Are Most Hospitality Businesses Behind in Getting Secure?
Undoubtedly, the year 2020 broke all records regarding data lost in breaches and the sheer number of cyberattacks on organizations, governments, and individuals. Statista published that in 2020, data exposures in the U.S. affected over 155.8 million individuals through the accidental revelation of sensitive information due to less-than-adequate information security.
Besides, according to a report released recently by security firm Risk Based Security (RSB), even though the number of breaches may have fallen in 2020, the number of exposed records hit a high not seen since 2005. However, not all organizations that suffer a data breach disclose it publicly. Additionally, the sophistication of threats increased because of emerging technologies like artificial intelligence, machine learning, and 5G. KPMG's insights on the risk of cybercrime and emerging technologies reveal that technologies like the Internet of Things (IoT), AI, and cloud computing that are now a part of our everyday lexicon can also provide avenues for the criminals' fraternity to commit larger, more rewarding, and potentially more sophisticated cybercrimes. Other than that, security teams are observing greater tactical cooperation among hacker groups and state actors. The 2020 Akamai state of the internet security states that it may not be a comfortable thought, but in many ways, criminal enterprises are businesses just like any other and follow some of the same patterns we see in legitimate businesses.
Like in any other sector, the highly connected hospitality industry continues to be vulnerable to cyberattacks. What are the cyber risks facing the industry? Are most hospitality businesses behind in getting secure?
The Hospitality Sector Becoming Increasingly Vulnerable to Cyberattacks
According to PwC Press Room, "the hospitality industry offers many opportunities for hackers and other cybercriminals. Hotels are considered big targets for cybercriminals because they hold a host of personal and financial information on their guests, as well as other sensitive data, such as payment card information."
PwC's Hotels Outlook report 2018 to 2022 reveals that hospitality is the industry with the second-highest number of cybersecurity breaches after the retail sector, with most of the industry's prominent hotels falling victim to cyber breaches. "Worldwide, hotels are in the spotlight due to recent high-profile security breaches," said Kris Budnik, PWC. "Companies' trust, confidence, and reputation are put at risk. In addition, the legal risks are significant."
A study by IntSights looked into the dark web hacker forums – a section of the internet that isn't visible to search engines and requires an anonymizing browser to access – and discovered that Hilton had 31 percent share of mentions, followed by Marriott and IHG with 28 percent and 19 percent respectively.
NIST also notes that attackers have compromised the networks of several major hotel chains in recent years, exposing the information of hundreds of millions of guests. Additionally, a recent industry report by Trustwave concurs with the NIST report. Trustwave divulged that the hospitality industry ranked among industries compromised by cybersecurity breaches, with the industry suffering 13 percent of the total incidents in 2019.
According to IntSights, the volume of financial transactions that hotels carry out, the use of loyalty programs, databases of sensitive personal data, and the national and international spread of hospitality businesses make them particularly vulnerable to cyber-attacks. Obviously, any business or individual is susceptible to cyber threats. However, putting it plainly, the bigger the organization in the hospitality sector, the more of a target it becomes for cybercriminals due to the volume of information held. Typically, large hotel chains have loyalty programs that store sensitive information like guests' names, addresses, phone numbers, credit card details, and other personal information for long periods.
Top Cyberthreats Affecting the Hospitality Industry
When it comes to the hospitality sector cybersecurity, many different attacks could happen. Therefore, hotels need to learn and understand them to prepare their defenses. Here, we discuss some of the widespread cyberattacks that the sector is susceptible to:
1. Phishing Attacks
If you have an email, it is quite likely that you have come face-to-face with phishing attacks, which remain one of the most common scams on the internet with a high success rate.
With hackers getting smarter and discovering new ways to fool even the most switched-on users, phishing attacks are on the rise. In phishing attacks, hackers send emails that appear to be from a genuine source to lure the target to share personal information such as bank details and passwords or to click a malicious link.
2. Dark Hotel Hacking
DarkHotel hacking is targeted spear-phishing spyware and malware-spreading campaign that appears to selectively attack hotel visitors through the hotel's in-house Wi-Fi network. Kaspersky Lab characterizes DarkHotel as an advanced persistent threat. Besides, the attacks are specifically targeted at senior company executives, using forged digital certificates generated by factoring the underlying weak public keys of real certificates to convince victims that prompted software downloads are valid.
