Ransomware activities increased across all industries during the pandemic, causing loss for targeted businesses and leading to nearly all businesses increasing network security efforts. The pandemic also affected the hospitality industry in an outsized way because travel was significantly reduced and, in some areas, halted. That meant increased security risks were taking place at the same time that hotels were suffering from severe reductions in revenue and staffing, said Daniel Healy, partner at Brown Rudnick LLP. “Hotels and hotel companies did have many employees working from home or remotely, just like other businesses,” he said. “The remote connectivity was a risk factor from a cybersecurity point of view.”
The number of data breaches has increased in the past few years, said Dale Buckner, CEO of security solutions company Global Guardian. Hotels retain a lot of sensitive data on individuals such as credit cards, personal details, passport numbers, and more in their reservation databases. This information is a high-value target to cybercriminals.
According to the Retail & Hospitality Information Sharing and Analysis Centers (RH-ISAC), the hospitality industry has the highest phish-prone percentage of any industry at 48 percent, Buckner continued. This is 10 percentage points higher than the next industry, construction, which stands at 38 percent.
“Hotels are high-value targets, especially those surrounding other targeted industries and those that attract high-net-worth and senior-executive guests—who could fall victim to DarkHotel,” Buckner continued, referring to the spear-phishing spyware and malware-spreading campaign that targets hotel guest data.
Prevention Efforts
Complete prevention of data breaches is an ideal, but most experts believe this cannot be entirely achieved, Healy said. “Human error is an ongoing issue—and often the biggest issue—in data breaches,” he said. “However, having up-do-date security measures in place, current software and other measures such as security training for employees, can be important parts of a prevention program. Just as important is having a response plan in place. Quick and effective responses involve a team of personnel and often can prevent some breaches from becoming significant and contain the loss from breaches as much as possible.”
Hotels secure a high volume of sensitive customer information, positioning them as vulnerable subjects when it comes to cyberattacks, Buckner said. “To ensure breaches do not happen, hotel leadership should address their end user, ensuring all employees have robust and thorough training to teach them how to recognize and report potential cyberattacks/breaches,” he added.
Additionally, hotel chains should increase the security they provide hotel guests. Guests may be willing to pay an additional fee to have a secure connection that also allows them to connect to their VPN. The Wi-Fi should never have a shared password or be open with no password at all. Hotel chains should also ensure their terminal computers are all up to date with regular software updates taking place, Buckner continued.
Becoming part of the RH-ISAC can be a good start for hotel chains as the centers will help hotel chains understand the standard they must follow when it comes to protecting their customers data and providing secure internet access, Buckner said.
Hotels need to stay current on the use of software and the tools that need to be in place to maintain security. “The best security software to select today could become obsolete in a year or maybe less,” Healy said.
Most large companies have IT departments with multiple functions, including personnel dedicated to network security and training employees on the security issues. Those are the types of security measures than can help prevent many would-be hacks.
“Hotels should look to work with established third-party cybersecurity vendors,” Buckner concluded. “By setting up the appropriate firewalls and VPNs, hotels can ensure they are protecting their customer data and mitigating the potential of a cyberattack. An established third-party vendor can monitor and protect hotels from cyberbreaches 24/7/365.”