The challenges of hospitality cybersecurity: An unsolved problem?
An industry with high integrity, but with a lot to lose.
Growing economies around the world and sophisticated technologies accessible to most have changed how the hospitality industry is run today. Like all people-oriented businesses, the hospitality industry lives and dies by its customers’ integrity.
With information traded on digital platforms, businesses have their task cut out securing the lines of communication across platforms, be it online, mobile apps, or POS machines deployed across the hotel building.
The R&D labs of many cybersecurity service companies are populated with highly talented engineers who create tough firewalls and sell them as services to hotels. Meanwhile, the dark underbelly of scheming bullies is using the same cutting-edge technologies to build stronger hacks and launch nefarious attacks on the industry. Many behemoths have tumbled to sophisticated hacks and have been made to pay.
Areas of vulnerability
Point-of-sale (POS) systems remain the most vulnerable to malware attacks launched to get hold of customer names and credit card details. POS remains the weakest security point for many, mainly because these systems are not updated or patched frequently. As a result, they can be exploited for the credit card data held on the POS terminals.
We live in a connected world, and it seems obvious for businesses to store customer data at various locations. In the hospitality industry, large chain hotels give their franchises access to global customer data, allowing hackers to get more widespread access to consumer data. As a result, a breach of even one system can affect all or many of the individual franchisees, as well as corporate systems.
Hotels are always vulnerable to POS system breaches; one massive POS breach affected Oracle and its 300,000-odd merchants.
Ways of attacks
A popular tactic used to gather consumer data is phishing. Here the targets are both the hotel's consumers, via POS systems, and the hotel's own employees, who are tricked into sharing login credentials.
Besides the usual attacks aimed at stealing consumer data, ransomware has become rampant in the hospitality industry as well. Here the tactic is to hack the network and encrypt the data, making it unusable and inaccessible to the hotel staff until a ransom is paid. These kinds of attacks are launched against small hotel chains.
Reputational damage and revenue loss from a breach headline not only impact individual edge locations but the corporate brand as well. Each silly breach affects the individual franchise locations and the overall brand reputation.
Current solutions and their challenges
With many services offered to meet industry standards, such as File Integrity Monitoring (FIM), Unified Threat Management (UTM), and Security Information and Event Management (SIEM), one has to be aware that attackers evolve their strategies and tactics quicker than our industry can second-guess them.
- FIM is a process that validates the integrity of an operating system, or any software used by a hotel or a chain of hotels.
- UTM is a live administrator which can monitor and manage security-related infrastructure through a single dashboard.
- SIEM checks for anomalies in the logs generated at POS systems and other such terminals used in a hotel.
Cost of security is a major concern
It is a mighty ask for many hotels to hire and manage an IT security team, especially a team capable of monitoring systems round the clock and of analyzing, reporting, and mitigating real threats on the go.
Many hotels end up investing in infrastructure such as SIEM and fail to leverage the methodologies, as retaining talented analysts is another bane altogether. This has led many industry analysts to define expensive technologies such as SIEM as “shelfware”.
What’s the ideal solution then?
For now, the best bet looks like outsourcing cybersecurity to reputed entities that are capable not only of securing your data for the sake of it, but are also up to date with cutting-edge methodologies to sense, expect, and mitigate threats and attacks from various and unusual conduits within a hotel’s infrastructure.
By: Anil Kumar Prasanna, CEO, AxisRooms