Not so Hospitable: Cybersecurity in the Hospitality Industry

Technology is everywhere. From laptops and smartphones to wearable devices and the internet of things, almost every aspect of our lives has become digitized in one way or another. In this digital era, people have the ability connect to your company, employees, customers, strategic partners and competitors through myriad devices, and society now relies on connected technology to safely operate our energy, utilities, transport, healthcare, government and financial systems.

In this world of omnipresent data, everyone and everything is seemingly online, which not only provides better connectivity but additional opportunities for hackers and bad actors to breach information technology systems. The more we rely on technology, the more we open ourselves to risks surrounding a cyberattack, and last year witnessed a number of high-profile players in the hospitality industry being breached.

From Hilton to Hyatt, and from Four Seasons Hotels and Resorts and Trump Hotels (via Sabre) to InterContinental Hotels Group, dozens of data breaches have been reported by hotels in the last year, affecting the entire hospitality industry — from major multinational corporations to individual properties. While hotel security previously focused on physical security to keep guests and their possessions safe during their stays, that same level of protection is not as often extended to digital assets. Bottom line: hotels need cybersecurity measures in place in order to protect their most sensitive data.

Although hotels don’t tend to process the volume of transactions that online and brick-and-mortar retailers do, transactions in the hospitality industry tend to be much larger, and hotels often store their guest’s personal details in a variety of locations, meaning hackers and bad actors have more widespread access to that information. Worse yet, hotel Wi-Fi connections don’t always have the most robust protections in place, which suggests any information stored on a laptop or smartphone accessing that network is vulnerable.

Consequently, credit card fraud and identity theft should remain high on the hotel and lodging industry’s list of things to watch out for. In many of the recent breaches, point-of-sale (POS) systems were attacked, launching malware to acquire cardholder names, credit card numbers and expiration dates. Unfortunately, personal information is only the tip of the iceberg for hotels and other companies in the hospitality industry.

Data breaches can also cause significant repetitional damage and be rather expensive. In fact, according to IBM’s 2018 Cost of a Data Breach Study, each breached record costs the industry $120, and as the number of hotel data breaches continues growing, the industry needs to enhance its focus on effective cybersecurity.

In addition to financial losses and reputational harm, hospitality organizations need to understand their vulnerabilities as well as how to identify cyber threats to their guests, their property and their important data.

Billing systems obviously need to be secure to protect guests’ personal and financial information, but with centrally connected reservation systems, the attack surface extends well beyond a single hotel’s system. Hoteliers would be wise to consider all of the endpoints and connections touching their property operations as myriad electronic devices can surrender to the control of bad actors aiming to disrupt normal operations. From electronic doors to HVAC systems, alarms, lights and more, the hospitality industry features myriad remote endpoints that can be exploited to cause disturbances or interruptions if security measures are not up to par.

Additionally, individual franchisees often are able to access regional, national and global data systems from the biggest and best-known hospitality brands in the world, which means breaches can impact all or many of the individual franchises as well as corporate systems, even if just one system is breached.

Today, malware and other sophisticated cybercriminal strategies also represent a formidable threat to the hospitality industry. As previously noted, POS systems are a weak security point for many networks because they are constantly in use. Making matters worse, these systems aren’t always patched, updated or protected from vulnerabilities as often as they need to be in order to remain protected from hackers and bad actors. As a result, if left unpatched, these systems can be exploited for the credit card data held on their terminals.

Compounding the issue, it can be difficult and expensive for hospitality organizations to hire and retain IT security teams that have the time and ability to monitor, analyze and remediate the security alerts and reports that come pouring in each day. Further complicating this task is the notion that security teams must be able to recognize the real threats and know the appropriate remediation steps required to mitigate the damage they intend to cause.

Recent major breaches demonstrate that antivirus, anti-malware and firewalls alone are not enough to secure businesses in the hospitality space from the constantly evolving and increasingly sophisticated threat landscape. The hospitality industry needs a myriad of various security technologies, tools and resources that can be used to prevent malicious attacks.

About Automox

Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.

Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, Mac, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.

Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.