6 Ways Hotels Can Protect Themselves from Cyberattacks
May 17th, 2019
The hospitality industry – including hotels, resorts, casinos, and other travel and leisure businesses – is increasingly under siege by cybercriminals looking to penetrate their corporate networks and steal valuable customer data. Threat actors prey on these organizations’ widely dispersed systems, high-turnover staff, and reliance on unsecured third-party vendors.
Despite this industry’s unique and complex challenges, there are many ways hotels, resorts, and casinos can mitigate their vulnerabilities and protect themselves from the growing – and evolving – threat of cyberattacks levied against them. Here some of the more important ways these organizations can equip themselves:
1. Educate and Empower All Staff Members
A hotel can use any number of advanced, state-of-the-art cybersecurity solutions available, but it doesn’t matter if an employee compromises the network. At least 95 percent of reported data breaches are the result of a person within or associated with the organization committing an intentional or unintentional act that opened the door for cybercriminals.
Training staff on cybersecurity best practices is an integral part of protecting hospitality businesses. Employees must be up-to-date on best practices, and should be alerted to cyberattack attempts when they occur. It is the entire staff’s responsibility to keep the hotel safe, both physically and digitally.
2. Bolster Network Infrastructure
Hotels must patch and update their systems as frequently as possible to mitigate their vulnerabilities. When a network is left unpatched, hackers can exploit these weaknesses to attack the system. In particular, hotels should direct their utmost attention for patching and updates to POS systems. Here are a few steps hotels should take to ensure their POS systems are secure:
- Use complex passwords on POS systems.
- Use two-factor authentication.
- Ensure antivirus or endpoint protection is up-to-date.
- Separate the POS network from other networks and investigate anomalies.
- Filter which external IP addresses can reach the remote-access mechanism of the POS controller.
- Use PCI-Validated Point-to-Point Encryption (P2PE) to encrypt credit card data immediately upon payment.
- Segment Wi-Fi networks by making guest Wi-Fi and business networks separate.
- Deploy Wireless Intrusion Prevention Systems (WIPS) to detect and prevent hacking attempts against the Wi-Fi network.
3. Assess Vendors' Security Capabilities
Many cyberattacks are carried out through third-party vendors. Third-party vendors are part of any organization’s attack surface, and pose a huge risk to overall security. Hotel security teams should ensure all vendors meet a compliance standard, and take it upon themselves to regularly assess the risk of their vendors and partners.
4. Perform Internal Threat Hunting
Hotels have massive digital footprints as a result of all the different systems they use. Hackers often try to gain entry into a network and then move around within the system to find data that they find valuable. Thus, security teams need to monitor their own internal network traffic to identify suspicious activity and discover potentially unauthorized access.
5. Monitor for Cyber Threats Outside the Wire
Monitoring for threats internally is a crucial piece of the puzzle, but security teams also need to be proactive in searching externally to identify potential threats against their organizations. For example, monitoring paste sites and dark web forums for any employee credentials that are leaked online can enable teams to lock down those accounts before a threat actor tries to leverage them in a targeted attack. External threat monitoring can identify and mitigate attacks before they occur.
6. Develop and Incident Response Plan
Hotel security teams cannot afford to sit around and wait for attacks to happen. They need to assume it’s a matter of when, not if, they’ll be targeted. Every hotel should have an incident response plan in place in the event that a data breach does occur to help streamline the communication and mitigation process. According to the IBM’s 2018 Cost of a: Data Breach Study, it takes hotels an average of 195 days to identify a data breach. The study also found that breaches that took longer than 100 days to identify cost organizations 35.3 percent more than breaches that took under 100 days to identify. Time is of the essence when it comes to identifying attacks and stopping the carnage.
There is no indication that cybercriminals have any plans to slow the frequency – or scope – of their attacks, particularly against vulnerable industries like hospitality. It’s vital for security teams to recognize their vulnerabilities and take action to ensure they are in the best position to mitigate the risks they face and dismantle attacks before they occur.
Get an exclusive look at the state of the hospitality industry’s cyber threat landscape by downloading a free copy of our Gaming, Leisure & Hospitality Cyber Threat Report (March 2019).
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.