link between your PMS and POS. Oracle OPERA is a cloud-based property management system that integrates with Micros' point-of-sale system and a number of other applications. Oracle offers sophisticated security protocols such as cloud security monitoring analytics to monitor the platform both on-premises and in the cloud. Oracle tools include:
Cloud Compliance Control (OMC CC) to check configurations against company requirements or external regulations;
Cloud Access Security Broker (Oracle CASB) to identify shadow IT in the cloud and address enterprise requirements regarding the use and configuration of Oracle and third-party cloud services such as AWS, Salesforce, Azure, Box, etc.;
Identity Cloud Service (Oracle IDCS) to provide a user management and authentication system for on-premises or cloud services.
These security protocols monitor what's happening on your internal network as well as any external attacks. Working with Oracle gives you multi-layered security , privacy, secure transactions and compliance with payment and privacy standards. But as the Sabre attack showed, sometimes even those measures aren't enough. With the right credentials, anyone can get past your security system.
The right technology is only half the equation; Over the years, security experts have also identified employees as part of the problem. Hotels need to train their employees to handle personal data security, comply with privacy policies and change user credentials regularly. This industry has high turnover, which is one of the reasons employees don't always meet safety standards. Your property should hold regular info section seminars to ensure all new employees are trained and veterans stay up to date on the latest threats.
Even with a great PMS/POS system and the right training, It's important to perform routine penetration testing and risk assessments. It no simple answer how often you should test your network by pen, but experts warn once a year probably not often enough. In addition to training your staff, updating your security software and investing in a platform like Oracle OPERA that is invested in cybersecurity, you can encourage your guests to use a VPN and log out of their WLAN when not in use.