Why would cyber criminals attack hotels? It´s often thought that they only target financial institutions and large multinationals. However, times have changed. To understand what is happening, we have to recognise that SMEs are also increasingly being targeted today. According to a PwC study*, the financial costs of security incidents have increased by 100% for SMEs, while those for large organisations have fallen by 20%. With regard to the major hotel chains, the story is the same: it´s easier to attack an unprepared target than one that is used to dealing with attacks and well protected.
Handling very sensitive client data (credit cards, personal data, client preferences, etc.) is also in the nature of the hotel business. This is a gold mine for cyber criminals, who can reuse such data for other attacks, sell it to criminal groups or publish it on the `dark web´.
The best known method - spear phishing - consists of obtaining information from a specific person in order to manipulate him or her and extort money. One tried and tested fraud technique is `social engineering´: a hacker usurps the identity of a rich client by using personal information acquired previously - stolen from a hotel, for example - in order to get an employee of the client´s bank to send money.
Let us look at some actual examples. Early in 2015, White Lodging Services Corporation of Indiana, a hotel chain that includes Marriott properties, reported a cyber breach (a breach that enables criminals to access a network and the data it contains) that had lasted seven months! In 2016, it was the turn of the Hyatt chain to announce a massive theft of credit card data and client information involving over 250 establishments worldwide.
This sort of event is the hotel industry´s worst nightmare . . . but it is not alone. According to the 2016 PwC Global CEO Survey, which gathers the responses of 1,409 CEOs in 83 countries, 59% of CEOs rate cyber risks among the top three threats to the development of efficient and secure business.
They are right! The arrival of the `Internet of things´ is opening up almost limitless opportunities for hackers today. As the number of connected objects continues to grow - it will reach over 30 billion by 2020 - the network security challenges multiply. The investments needed to address these challenges doubled in 2015, and yet only 36% of survey respondents have a dedicated strategy to deal with the Internet of things.
In addition to having to protect a much wider perimeter, we also note that the number of cyber attacks reported increased by 38% globally in 2015. On the other hand, the information security budgets of organisations only grew by 24%*.
This leads to two observations: security-related investments are more often driven by regulatory requirements rather than the desire to protect company data; and hotel managers tend to believe that `outsourcing´ is the solution to such problems. It´s time for a change of mindset: hotels not only have to manage the financial and personal data of their clients, but also have to integrate cyber risks into their working methods.
To this end, hotel managers need to ask themselves a few questions:
- Have we defined, validated and reviewed an overall security policy based on a security standard (e.g. ISO 27000)?
- Do we have someone who is responsible for information security (i.e. CISO/CSO)? Do we have the resources required in terms of competence and ability?
- Do we perform an annual assessment of the internal and external risks affecting data confidentiality, integrity and security?
- What are our `crown jewels´? Do we have a precise inventory of these (e.g. client data, employees, intellectual property)?
- What are the major technological measures we have defined to prevent and detect security incidents, such as a data leak?
- What controls do we have in place to minimise human error, especially where key employees are concerned?
- Which of our external service providers stores our key data? Do we have a precise inventory?
- Do we perform internal and external penetration testing on our key applications and infrastructure in order to assess our weaknesses?
- Have we defined a cyber-incident management process and, if so, do we test it regularly?
- How do we collaborate with our peers?
The good news is that there are also new approaches that enable organisations to anticipate threats by making use of `threat intelligence´. This comprises threat information systems based on the analysis of vast volumes of data gathered from the Internet, cloud environments, hidden areas of the net, social networks and other sources. Thanks to such systems, organisations can identify what threats they face in advance and thus respond to them proactively rather than reactively.
To finish on a hopeful note, despite the alarming situation in which hotels find themselves, we are sure recent events have triggered greater global awareness for the nature of the threat thus leading to improvement in the coming months.
It´s now time to act! Because the question is no longer whether your organisation will be a victim of a cyber attack, but rather how to prepare for one and how to respond when it happens.