Last year saw a rise in cybercrime across the board, and this year so far appears to display the same trend. With handsome prices being paid for credit card data on black markets worldwide, criminals have doubled their efforts to steal it. While banking institutions are on top of things and seem to be well armed to fend off both intruders and malicious insiders, the service industry, with its poor state of security, looks like an easy target.
The hospitality industry in particular received a huge blow last year, with all the major franchises compromised in one way or another. In an industry where reputation is key, this should serve as a wake-up call for hoteliers to review their vulnerabilities and strengthen their defenses. Sadly, despite all the fallout from these large data breaches, many hotels still have cyber security problems well into 2016.
Common cyber security mistakes in the hospitality industry
There are many misconceptions among hoteliers about cyber compliance and the security of POS systems. Many of them think that simply following compliance regulations is enough to protect their guests’ data, while others believe that POS systems and various physical infrastructure come secure out of the box (they do not).
All of this leads to the same common security mistakes that are seen across the industry. Being aware of these mistakes and making an effort to avoid them is the first step in establishing reliable cyber security for your hotel:
Insufficient investment in cyber security. The current cyber security market suffers from a lack of talent with the proper experience and education. At the same time, most hotels, especially smaller ones, invest very little in the security of their digital data, making it almost impossible to hire much-needed experienced professionals.
Many hoteliers, believing their POS systems to be secure because they comply with all the necessary regulations, think that investment in additional personnel and cyber security solutions for hotels is no longer needed. In practice, this could not be further from the truth. Compliance is only one step on the path to reliably protecting your data; sufficient investment in talent and proper security software is required to establish solid defenses.
Lack of a proper incident response plan. When it comes to incident response plans, hotels tend to fall into one of two extremes: either they have no plan at all, or the plan is so large and complex that it is useless in practice. For effective incident response, it is very important to have a plan that is simple and easy to follow.
You should select responsible people and assign them specific roles, and then work through a variety of practical scenarios that your hotel may face. This will allow you to minimize, and maybe even prevent, some of the damage in case of a data breach or leak. It is also important to revise the plan whenever needed: any change to your cyber security, network infrastructure or the way you work with and store data should be reflected in your incident response plan.
Widespread use of legacy software. This is a widespread issue throughout the service industry. Hotels are in no hurry to update, either because of the high associated cost or because they are used to the old system that simply “works”. However, using legacy software and failing to apply security patches and updates as soon as possible leaves your systems exposed to known, actively exploited vulnerabilities that criminals will be sure to make good use of.
Unnecessarily gathering and storing data. Hotels collect and store credit card data for payment processing purposes, but they do not always delete it after the guest has left. Many hotels tend to store large quantities of unnecessary or even redundant credit card data that, if leaked, can result in a heavily damaged reputation and high remediation costs for the hotel.
Hotels also tend to store other information about their clients. Large quantities of stored client data make such hotels a perfect target for criminals. Therefore, the best course of action is to not store any data unnecessarily, and to dispose of any stored data properly and on time, making sure that it cannot be recovered.
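The retention rule above, turned into a small working example. This is added here and is not code from the original post or from Ekran System: it keeps the full card number only until the post-checkout window has passed, then strips it and leaves only the last four digits for receipts. The record fields, the seven-day window and the sample guest data are assumptions made for the example; the card numbers are standard test numbers, not real cards.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy: full card data is needed only until the final charge has
# settled; after that only the last four digits are kept for receipts.
RETENTION_DAYS_AFTER_CHECKOUT = 7  # assumed value, not a figure from the post


@dataclass
class GuestRecord:
    guest_id: str
    checkout: date
    card_last4: str             # retained for receipts and dispute lookups
    pan: Optional[str] = None   # full card number, held only during the retention window
    expiry: Optional[str] = None


def mask_pan(pan: str) -> str:
    """Return the card number with every digit but the last four replaced by '*'."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("card number length out of range")
    return "*" * (len(digits) - 4) + digits[-4:]


def store_payment(guest_id: str, checkout: date, pan: str, expiry: str) -> GuestRecord:
    """Create a record that carries full card data only for the retention window."""
    return GuestRecord(guest_id, checkout, mask_pan(pan)[-4:], pan, expiry)


def purge_expired_card_data(records: List[GuestRecord], today: date) -> int:
    """Remove full card data from records whose retention window has passed.

    Returns the number of records purged. Note that clearing the field is only
    the application-level step: backups, logs and the storage layer must also
    be covered by the same retention policy for the data to be unrecoverable.
    """
    cutoff = today - timedelta(days=RETENTION_DAYS_AFTER_CHECKOUT)
    purged = 0
    for rec in records:
        if rec.pan is not None and rec.checkout <= cutoff:
            rec.pan = None
            rec.expiry = None
            purged += 1
    return purged


def records_holding_full_pan(records: List[GuestRecord]) -> List[str]:
    """IDs of guests whose full card number is still stored."""
    return [r.guest_id for r in records if r.pan is not None]


def build_sample_records() -> List[GuestRecord]:
    # Constructed sample data; these are industry-standard test card numbers.
    return [
        store_payment("G-1001", date(2016, 3, 1), "4111 1111 1111 1111", "12/18"),
        store_payment("G-1002", date(2016, 3, 20), "5555 5555 5555 4444", "06/19"),
        store_payment("G-1003", date(2016, 3, 24), "3782 822463 10005", "01/20"),
    ]


def run_demo(today_iso: str = "2016-03-28") -> Tuple[int, List[str]]:
    """Run the retention sweep on the sample data as of the given date."""
    records = build_sample_records()
    purged = purge_expired_card_data(records, date.fromisoformat(today_iso))
    return purged, records_holding_full_pan(records)


if __name__ == "__main__":
    print(run_demo())  # on 2016-03-28 two records are purged, G-1003 is still inside its window
```

The sweep is meant to run on a schedule (daily is typical); what matters for the point made above is that the full card number has a defined lifetime and a process that enforces it, rather than staying in the database until someone notices.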
The danger of insider threats
Another cyber security mistake that is rarely talked about in the hospitality industry is the lack of protection from insider threats. Employee theft is nothing new to hotels; they have struggled with it for as long as they have existed. Nowadays, with digital cameras, background checks and security personnel, control over theft of physical items is fairly rigorous, providing guests with thorough protection and the necessary peace of mind.
However, when it comes to credit card data theft by employees, hotels are much less thoroughly protected. And this is despite the fact that insider attacks are both more dangerous and harder to detect than conventional cyber attacks by external hackers.
Malicious insiders already have legitimate access to the credit card data and other sensitive information that your hotel stores. This makes it easy for them to steal it or leak it online. In many cases, malicious actions are indistinguishable from the regular work routine of an employee, and even if they get caught, they can easily claim that they simply made a mistake.
However, not all data leaks and breaches by employees are done out of malice or for personal gain. More often than not, employees make security mistakes out of carelessness or a simple lack of security training and qualification. Inadvertent data breaches should be addressed as part of your hotel’s strategy for dealing with insider threats.
Sub-contractors, affiliates, partners and third-party providers also often have insider access to your customer database. This opens your hotel to additional risks of data breaches and leaks.
Insider attacks can cause huge damage to your hotel’s reputation, and remediation of such attacks can cost you a fortune. It is important to make insider threat prevention and detection a part of your security strategy and to make sure that you have an incident response plan ready in case of insider threats.
Best practices for dealing with insider threats in your hotel
Despite how hard it is to deal with insider threats, with the right approach you can protect your hotel from malicious employees and subcontractors even on a limited budget. By following the best security practices for dealing with insider threats, you will be able to effectively mitigate risks and strengthen your overall security:
Employ a risk-based approach to security. Often, hotel cyber security is managed with a compliance-based approach in mind: boxes are checked off the list until all the necessary compliance regulations are met, and the effort stops there. A compliance-based approach is sure to strengthen your general security, but it often leaves you vulnerable in many critical areas.
The smarter thing to do is to combine compliance with a risk-based approach to security. Take the time to assess what data is a potential target for an attack, who the potential attackers are and what attack vectors they could use. This will help you understand the weak points and oversights in your current security. You will then be able to prioritize fixing them based on the potential damages and remediation costs of an attack through each of them. Regular, thorough risk assessments will strengthen your overall security posture and keep you well prepared to handle the newest cyber security threats.
Establish a culture of security. Data leaks and breaches often result from mistakes or simply careless behavior on the part of your employees. In order to prevent that and strengthen your overall security, you need to create and maintain a security policy and make an effort to educate your employees on the potential threats and dangers that your hotel faces. Make them aware of the best practices that should be used to prevent such threats.
Make your employees a proactive part of your security, establish a culture of security in your hotel, and your employees will be sure to follow all the security procedures in their regular work. Educated employees make fewer security mistakes and are less vulnerable to fraud and the social engineering techniques that criminals often use to steal credit card information.
Monitor any third parties. Even if your hotel has all the necessary sensitive data protected in full compliance with the law, it does not mean that your partners, sub-contractors and affiliates have the same level of security. Hotels work with many different third-party service providers: car rentals, flight booking companies, travel agencies, and many other services. It is safe to assume that most of them do not have a sufficient level of protection.
Therefore, you need to make sure that your guest data is thoroughly secured when third parties are accessing it. User action monitoring solutions, while not cheap, are well suited to this purpose. They are generally less expensive and less cumbersome than regular DLP systems and provide you with the necessary insight into how your third-party partners and affiliates use the financial and personal information you provide them.
Conduct thorough background screening. A background check is a good way to measure the risks associated with hiring a particular employee. This is arguably an essential part of a set of measures for countering theft, both of physical items and of clients’ data. It is also useful to conduct periodic background screenings of current employees. They may reveal an unexpected rise in an employee’s living expenses, which can indicate a malicious insider.
Monitor employee activity. The best way to reliably prevent and detect insider threats is to monitor hotel and restaurant employees. This is especially important for employees with privileged access and users working directly with guests’ financial information. While employee monitoring solutions can be expensive, they will give you a good idea of how sensitive data is handled and will allow you to detect malicious activity.
If you want your insider threat protection efforts to be effective, you need to make them comprehensive and layered. Employee monitoring should be coupled with data access monitoring, a strong access policy, thorough background checks, and efforts to raise employee security awareness, in order to create a system where your guests’ data is thoroughly secured.
Ekran System – a user monitoring solution to protect your guests’ data
Ekran System is a user monitoring solution with a flexible licensing scheme that will strengthen the security of your hotel on multiple levels. It produces searchable video recordings of everything a user sees on their screen, giving you the ability to detect any unauthorized activity, including breaches and data theft. You can use Ekran System for monitoring employees’ computers as well as third-party vendors and subcontractors.
Video recording with relevant metadata. Ekran System produces video recordings in an advanced indexed format, complete with relevant metadata such as active window and launched application names, keystrokes, visited websites (allowing you to monitor employee internet usage), etc. All data is coupled with relevant timestamps and is fully searchable.
Monitor privileged users. Ekran System can monitor every user regardless of the level of privileges they have within the system. This allows you to monitor system administrators and other groups with immediate access to sensitive data and critical infrastructure.
Monitor subcontractors and third-party service providers. Ekran System gives you the ability to monitor subcontractors, business partners, affiliates and third-party service providers while they work with your data. This allows you to ensure the security of your guests’ data even if a third-party service provider is not compliant with all the necessary regulations.
Advanced alert and notification system. Ekran System features extensive, customizable alerts, allowing you to set your own alerts on suspicious events. When an alert fires, security personnel receive a notification and can review the suspicious event. If the user session is still ongoing at that point, they can watch it live and immediately block the user if malicious actions are detected.
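To make concrete what "alerts on suspicious events" built from session metadata look like in practice (the employee and third-party monitoring points above, and the metadata fields listed for the recordings), here is an added example of rule-based alerting run over constructed session records. It is not Ekran System's code or its rule format: the record fields (ts, user, role, app, window, url), the rule thresholds, the approved vendor application and the upload host are all assumptions made for the example, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed policy values for this example.
VENDOR_ALLOWED_APPS = {"remote-support.exe"}   # only app a vendor account should run
OFF_HOURS_EXEMPT_ROLES = {"night_audit"}       # roles expected to work folios at night
BUSINESS_HOURS = (6, 23)                       # folio access expected 06:00 to 22:59
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                             # distinct folios opened inside BULK_WINDOW
UPLOAD_HOSTS = {"share.example.invalid"}       # file-sharing hosts to flag after folio access
FOLIO_PREFIX = "Guest Folio "

# Constructed sample session metadata, one record per observed event.
SAMPLE_EVENTS = [
    {"ts": "2016-03-28T09:02:10", "user": "front.desk1", "role": "staff", "app": "pms.exe", "window": "Guest Folio G-1001", "url": ""},
    {"ts": "2016-03-28T09:03:40", "user": "front.desk1", "role": "staff", "app": "pms.exe", "window": "Guest Folio G-1002", "url": ""},
    {"ts": "2016-03-28T02:14:05", "user": "night.audit", "role": "night_audit", "app": "pms.exe", "window": "Guest Folio G-1003", "url": ""},
    {"ts": "2016-03-28T03:30:00", "user": "front.desk2", "role": "staff", "app": "pms.exe", "window": "Guest Folio G-1004", "url": ""},
    {"ts": "2016-03-28T11:00:00", "user": "vendor.pos", "role": "vendor", "app": "remote-support.exe", "window": "Ticket 4471", "url": ""},
    {"ts": "2016-03-28T11:05:30", "user": "vendor.pos", "role": "vendor", "app": "pms.exe", "window": "Guest Folio G-1005", "url": ""},
] + [
    # Six folios opened by one user in six minutes, then a visit to an upload site.
    {"ts": f"2016-03-28T14:0{i}:00", "user": "reservations2", "role": "staff", "app": "pms.exe", "window": f"Guest Folio G-20{i:02d}", "url": ""}
    for i in range(6)
] + [
    {"ts": "2016-03-28T14:07:00", "user": "reservations2", "role": "staff", "app": "browser.exe", "window": "Upload files", "url": "https://share.example.invalid/upload"},
]

Alert = Tuple[str, str, str]  # (rule name, user, timestamp)


def folio_id(window: str) -> Optional[str]:
    """Extract the folio identifier from an active-window title, if it is a folio."""
    return window[len(FOLIO_PREFIX):] if window.startswith(FOLIO_PREFIX) else None


def evaluate(events: List[dict]) -> List[Alert]:
    """Run the four rules over events in time order and return the alerts raised."""
    alerts: List[Alert] = []
    # Per-user trailing window of (timestamp, folio) views, used by the bulk and upload rules.
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, role = ev["user"], ev["role"]
        views = recent[user]
        while views and ts - views[0][0] > BULK_WINDOW:   # drop views outside the window
            views.popleft()

        # Rule 1: a vendor account running anything other than its approved tool.
        if role == "vendor" and ev["app"] not in VENDOR_ALLOWED_APPS:
            alerts.append(("vendor_outside_approved_app", user, ev["ts"]))

        folio = folio_id(ev["window"])
        if folio:
            # Rule 2: folio access outside business hours by a role not expected to work then.
            in_hours = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
            if not in_hours and role not in OFF_HOURS_EXEMPT_ROLES:
                alerts.append(("off_hours_folio_access", user, ev["ts"]))
            views.append((ts, folio))
            # Rule 3: fire once when the number of distinct folios in the window hits the threshold.
            if len({f for _, f in views}) == BULK_THRESHOLD:
                alerts.append(("bulk_folio_access", user, ev["ts"]))

        # Rule 4: a file-sharing site visited shortly after viewing guest folios.
        host = urlparse(ev["url"]).hostname if ev["url"] else None
        if host in UPLOAD_HOSTS and views:
            alerts.append(("upload_site_after_folio", user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, user, ts in evaluate(SAMPLE_EVENTS):
        print(f"{ts} {rule:28s} {user}")
```

The night auditor's 02:14 folio access raises nothing because that role is exempt; the same access by a day-shift account at 03:30 does. That exemption is the kind of tuning the alert rules need so that security staff are not reviewing legitimate work, which is why the roles and thresholds are configuration rather than hard-coded.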
One of the biggest advantages of Ekran System is its flexible licensing scheme, which makes deployments of any size cost-effective. Ekran System gives you the ability to protect the databases and POS systems of your hotel from insider threats with minimal investment.
The hospitality business is rooted in trust. For your hotel to succeed, guests should be confident that their data is secure while they stay there. In order to maintain that confidence, effective protection from all kinds of breaches and data theft is essential. Therefore, it is necessary not only to follow best practices and avoid common mistakes, but also to employ the best security tools, such as Ekran System, in order to protect your hotel from both outsider and insider threats.