Social engineering, AI advancements, and new tech streaming devices are among the top hospitality trends that have made hotels more susceptible than ever to cyberattacks, according to industry insiders. Nevertheless, hotel companies have dramatically increased their focus, as well as their investment, to fight back aggressively against cybercrime.
LODGING recently interviewed a pair of prominent third-party management executives, as well as a major brand representative, to get their outlook on the current state of cybersecurity within hotels. Paul Bushman, senior vice president of technology & enterprise solutions, Crescent Hotels & Resorts; Keryn McNamara, chief information officer, Aimbridge Hospitality; and Jason Stead, chief information security officer, Choice Hotels International, offered their insights on the topic. The following Q&A represents a portion of those interviews.
LODGING: What are some of the top concerns for your company’s hotels around cybersecurity, and how are you working to alleviate them?
Paul Bushman: Many concerns include but are not limited to ransomware, phishing (email and voice), DDoS attacks, hacks (network), PMS, POS, and other systems, and the advancement of AI to conduct sophisticated attacks and hacks. Additionally, social engineering is at the very top of the list of concerns. According to many reports, as much as 98 percent of cyberattacks involve some type of social engineering. As much as 90 percent of data breaches target people to gain access to sensitive information and personally identifiable information (PII) that can be used for the financial gain of the attacker and other malicious intentions.
Training is the key to prevention. People need to know what to look for and what to do when they find themselves in these situations. It is not an IT system that is going to give a bad actor access to personal and company information; it is the human that is going to unlock and open the door.
Keryn McNamara: For our hotel owners, top concerns are always about the security, safety, and privacy of their guests, including their information. Ensuring we protect that information—along with hotel owners’ financial and technology operations and systems—is paramount to our cybersecurity management program.
At Aimbridge, cybersecurity remains a constant priority. We are dedicated to staying ahead of potential threats by implementing advanced security measures and continuously monitoring for vulnerabilities, emerging threats, and changes in the tactics, techniques, and procedures that are used by threat actors targeting hospitality. Our cybersecurity strategy includes top-tier tools and technologies, as well as strong partnerships with the brand’s cybersecurity teams, with industry leaders, and with government entities and law enforcement to ensure our guests’ data remains secure and our properties are protected.
Jason Stead: The lodging industry has been very highly targeted over the years. It kind of ebbs and flows, but it’s definitely at the forefront these days for the hackers. It’s a little bit like a shark where they smell blood in the water, and so, unfortunately, when the hackers have success in one area, that success brings others as well. A lot of what we do is really to not only safeguard Choice’s corporate assets, but also to help our franchisees have the right controls in place to help protect that guest information as well.
LM: What kind of investments has the company made in cybersecurity technology and/or personnel in recent years?
PB: Crescent has made a strong and intentional investment in cybersecurity in recent years. We believe in diversity of protection and segregation of pathways to ensure we are creating islands of protection throughout our portfolio. This includes our physical, virtual, logical, and human protection layers. Cybersecurity awareness training needs to happen on an annual basis to continue to remind people to not only remain vigilant, but know how to identify a potential risk, and what to do when that happens.
Managed detection and response (MDR) systems must be implemented to help keep the environment safe and continually monitored to alert cybersecurity staff to potential risks and be able to investigate those events as quickly and close to real-time as possible.
KM: Aimbridge remains committed to investing in top-tier tools and capitalizing on the knowledge gained from our longstanding partnerships. We have made a considerable effort in strengthening our brand collaborations—which provide us with valuable insights and enhance our comprehensive strategy—ensuring we maintain the highest level of security for our guests, properties, and owners.
Moving our operations from data centers into the cloud with real-time backups and data replication has provided us with improved data integrity and enhanced our ability to recover in the unlikely event of an incident. We have invested in implementing top-tier firewalls, network intrusion detection, and endpoint security protection. Email security with spam filtering, phishing, and automated compartmentation of suspicious emails using multiple solutions has proven invaluable in helping to reduce that attack surface. Several years ago, we implemented a full-time staffed, 7x24x365 Cyber Security Operations Center (C-SOC), and it provides cyberthreat monitoring and evaluates data from all our servers, endpoints, applications, and network to detect and respond to potential threats.
