One phishing attack could expose your entire hospitality network
What's missing from your hospitality training? Regular security awareness training, and it's putting your organization's reputation on the line.
The hospitality industry is built on highly distributed networks. There are headquarters (HQ), regional hubs, smaller subsidiaries, and a great many franchises operating in the U.S. and overseas.
If a user account in one small property is hacked, it can compromise all others within the chain — providing access to information that guests trust is being securely shared.
“The hotel industry is one of the most hacked in the world because of the type of data they get, such as driver’s licenses, passports, loyalty information, home addresses, phone numbers, credit card info, flight data, itineraries and more,” said Mathieu Gorge, CEO of VigiTrust, on a recent Cyber Work Podcast. “It is one big playground for hackers.”
How to keep your entire hospitality network secure
Those managing corporate security can’t just decide that all they need to protect are the HQ and the various regional hubs. They have to protect everyone at all access points along the informational network.
It serves no purpose to protect only a part of a network when it is susceptible to attacks.
Adding to the complexity of this issue is the dynamic nature of the hotel industry. A property might belong to Marriott one day and be sold to another hospitality chain the next day, and vice versa.
Each chain has different systems, policies and procedures that revolve around its property management systems. There are also distinct payment terminals and methods of taking personal identification information (PII) and credit card payments. When a property moves from one brand to the other, there is, by nature, an added risk created for a data breach to occur.
Cybersecurity in the hospitality industry is essential
Social engineering methods are often used to breach user accounts. Once credentials are compromised, hackers can move into other systems within the connected network.
Some techniques bad actors utilize to gain access to hospitality networks include phishing, spearphishing, business email compromise and others. But keep in mind that cybercriminals are constantly adjusting and developing new tactics.
Once employees learn not to open a scam email or not to click on a particular kind of malicious link, the approach to gaining malicious access changes.
Gorge said regular security awareness training is key to keeping employees sharp and reducing their likelihood of falling prey to the latest phishing techniques.
Should you pay the ransom?
He noted that the Payment Card Industry Data Security Standard (PCI-DSS) says organizations must be in compliance at all times and train employees on credit card data security upon hire and once a year. But he doesn’t think that goes nearly far enough.
“You need to do a lot more security awareness training than that,” said Gorge. “Most organizations find it to be cost-effective to do e-learning training videos, awareness campaigns and quizzes — yet many organizations still do little or no employee training.”
Handling personal identification information in hospitality
One of the biggest challenges for those in the hospitality security industry is people. The security system can be as tight and comprehensive as possible, yet all it takes is one person not paying attention to allow bad actors access to your company's data.
People in hospitality work all hours of the day and night. Employee fatigue is an important issue within the industry.
Imagine approaching a check-in desk where a hotel employee is facing a line of people, an irate guest and several impatiently waiting callers currently on hold. When a person is stretched thin, it is easy to forget known security protocols, allow unauthorized individuals access to a secure system or inadvertently violate security best practices.
If seasoned, well-trained employees have the potential to make such mistakes, what about seasonal staff?
By necessity, the hospitality industry is a notable employer of seasonal staff, after all. Some such individuals may start right after the annual security awareness training update or may be allowed to skip security training in the rush to put them to work to cover obvious staffing shortages.
Critical hospitality training topics, such as cybersecurity training, can easily be deferred in such cases.
“Once the staff is recruited, the priority is often to get them operational,” said Gorge. “Security and compliance, unfortunately, are not top of mind.”
Are hotels following secure data collection and privacy regulations?
Data collection and privacy regulations, regardless of industry, are widespread concerns. What does Gorge recommend the hospitality industry adopt to mitigate this worry? The EU’s General Data Protection Regulation (GDPR).
GDPR applies to any organization that touches an individual's information in the EU. Therefore, major hotel brands dealing with international travelers must take the time to become fully familiar with the finer points of GDPR.
Gorge encourages those hotels outside of the EU to use the GDPR framework to address data protection and privacy, as it is comprehensive.
GDPR forces organizations to do a privacy impact assessment, which looks at data flows and analyzes the risks related to PII. From that assessment, the hotel can review the technical solutions they have in place, the training they require and update policies and procedures as needed.
“With GDPR, you don’t have any consent to use my data unless you tell me what you’re going to do it for and why,” said Gorge. “And in terms of technical security, PCI is the best framework to use because it is super prescriptive.”
ChatGPT training built for everyone
Ongoing cybersecurity education is key
Gorge's recommended key takeaway: The importance of training — both cybersecurity and IT personnel, as well as every single person employed.
“Cybersecurity is a great industry because you keep learning, and there’s always a new type of attack, another company that’s been hacked and so on,” he said. “But it is vital to provide all employees with regular security awareness training. Once a year just isn’t enough.”
In this Series
- One phishing attack could expose your entire hospitality network
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
- Cybersecurity and Windows 11: What you need to know
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization