Unlike building security, cybersecurity is an area where criminals are continually finding new technological means to their ends. Thus, hotel operators must stay up to date on best practices to fend off data theft. “Cyber threats are continuously evolving,” said Brian Cornell, chief information officer at Concord Hospitality, which manages nearly 150 hotels. “It’s become an industry of its own. For example, criminals can purchase tools on the dark web to craft or use code that others have developed to target organizations.” Among the relatively new types of attacks Cornell cited are (1) multi-factor authentication (MFA) exhaustion, where a user is bombarded with multiple sign-on requests until they agree and authenticate the attacker and allow access to the user’s device; (2) the use of QR codes to entice victims to go to malicious or data-gathering websites; and (3) the online travel agent and the “guest needing direction assistance” scams, which both include malicious links or malware-infected files to download. “This email or communication is frequently delivered to an unsuspecting front desk agent,” he noted.
Coupled with these threats, organizational vulnerabilities have increased since the changes COVID-19 brought to the workforce. “During the pandemic, risks increased due to the trend of employees telecommuting and having decreased security posture, and lean IT work forces that may be working remotely,” Cornell explained.
The good news for many operators and franchisees is that several brands have ratcheted up their focus on cybersecurity. “The maturity level of each brand’s security stance differs, but those that are lagging are making strides in catching up,” he noted. “For example, several brands have not only implemented their own external managed security providers (MSPs), but they have also made these services available to the franchisees at a reduced rate. In addition, several brands have increased their scanning for vulnerabilities or rogue devices that either need to be removed or blocked from the network. I encourage all brands to continue to focus on this critical area.”
Whether or not a hotelier partners with the brand’s MSP, Cornell recommended they always utilize an MSP that has a service-level agreement that guarantees “quick response times to lock down and isolate any asset that has suspicious activity, before any lateral movement can occur.” He added, “No matter how many layers and levels of security you implement, there will always be a vulnerability that can be exploited. These can be caused by end-user failures, zero-day vulnerabilities [flaws in an app or operating system that are unknown to the developer], and brute-force intrusion [a hacking method using trial and error], to name a few. Regardless, when an event occurs, quick action by a team to isolate the vulnerability, prevent lateral movement to other systems, and prevent data exfiltration is critical to minimize the impact.”
A good MSP can go a long way toward preventing two of the most damaging cyberattacks: ransomware and cryptolockers. “They usually go hand in hand,” said Cornell. “The ransomware typically includes the exfiltration of sensitive, financial, employee, customer, or credit card holder data. ‘Pay or else we expose your information.’ The cryptolocker, when launched, completely locks you out of the infected assets or network. Once again, you must pay to regain access or you are forced to recover systems from backup. Sometimes, the backup systems are targeted also. Recovery takes time, which results in labor costs, loss of productivity, loss of customers, sales, and negative PR.” In addition to an MSP, organizations should utilize a SIEM (security information and event management) solution, which helps to detect, analyze, and respond to cybersecurity threats. Such a system should “overreact to threats versus under-react,” Cornell advised. “Even if it takes a workstation or server out of commission for a moment, we’d rather be safe than sorry.” An email management solution, which filters, blocks, protects, and educates end users, is also highly valuable.
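As an added example (not from the article, Concord Hospitality, or any vendor), the MFA exhaustion attack described earlier and the "overreact rather than under-react" SIEM advice above can be combined into a simple detection: a burst of MFA push prompts to one account is flagged, and a prompt that is finally approved after a string of denials or timeouts is escalated so the account can be isolated. The log line format, user names, threshold and time window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format): ISO timestamp, user, event, result.
# fd.agent01 is bombarded with pushes overnight and finally approves one;
# gm.smith shows ordinary, widely spaced prompts.
SAMPLE_LOG = """\
2024-03-04T02:11:05 fd.agent01 mfa_push denied
2024-03-04T02:11:31 fd.agent01 mfa_push timeout
2024-03-04T02:12:02 fd.agent01 mfa_push denied
2024-03-04T02:12:40 fd.agent01 mfa_push timeout
2024-03-04T02:13:15 fd.agent01 mfa_push denied
2024-03-04T02:13:52 fd.agent01 mfa_push approved
2024-03-04T08:30:00 gm.smith mfa_push approved
2024-03-04T14:02:10 gm.smith mfa_push denied
2024-03-04T14:40:00 gm.smith mfa_push approved
"""


def parse_line(line):
    ts, user, event, result = line.split()
    return datetime.fromisoformat(ts), user, event, result


def detect_mfa_exhaustion(log_text, threshold=4, window=timedelta(minutes=10)):
    """Return {user: severity} for users with >= threshold pushes in a sliding window.
    'critical' if a push inside that window was approved after earlier denials or
    timeouts (the fatigued-user signal); otherwise 'high'."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event == "mfa_push":
            by_user[user].append((ts, result))
    alerts = {}
    for user, events in by_user.items():
        events.sort()
        start = 0  # left edge of the sliding window
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            results = [r for _, r in events[start:end + 1]]
            if len(results) < threshold:
                continue
            rejected_before = any(r != "approved" for r in results[:-1])
            severity = "critical" if results[-1] == "approved" and rejected_before else "high"
            if alerts.get(user) != "critical":  # never downgrade an escalated alert
                alerts[user] = severity
    return alerts
```

A "critical" hit is the point at which the response team should lock the account and invalidate its sessions first and investigate afterwards, matching the advice to isolate quickly before lateral movement occurs.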
Speaking of educating staff, all employees must be trained on spotting phishing emails and other data theft ploys. At Concord, “all associates when they are hired go through several cybersecurity training courses,” said Cornell. “To keep associates’ skills honed, they are tested monthly, and failures result in re-enrollment and progressively longer and more in-depth training. It is not a popular program, but unfortunately necessary. We use an outside service, and the simulated phishing emails are topical and very well disguised. For Cyber Security Awareness Month last year in October, we conducted a contest. We plan on doing something similar this year.”