Hospitality Cybersecurity in Digital Transformation
Updated: Feb 28, 2019
Digital transformation’s impact on the hospitality industry has been deep and profound. Online travel agencies (OTAs) were some of the first businesses native to the web. With the advent of OTAs, hotel chains faced market pressure to bring their room reservation systems online as well. Thus the hospitality industry was by necessity an early adopter of online credit card payment processing technology, and has long faced the challenges inherent in storing and transmitting large volumes of customer financial data.
Established hospitality brands today must also compete with successful upstarts like Airbnb, Uber and HotelTonight—companies that were born digital and are exceptionally skilled at orchestrating online customer experiences. Such competition has shaped customers’ expectations of the hotel and travel industries, and the bar is high: travelers expect that their digital experiences will be convenient, seamlessly integrated with their in-person experiences, and, of course, secure.
Given this history, you might expect the hospitality industry to be better prepared to face cybersecurity challenges than many other industries, but far too often, this isn’t the case. According to the 2018 Trustwave Global Security Report, the hospitality industry accounted for the third-largest share of data compromise incidents overall, and the second-largest share of POS compromises in particular. 78% of successful attacks involved credit card data theft.
Recent high-profile breaches have drawn mainstream media attention to the problem. In 2017, for instance, InterContinental Hotels acknowledged that payment card data had been stolen from more than 1,000 of its franchises between September 29, 2016 and December 29, 2016. Trump Hotels saw three major credit-card data breaches in three years between 2014 and 2017, and both Starwood and Hilton experienced significant credit-card data compromise incidents during the same period of time.
The good news is that awareness of cybersecurity’s importance is on the rise within the hospitality industry as well as among the general public. Hotels have built their brands upon a foundation of trust: guests prefer accommodations where they feel safe, and where they can have confidence in the physical security of their possessions. And as industry decision-makers are seeing, a single high-profile breach can do immense—and sometimes irreparable—damage to a hotel brand’s reputation.
But the hospitality industry faces a number of unique challenges that make it especially vulnerable to cyberattacks. Because excelling at creating pleasant and memorable guest experiences is so important to their business model, hotels must keep pace with the evolution of their guests’ technology wants and needs. When guests desire connectivity, hotels offer free Wi-Fi in rooms. When guests want convenience, hotels must maintain immense databases of user information to guarantee ease of payment and continuity of service. When guests wish for personalization, those databases must expand to include increasing amounts of detail.
In fact, almost every step a hotel takes to improve guest experience today is likely to bring an additional cybersecurity risk.
Offering Your Guests Wi-Fi Connectivity
Among all the amenities offered by hotels, the one their guests value by far the most, according to a recent survey by Forrester Research, is excellent Wi-Fi service. In fact, 34% of respondents said they wouldn’t stay in a hotel without it. It’s clear that today’s hospitality industry must meet this demand: guests use this access not only to connect to the digital resources that meet their everyday needs, but also to purchase additional hotel amenities, including food and other room service items, spa or luxury packages, and other add-ons.
But hotel Wi-Fi networks are notoriously insecure, even if protected by passwords that are given out only to hotel guests. Some of these guests may themselves be attackers, as may have been the case with the notorious DarkHotel hack, in which criminals individually targeted specific high-profile hotel guests using sophisticated keystroke-loggers to steal data and system credentials.
Attacks taking advantage of the inherently limited security of public Wi-Fi networks are nearly impossible to entirely prevent. Many of these attacks are enabled by human error, but hotels cannot demand that their guests become better educated about identifying and avoiding threats before logging on to their Wi-Fi networks. Nor can they require guests to access their email accounts or password-protected resources via VPNs. To offer Wi-Fi connectivity as an amenity to your guests is to take on some degree of risk.
Collecting Data to Personalize Guest Experiences
As online booking has empowered consumers to effortlessly compare hotel room rates, hoteliers are increasingly seeking to differentiate their properties on the basis of something other than price. Today’s traveler—especially in the luxury market—expects a highly personalized experience and exceptional customer service. To achieve this end, hotels can leverage data: they can collect and track their customers’ preferences. Everything from the room temperature a guest finds most comfortable, to the name of his favorite newspaper, to the fact that he prefers to check out using an app on his mobile phone can be logged and used to improve his next experience in that hotel.
But the more data the hospitality industry collects, the more carefully it must protect that data. Hotels have long accepted credit cards, and are charged with meeting payment card industry (PCI-DSS) security standards. But their systems tend to be complex because they must maintain POS terminals in multiple locations (front desk, restaurant, poolside bar, etc.), so their data tends to be dispersed, and thus more readily accessible. Hotels almost always purchase their POS systems from third-party providers, so they are always vulnerable to system provider-level breaches as well. Because hotels are known to process high volumes of transactions, they are attractive targets for highly sophisticated attacks, and mere PCI compliance is not enough to protect against all threats.
As IoT or “smart” devices come into more widespread use, hotels will be able to automate the personalization of guest experience. But every connected device has the potential to be an attack vector. Electronic room access key systems have already been hacked successfully, locking guests out of their rooms until a ransom was paid in the case of one Austrian hotel. As the number of connected devices increases, this type of attack will only become more prevalent.
The Key to Keeping Hotels Secure
IT infrastructures in the hospitality industry tend to be complex. And they continue to be highly attractive targets. Because of these factors, no single security tool can be relied upon to keep them safe. It’s also unrealistic to assume that an infection will never occur. Hotel security instead demands a layered approach that incorporates multiple tools into an integrated platform, and that offers rapid detection and near real-time response to threats before they become breaches.
Incorporating a Security Information and Event Management (SIEM) system into their arsenal of tools is particularly important for networks that must securely process large numbers of transactions and keep large databases of sensitive information safe. SIEM examines the behavior of all devices in the network, and creates alerts when there are anomalies. The difficulty with such tools lies in the large number of alerts they are apt to generate, including false positives. That’s why the latest generation of SIEM tools incorporates artificial intelligence to improve the ability to categorize threats. Ideally a SIEM solution also needs human monitoring 24x7x365, so that alerts are never missed, and mitigation is prompt.
Decision-makers in small and mid-sized hotel organizations have worried that such systems are out-of-budget, but a managed detection & response provider can offer enterprise-level solutions at a price point that’s affordable even for smaller businesses. Please come back next week for “Why You Need MDR to Combat Current and Emerging Threats” to learn more about how MDR can help your hospitality business stay one step ahead of attackers in today’s complex cybersecurity landscape. When you partner with a managed detection & response provider, you’ll be able to incorporate today’s most attractive digital amenities to enhance your guests’ experience without increasing your risk.