Kaspersky reports that the name DarkHotel is derived from the threat actor's unique method of tracking traveler's plans and attacking them via hotel Wi-Fi. They have also been labeled as Tapaoux due to the name of the trojan they use in many attacks. Since the criminal's initial rising, they have scaled beyond business targets to attack politicians and more.
3. Malware
Malware is software that can access, destroy, corrupt, or steal information from your computers, all while you are unaware. More frequently, attackers use malware for spying purposes, infect networks and systems with viruses, delete files, or send sensitive information to a remote server. Notably, different types of malware can infect a hotel system and network. Examples include spyware, adware, viruses, and trojan horses.
How does a hacker distribute malware to hotel systems? They use phishing email attachments and links to send malicious programs. Other times, hotel employees can get malware while downloading software from untrusted sources.
4. Ransomware
Most security experts group ransomware under the malware attack category. However, we cover ransomware attacks in a separate section due to its unique attack tactic. The cyber threat infects computers by encrypting files, allowing cybercriminals to hold data and system hostage and demand a ransom for the target to restore access. A Tripwire post mentioned that hackers target a new business with ransomware every 40 seconds. In addition, half of the businesses hit with ransomware pay the ransom, but only 26 percent of those businesses actually have their files unlocked by the attackers.
Again, like in malware attacks, hackers leverage phishing emails to spread ransomware. In this case, unsuspecting employees and customers download an infected file to the hotel system. Besides phishing emails, cybercriminals can launch ransomware attacks by manipulating security gaps, such as weak access controls in the network.
5. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
The hospitality industry has been a favorite target of DoS and DDoS attacks in the recent past. The 2020 Akamai state of the internet security revealed that attackers have access to DDoS for hire and botnet rentals, making it easy for them to launch impactful attacks.
Today, DoS and DDoS attacks are something any hospitality business dreads because if their online portal collapses under an onslaught of millions of packets and malicious traffic, it could cost them a lot.
6. Credential Stuffing
A 2020 Akamai state of the internet security in retail and hospitality revealed that the sectors attracted a startling 63 percent of credential stuffing attacks. Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attacks, and more than 63 billion of these incidents targeted retail, travel, and hospitality.
The report also divulges that during the COVID-19 lockdowns in Q1 2020, criminals circulated dozens of password combination lists and targeted each of the commerce industries – Akamai uses the term "commerce" in the report when categorizing customers that fall into retail, travel, and hospitality industries. In addition, the process enabled hackers to identify new vulnerable accounts, leading to an uptick in sales related to loyalty programs in the three sectors.
7. SQL Injection (SQLi) and Local File Inclusion (LFI)
Cybercriminals also targeted the hospitality sector using SQLi and LFI attacks. The internet security report revealed that between 2018 and 2020, security experts observed more than 4 billion web attacks against retail, travel, and hospitality, accounting for 41 percent of the overall attack volume. The report further states that these industries are top targets for criminals because they offer several commodities, from personal information to entire accounts flush with reward and loyalty points that bad actors can cash out or trade.
A Glimpse of Cybersecurity Regulations in the Hospitality Sector
What are some of the regulations affecting the sector? First among them is the General Data Protection Regulation (GDPR), which fundamentally changes customer's perceptions of how businesses should handle personal information. Indeed, the GDPR has a global effect as hotels offering goods and services to EU residents fall within the regulation's broad territorial scope.
The EU GDPR is not the only data protection regulation, and it will not be the last. The U.S. and Canada are also enacting and reviewing regulations. Additionally, many states in the U.S. are following suit by enacting their data protection laws. A good example is the California Consumer Privacy Act that closely aligns with the GDPR. The CCPA gives consumers the right to know what data a business holds on an individual, the right to disallow the sale of the data, and the right to have it deleted. In addition, under the regulation, a hotel customer can sue the facility if it has a data breach and investigators prove that the company was negligent in protecting the data. Other states like Alabama, Arizona, Louisiana, Oregon, South Carolina, South Dakota, and Virginia have smaller but notable laws across the U.S.
