What the WannaCry hack teaches hotels about data

This weekend, more than 300,000 computers across more than 150 countries were stricken with ransomware, dubbed "WannaCry" by its creators. With this year's HITEC conference just around the corner, the event brings to mind a simple but crucial bit of advice from a panel last year on combating hackers and data thieves: Don't pay the ransom.

It may be too little, too late at this point, but if you spoke with any technology security expert in the past two years he or she would have told you the hospitality industry, and the U.S. at large, was overdue for a large-scale ransomware attack. Ransomware, for those not in the know, is a virus uploaded onto a device that locks it down, demanding payment to the hackers in charge. If no payment is delivered, they threaten to delete all the data from the systems under their control.

So who is at fault for the WannaCry debacle? It's difficult to say, but currently Microsoft and the U.S. National Security Agency are playing the blame game. The WannaCry virus spread through business networks due to a vulnerability in Microsoft's Windows operating system, and Microsoft is claiming the NSA lost control of the software behind WannaCry in April. Meanwhile, the NSA and many Windows users claim it is up to Microsoft to ensure its systems are protected against attacks.

However, Microsoft did release an update protecting users against WannaCry in March, more than a month before the outbreak. So how was the attack so successful? Last year at HITEC, Caleb Hurd, hacker and senior developer for children's website Elf on the Shelf, said too many companies fail to update their computers' security on a consistent basis, and that any missed update is a potential vulnerability. What's more, many companies are still using outdated operating systems such as Windows XP or Vista, which receive irregular security updates at best (Microsoft had to whip up a new update for XP users this week in the face of WannaCry, for example).

Furthermore, avoiding ransomware is tricky. In fact, it's so tricky that one malware file was able to hit 57,000 computers at once, and can masquerade as familiar files users send for business-related reasons, such as .zip, .jpg or .doc. The best-case scenario for companies with infected machines is to have a recent data backup on hand, standing their ground and wiping their machines. Unfortunately, frequent data backups rarely occur and companies are often left high and dry.

Don't pay ransom; it emboldens hackers and doesn't guarantee your data will be returned to you.

So if your hotel is hit with ransomware and you risk losing all your information without a backup available to you, why not pay?

For one, ransomware is perpetrated by criminals, so there is no promise that control of your systems will be returned to you even if you pay.
"I very much doubt anyone would return your contact request, bearing in mind the attention that is now on this," professor Alan Woodward from the University of Surrey told the BBC in a statement. "If anyone pays this ransom they are more than likely going to send Bitcoin that will sit in an address for ever more. No point."

Second, every successful payment only serves to embolden future hackers. If 57,000 computers seems like a lot, it's only a drop in the ocean compared to the number of currently vulnerable systems out there. And for businesses looking to remove WannaCry manually, a process does exist via BleepingComputer, but getting rid of the malware won't restore access to encrypted files, meaning anything locked up by WannaCry before backing up is still out of reach.

This event outlines the biggest threat hotels face with regard to growing data: The need for consistent backups. With every new hack comes a new level of sophistication, and unfortunately a new hack can always be expected in the future. This is because, as WannaCry has proven once again, hackers are more eager to access our files than many of us are to keep them out.