The hospitality sector is one in which technology is frequently embraced to improve the guest experience and the facility's operations. As many enterprises try to do more with less, leveraging technological advances is a smart way to accomplish that, and recent research has shown that approximately 50% of the hotel industry has active Internet of Things (IoT) projects in the works. That can include smart HVAC systems, biometrics, occupancy sensors, and more. As the availability of technology expands rapidly, so does the number of cybersecurity threats facing the sector.
It may seem like a no-brainer to increase cybersecurity in the hotel industry when you are making changes like this, but a lot of executives fail to appreciate the levels of risk that they are facing. Believe it or not, the hotel industry ranks third in cyber-attack frequency, behind only the retail and financial sectors. There are several reasons for this, but some of the major ones are the sheer quantity of customers' data and sensitive information that is retained and the challenges of maintaining said data securely both in transit and at rest.
We'll discuss some common cyber-attack methods shortly and give you some best practices to combat them, but first, let's show you some specific hotel cybersecurity threats and their dangers.
Unique Hospitality Concerns
One of these is specific to hotels, while the other is a potential threat in any venue, with many people looking to connect to public WiFi networks. We're talking about DarkHotel hacking and evil twin WiFi networks, respectively. These cyber-attacks are some things that any personnel dealing with cyber security in the hospitality industry should be aware of.
DarkHotel Hacking
DarkHotel hacking is a relatively new cyber attack that is heavy on prior intelligence and planning to specifically target individuals considered to be of high value. Attackers in these instances are looking for C-suite level executives and other VIP guests, and how they target them is rather ingenious. They obtain their travel itinerary through open-source intelligence gathering or social engineering tactics and then hack into their planned hotel's network before their arrival. After the target connects to the network, they receive a pop-up ad or other invitation to download a seemingly innocent program or update, thereby giving the attackers full access to their device and sensitive information.
Mitigation Steps
The best steps that can be taken to protect your VIP guests from DarkHotel hacking is to recommend that they always use a virtual private network (VPN) on publicly accessible WiFi and to remind them of the dangers of pop-up ads on any network. Encourage them to only download programs or updates they've obtained directly from the source.
Evil Twin WiFi Networks
While evil twin WiFi attacks aren't unique to the industry, they're still one of the major hotel cybersecurity threats. The security risks from this type of attack are extreme. A cybercriminal will obtain wireless access point information like the channel number, MAC address, and SSID name, and they will stand up an evil twin access point that masquerades as the legitimate guest WiFi network. This allows the attacker to use a man-in-the-middle attack and freely view any unencrypted traffic transmitted over the evil twin network.
A secondary threat is that they may also gain access to the hotel's guest information database if the data isn't securely stored. The amount of data stored on most hotel servers includes credit card information, personal data, and other sensitive information that can lead to serious monetary damages for your guests. This can open up a major source of liability and reputational damage for your organization.
Mitigation Steps
Again, a chief recommendation is using a VPN for anyone using a public or unsecured WiFi network; the encrypted channel the data passes through provides an added layer of protection against a man-in-the-middle-style attack. Also, you can deploy systems designed to scan for rogue access points, like a wireless intrusion prevention system.
Other Cybersecurity Threats
While DarkHotel hacking and evil twin attacks are attention grabbers, there are many potentially serious cyber threats out there. Data breaches in the hospitality industry have been steadily climbing, showing a 137% increase as of the second quarter of 2021. One of the leading causes is reliance on payment by card.
If that isn't scary enough, 64% of all data breaches in the hospitality industry begin from internal networks. Whether we're talking about a malicious insider threat, compromised access credentials, or a malware infection, nearly 2/3 of all breaches beginning internally is staggering. So, what are some of the other security risks and hotel cybersecurity threats?
Point of Sale (POS) and Payment Card
Many industries have seen a decrease in POS attacks, but that has not held for the hotel industry. Third-party vendors are a common target for compromising a POS, and several methods can be used. The best way to combat this threat is to ensure that your systems and vendors are compliant with PCI-DSS.
Ransomware
Ransomware attacks are on the rise everywhere, and with an industry that is increasingly reliant on computer systems to conduct its day-to-day operations and revenue management systems, network downtime could prove fatal. These attacks encrypt your entire system and all connected devices, pending payment of a ransom to the attackers. It can also include the theft of your sensitive information and its eventual resale as a secondary revenue stream for the bad actors. Many small hotel chains think they can fly under the radar, but most businesses targeted for ransomware attacks are small-to-medium-sized businesses. Our recommended best practice is quality antivirus and anti-malware programs coupled with a solid continuing education and onboarding program for your staff.
Distributed Denial of Service (DDoS) Attacks
We just said how challenging system downtime can be for the hotel industry, and DDoS attacks exploit that fact for ransom purposes, retaliation, or even in furtherance of other attacks as a distraction tool. This cyber attack uses a botnet of compromised machines to send repeated queries against a network's outward-facing servers, thereby overwhelming it and shutting it down. A new iteration of this attack leverages the botnet to spam group chats with message after message of malicious content in the hopes that the sheer volume of messages will be enough to entice someone to click a link.
Phishing Attacks and Social Engineering Scams
We haven't mentioned it before, but unfortunately, high turnover in the hotel industry is an added challenge to a successful cybersecurity program. The plethora of phishing attacks and other social engineering attacks like vishing and smishing (VoIP and SMS-based phishing attacks) seek to capitalize on that weakness. Poorly trained employees can allow attackers to access hotel databases with customers' data, credit card information, identity information like passport details, and much more. Once inside, the opportunities for these insidious criminals are endless.
In addition to antivirus software and network traffic monitoring solutions, continuous training is critical to thwarting phishing attacks and other related attacks. Training that includes scenario-based blocks is more beneficial than reminder emails or traditional classroom-based training.
Control Access
We've covered hotel cybersecurity threats in great detail, but if there is one area in which you can get the most bang for your buck, then it's definitely access control. We recommend establishing a role-based access control system where you have delineated groups with pre-set limitations on their access to systems based on the principles of least access. Essentially, ensuring that your staff only has access to information and systems that are absolutely necessary for performing their duties. Having these set roles streamlines the onboarding process and makes your IT security staff's job easier as they only have to assign the new employee to an existing role.
Hotel cybersecurity risks are serious, but they aren't all you need to be concerned with to run a successful hospitality business. At Bridgetown Revenue Management Solutions, our goal is to develop an intimate understanding of your hotel and market and then leverage that into an optimized revenue management plan. As a provider of premier hotel revenue management solutions, we pride ourselves on our customized programs designed to stay ahead of the trends and surpass your needs and expectations.