02 Dec Cyber-security in the hotel industry
The hotel sector has become one of the primary targets for cyber criminals, terrorists and nation state actors. Like many industries, hotels are particularly reliant on technology; using complex network systems to store vast amounts of classified customer data. This is just one of the factors which make hotels incredibly vulnerable to attackers, who focus on weaknesses in cyber security strategies and are essentially motivated by economic interest.
In November last year, Marriott International had their guest reservation system accessed by hackers resulting in approximately 500 million guests at risk of having their confidential information stolen. Not only was this a breach in customer care, but it could have also impacted the hotels’ reputation. It is therefore critical for an effective and sustainable cyber security strategy to be in place – giving hotels a better chance of understanding the way attackers operate and ultimately mitigate the risks.
What are the main risks associated?
As technology evolves, so does the sophistication of cyber-attacks. They can be categorised into four main types:
Ransomware is a type of malware which threatens to publish data where victims are essentially blackmailed into paying to have this data restored. Machines are usually infected with a virus that encrypts the data or disables the hard drive. Hotels can also be affected with infrastructure hijacking, meaning guests and staff can be locked in or out of different areas of the hotel.
This is an attack disguised in an email form from hackers attempting to gain personal information, another procedure commonly carried out through blackmailing. This is also used as a way to gain log in details, which can either be sold on or used to access sensitive data.
A relatively recent threat, DarkHotel hacking consists of attackers gaining access to a hotels Wi-Fi system. They do this by forging digital certificates to convince victims that software downloaded is safe. The criminals then upload malicious code to a hotel so they can target specific, high profile guests.
Point of Sale Attack
Point of Sales (POS) attacks are increasing with threat actors targeting hotel systems and third-party vendors. They target POS and payment terminals with the intention of obtaining credit and debit card information from customers.
How have the risks changed over the years?
As technology has become more pervasive across the industry, hotels have inevitably become more dependent on it to provide the best customer experience. The hospitality industry has therefore been forced to embrace cyber threats too. The challenge is keeping up to date with the skillsets required to manage those risks. Big investment is needed to increase the level of cyber maturity, so it falls in line with other industries that are equally dependent on a continually evolving technology footprint.
How can hotels improve their cyber-security?
Essentially, hotels can improve this issue by ensuring cyber security strategies are in place to protect themselves and their customers, demonstrate compliance and reduce the risk of reputational damage to their brand. As a minimum, we would recommend the following steps and measures are taken.
Penetration Testing and Red Teaming
This identifies potential weaknesses within an organisation’s cyber security and seeks to exploit them maliciously as a hacker might – protecting the hotel and its guests from security flaws and potential attacks, while helping to keep operational resilience at the forefront of the business
IT Security Review
This includes various reviews and assessments to determine the current state of the security of hotels security systems. A hotel chain will likely require a tailored methodology to account for its specific requirements and risk profile.
Find out more about how your organisation can provide clients and guests with knowledge of the enhanced duty of care for their cyber-security: https://www.gsaccreditation.com/about-accreditation/