On Monday, HEI Hotels & Resorts became the most recent hospitality company to be preyed upon by hackers. But according to Stu Sjouwerman, founder and CEO of employee training and security company KnowBe4, hotels should be aware of the dangers of credit theft by now, though they still have a long way to go. If the industry is going to learn from its mistakes, Sjouwerman has four takeaways:
1. Understand the risk
Currently, HEI is saying the breach was contained to 20 locations across 10 states and the District of Columbia. But Sjouwerman said that these hacks target point-of-sale systems used in hotel food-and-beverage outlets, and any location operated by HEI using that POS system is vulnerable.
“Many chains all use the same infrastructure. If someone were to break in, the amount of data they could access is enormous,” Sjouwerman said. “To the bad guys time is money, so they go where the biggest hits will net them the most cards.”
And because hackers are so good at hiding their tracks, data breaches often go unnoticed until banks detect fraudulent charges. But by then it’s too late; the information has been disseminated and most likely sold online for a profit. Even worse, a majority of hackers operate overseas, making the likelihood of their arrest slim to none.
2. Train your employees
Human error remains the most effective exploit for hackers, who Sjouwerman said most often still rely on phishing schemes to gain access to protected networks. By sending falsified emails or loaded links that upload malware onto company computers, employees often give invaders access to a company’s data through errant clicks from sources that appear legitimate. Sjouwerman said the best defense is a strict online policy bolstered by strong employee training.
“One thing hotels should do to make a massive improvement on these risks is send employees simulated phishing attacks,” Sjouwerman said. “Train at least once per month to identify these attacks.”
The process usually begins with a baseline test to determine what percentage of employees are falling for phishing attacks, and then train them through their browser. “This type of training is the biggest bang for your buck because it’s how [hackers] are getting in,” he said.
3. Update machines
Even if your employees are properly trained it means nothing if machines aren’t up to date. This is a small order when considering most updates are free, but investing in strong firewalls and a properly protected network is integral to keeping dangerous malware away from sensitive information.
A particular issue that all businesses are running into right now with regard to data security is that at some point there is a moment where credit card information is not encrypted, Sjouwerman said. “It’s usually at the POS level; that’s where these things usually fall down,” he said.
4. Don’t wait for the next attack
Home Depot, Target and many of the hotel industry’s largest companies have been struck by credit card theft in recent years, and yet Sjouwerman said many properties remain without proper defenses. He implores hotels to be prepared because the only difference between a hotel that has been hacked and one that has not is that the second one just hasn't been hacked yet.
“There are three ways to learn about security: Read about it in books, see others practice it or become a victim,” Sjouwerman said. “Most people who are hacked insist on learning the third way. Unless it has happened to them, it’s not real enough for them to spend money. Remember that being compliant is not the same as being secure.”