Ransomware attacks have become more common and more sophisticated in recent years. In one memorable case from earlier this year, hackers were able to infiltrate the electronic key system at an Austrian hotel, effectively shutting out guests and hotel employees from guestrooms until hotel management paid the demanded ransom—two Bitcoins, or about $1,800. While that brand of attack isn’t common, it underlines the importance of security in an increasingly connected world.
No hotel is immune to ransomware attacks, says Scott McAfee, senior director of IT at VIPRE, an antivirus protection company. “One of the things that I hear a lot from the tech side is, ‘we’re not a big enough company that somebody wants our data.’ It’s a misconception that you’re not being targeted because you’re not a big company, or that you’re not being targeted because you don’t have enough valuable data,” he explains.
David Corlette, VIPRE’s director of product management, adds that the hospitality industry is particularly at risk for ransomware attacks because hotels often have outdated security for point-of-sale systems, and the hotel employees who use those systems may be unaware of the tactics hackers use today. “As a result, you’ve got a really ripe environment for hackers to come in with a phishing email and implant malware among those endpoints,” Corlette says.
Taking on the threat of ransomware has everything to do with preventing the attacks altogether through a combination of security systems and employee education, according to McAfee. “Making sure you have a solid utility, a solid endpoint protection system in place, inbound email security, anti-phishing, network monitoring, anomaly detection, and training the users on how to avoid getting ransomware and detonating ransomware is really your best bet,” he explains.
Protecting against ransomware is so important precisely because a hotel’s options for responding to an attack are limited. In a ransomware attack, a user unwittingly activates the ransomware, often by downloading an attachment or clicking on a link in a malicious email. When the user attempts to log in to access their data, a splash screen may appear explaining that in order to access locked or stolen data, the user will need to pay the specified amount. Corlette says that payment should be a last resort for a few reasons: there’s no guarantee that paying the ransom will help a user regain access to data; paying the ransom encourages the hackers to attack the hotel again; and succumbing to the hackers’ demands puts other businesses and users at risk for an attack.
Ransomware victims have few options for restoring data once an attack is underway. An IT team can try to isolate the device to slow or eliminate the attack’s spread, restore backups (assuming those exist), and try to reverse engineer the attack, which may only be effective against certain types of ransomware strains. “Once all the recovery options are exhausted, the last resort is to pay the ransom or to just forget about the lost data and start again from scratch,” Corlette says, admitting that the latter is not much of an option at all.
Ultimately, prevention is the best approach to tackling these threats, and that means going straight to the source of activation—the users and their systems. “By far, the most common way that people get ransomware is through a malicious email that has an attachment or a link that someone clicks on,” Corlette explains. “You’ve got a lot of people who are trying to do their jobs and make sure that people are happy in a hotel, and they aren’t as worried about the security of the computers they’re using to do their jobs.” For that reason, it’s important for hotels to train new hires on malicious attacks and anti-phishing, and renew that training with staff periodically. McAfee recommends quarterly training because more frequent training means more frequent reminders of what to look out for and the most recent tactics that attackers are using.
An up-to-date security solution is the second key to protecting hotels against ransomware attacks. The operational burden of updating software proves to be a frequent challenge for hoteliers. “If you don’t have the latest code, you don’t have the benefit of all the research and improvements and innovation that is going into the industry today, and you’re not as well protected,” Corlette explains. “Anybody purchasing a security solution needs to also be thinking about the cost to keep it up-to-date.” Some solutions will automatically patch themselves, while others will require a hotel to manually download and install patches. McAfee adds that when evaluating the total cost of ownership for a security solution, hotels should take into account the size of their staff and their ability to manage those patches and updates.
“Hackers are getting more and more aggressive,” Corlette says. “We’re seeing some progress to the defenses that are out there, but there’s a lot of ground to be made up. Hackers, right now, seem to have the edge.”