By Andrew Vermes, Specialist Consultant at Kepner-Tregoe (www.kepner-tregoe.com)
Unfortunately, the very nature of cyber-attacks means they come without warning, you don’t know where or when and if the worst happens and you face a serious security breach you can expect irretrievable reputational damage not to mention a lot of unhappy customers. It happened not too long ago with Marriott Hotels and the repercussions of this incident may continue for many years to come.
The hospitality industry in particular, suffers some additional vulnerability compared to other industries: in the case of a hotel, it not only has its own firewalls to worry about but also those of every other data holder and data user in the information chain. From airlines, to online booking agents and sister companies using different platforms, personal data is continually flowing all over the world. Worse still, hackers are likely to be making use of personal data that was acquired many years ago, once they have the information it is impossible to retrieve. With that in mind, prevention is key but dealing with an attack in the best possible way at the point it happens, is paramount.
Evidence of security compliance is a must
Hotels exchanging information with other parties must always ensure that their partners’ security policies are in line with their own. If the partners are using cloud services, are they with a major vendor that has the capacity to fund large security teams, use full-stack encryption and guarantee physical security? These are important questions to consider. Whoever you choose to partner with, you must insist on evidence of compliance with industry security standards and never just accept an assurance.
Large, high level cyber-attacks for big hotel groups like Marriott often has the same devastating impact as a thief physically breaking into to a guests room and because their personal details (essentially their own belongings) can be used for years after, the number of disputes from affected customers can continue for years and cost billions.
For hotels, another real threat can come from staff on site. Hotel chains rely on a transient workforce, some of whom might be vulnerable to criminals trying to access customer data. Ensuring that booking systems have the appropriate protections is vital, for example, regularly changing passwords and ensuring use of multifactor authentication makes it far more difficult for criminals to get in to your systems.
Preparing for a security hack
Preparing for the possibility of a hack at your hotel is vital and any hotel that possesses information that communicates externally via the Internet is always at risk therefore, most large businesses have many layers of security detection and elimination.
There are many reporting tools out there that will highlight any unusual activity of attempts to retrieve data. Multiple defence tools are also used to isolate malware and remove it quickly and those tools are usually kept updated by a big team of expert developers and security vendors who are keeping watch on what the hackers are up to.
If and when a cyber attack hits, there are a number of common mistakes that hotels, like other businesses make. As with other tech-related incidents, people are often too quick to jump to a conclusion i.e. we found the malware, we squashed it, all sorted. However, if you fail to analyse the exact behaviour of the malware and demonstrate how that could have caused the specific alert, you could also be overlooking a second or third software agent that’s hiding behind the first obvious attack.
It’s very easy to go off track during a crisis, sometimes the issue starts way before the attack, for example GDPR has given European companies a jolt and made them think about how much personal data they really need to retain. Hotels may need to check the passports of foreign guests, but do they really need to keep those details on file?
Ask the right questions
If a cyber attack strikes at your hotel, when addressing the problem, the most important thing is to pay attention to the precise behaviour of the system or database at the moment the breach is noticed. So the questions are: How exactly was the breach noticed? In what way was the system behaving unusually at that time?
Responding quickly while under pressure is no easy task, but most large hotels dealing with money already have monitoring tools in place, but for efficiency, these tools may not be turned up full i.e. if we’re looking at the average transaction speed and sampling every five minutes, we can easily miss things. It’s usually quick and simple to turn these up to a much higher sampling rate to detect unusual activity, though there will be some cost in slowing systems down and perhaps in getting larger storage for the data harvested.
Every cyber attack is different but the best advice for any major product or service failure is to be transparent, focus first and foremost on protecting your guests and be open about that. Any attempt to control the news leaking out will go badly. If you’re in any doubt about the security of a service, the most obvious course of action is to shut it down to avoid any more people being affected.