JS: Choice and many other hospitality organizations have invested heavily in endpoint detection response capabilities, commonly referred to as EDR. I think EDR is going to make a tremendous difference in this industry to help thwart these common attacks. A hacker doesn’t just target one organization; they target everybody and they use the same techniques. Hopefully solutions like EDR will help the entire industry thwart those attacks, because we see the exact same threat actors every single day.
LM: What is being done at the property level to ensure that your guests feel assured that their personal information is protected?
PB: Implementation of both physical and virtual security measures, maintaining compliance with PCI DSS and other security standards, providing ongoing security awareness and training, and ensuring all passwords, software, and antivirus programs are regularly updated. Protection of personal information must be of high concern for hotel owners and operators. A good example is maintaining a current patched version of both PMS and guestroom entertainment platforms.
The rise of streaming services creates an opportunity for bad actors to gain access to the streaming service accounts of previous guests. In addition, if the PMS is not completely deleting this information upon checkout, there is a good chance that the guest folio is also available via the TV set and guestroom entertainment platform. Many times, access to the name, billing address, phone number, etc., is still available via the TV of the previous guest. This can be valuable information to a bad actor looking to commit acts with malicious intent.
KM: We place great importance on the handling and safeguarding of guest information. This starts with our training programs that all new associates are required to complete and an annual refresher training that includes Consumer Privacy Awareness and covers things such as PII, CCPA, and GDPR, and payment card industry (PCI) training on protecting credit card information and fraud prevention. We also conduct monthly vulnerability scans of our hotel property networks and quarterly security compliance scans of the point of sale (POS) infrastructure to ensure those environments remain secure and guest information is protected. With our Vendor Security Risk Management Assessment program, we assess any new technology vendors and their products prior to purchase and installation in order to ensure the solution is secure and data is protected.
LM: How critical is the role of hotel personnel in helping to fight against potential cybercrime, and how is your company supporting those associates?
PB: Our No. 1 asset in the fight against cybercrime is our associates. While we are focused on the technologies that will prevent cybercrime, we know that our biggest risk and strongest defense is our team. Educating our team on how best to protect our guests is key to our success. We take pride in utilizing top-tier tools and ensuring that our associates are thoroughly trained in cybercrime prevention strategies to safeguard our properties and guests.
KM: Training our associates is a vital line of defense to protect our guests and properties from cybercrime. As part of our comprehensive talent development programming for associates, we prioritize extensive, ongoing training for our associates to ensure they are well-equipped to identify and respond to cybersecurity threats. This proactive training is integral not only to safeguarding our operations, but also to empowering our associates with the critical skills they need. We recognize that a robust, well-trained team is essential to maintaining our position as an industry leader, and we are committed to honing the expertise required to stay ahead in an ever-evolving landscape.
JS: Choice has published training materials for our franchisees through our award-winning Choice University platform, and those training courses are made available to everybody at the hotel; it could be housekeeping, it could be engineering, or front desk staff. I think training is a critical component for hotels to really thwart the attackers. The most likely way that a hacker will infiltrate a lodging organization will be through social engineering. It’s absolutely critical that everybody at the hotel understands those threats, and when they see something, they need to say something.
LM: What is your general outlook on hotel cybersecurity going forward?
PB: Hackers are going to get more sophisticated in their attacks with the change in the technology landscape, particularly AI. Technology solutions will need to keep pace to prevent future attacks. Additionally, IAM and PAM are big opportunities to help defend against bad actors and attempted cyberattacks. Education for owners and operators needs to be enhanced to ensure everyone understands that while people are often a company’s greatest asset, they can also represent the biggest risk. Hotels must prioritize investing in technology and employee education to protect against the malicious intentions of bad actors. However, there is a critical need for a shift in attitude, as this area is often the first to face budget cuts and only receives the necessary attention and resources after a breach occurs. It’s a classic case of being too late to secure the right insurance coverage after the damage has already been done.
KM: The landscape of cybersecurity is constantly evolving and requires continuous vigilance and collective awareness. Protecting guests and properties remains a top priority as we work closely in collaboration with technology partners and industry experts to develop effective solutions and prepare for what may come our way.
JS: I would say the investment in lodging for cyber controls has increased dramatically over the last five to 10 years. You’ll see that at the brand level, but also at the individual hotel level.