On the other hand, NIST offers a cybersecurity guide tailored to the hospitality industry. The three-part guide can help hotel owners and property managers improve their cybersecurity by reducing risks to a highly vulnerable and attractive target for hackers. The three-part guide, formally titled Securing Property Management Systems (NIST Special Publication [SP] 1800-27 a, b, and c), shows an approach to securing hotel property management system (PMS), which stores guests' personal information and credit card data. Additionally, the guide offers the best practices using commercially available products, allowing hotel owners to control and limit access to their PMS and protect guest privacy and payment card information.
Mitigating Cyber Risks and Meeting Compliance in the Hospitality Sector
Already hard hit by the COVID-19 pandemic, hospitality businesses must not deal with the increasing threat of frequent and sophisticated cyberattacks. Moreover, other than the risks listed above, the sector faces stringent regulations that potentially lead to large non-compliance fines.
Hospitality businesses can implement the following measures to keep their customer and business data safe from malicious actors:
1. C-Suite Support to Drive a Strong Security and Compliance Culture
Cyber and litigation risks should warrant the attention of the C-suite. In this case, executives must understand where to look for the biggest exposures and improve their controls and approach to enhance cyber and data security.
2. Employee Awareness
Training hotel employees to catch phishing emails, including teaching them to scrutinize email addresses, look for poor spelling, typos, and grammar to protect against phishing attacks.
3. A Holistic View of the Value Chain
Besides the C-suite support and employee awareness, hotels need to take a holistic view of the value chain from how guests place bookings, check-in, and check-out interactions with facilities, recommend, review, and everything that happens while customers engage a hotel. The process allows an organization to identify key security and privacy exposures to devise ways to address them.
An essential part of securing the value chain is to develop an appropriate vision for the desired security end state. Markedly, the vision considers an entity's special characteristics and the views of all stakeholders. In effect, such information provides necessary insights for developing a strategy that will put in place effective security measures.
Moreover, hotels should keep up with trends of hackers and strive to protect their crown jewels by adopting popular security tactics.
4. Use VPN
Hotels should encourage customers, agents, and remote employees to use a virtual private network (VPN) when conducting transactions involving personal and sensitive information to prevent attacks such as the DarkHotel hacking.
5. Strong Access Controls - Robust Passwords, MFA, and Zero Trust
An effective way to prevent credential stuffing attacks is to use a password manager and strong user credentials. Additionally, hotel employees and customers can enhance security posture by generating long, random passwords unique to each online account. This measure, combined with other access management controls like multifactor authentication, renders passive credential stuffing attacks useless.
The NIST practice guide promotes the tenets and components of the zero-trust architecture – a cybersecurity paradigm focused on resource protection. The guide's premise is that trust is never granted implicitly but must be continually evaluated. In zero-trust, access is not granted to devices or users' accounts based solely on their physical or network location or who owns them. Instead, authentication and authorization of both subject and device are required before users can access a network's resources.
Partnering with Pulsar Security
As the hospitality industry embraces digital technologies and security awareness grows, the sector is approaching a tipping point when hotels realize they have no choice. They have to do much more to tackle the cybersecurity and privacy risks they face and live up to the expectations that customers, shareholders, and regulators place in them. Additionally, with the present-day customer being more security savvy, a lack of sufficient cybersecurity measures may impact their choice of a hotel. In that case, organizations should implement measures and partner with leading security vendors like Pulsar Security to protect themselves against frequent and sophisticated data breaches.
Pulsar Security experts have developed, improved, and redeveloped state-of-the-art defense controls, such as the Sonar service, to deal with complex and frequent attacks. We provide automated approaches for businesses of all sizes and industry types to fortify your cybersecurity infrastructure. We collaborate with your internal teams to sync up and ensure that your business stays ahead of the curve. What's more, Pulsar Security comprises the best and brightest in the industry. Every professional of Pulsar Security's technical team holds advanced cybersecurity certifications. In that case, the team can leverage that experience and proprietary tools to protect businesses against malicious attacks.
Ultimately, security is not a one-off purchase or control. Instead, it is a constantly evolving process necessary to keep your business going or ensure that you get back to normal operations as quickly as possible in case of an incident. Thus, working with Pulsar Security allows organizations to turn security and compliance into a consistent, proactive, and reliable service.
