Hospitality Finance and Technology Professionals ( HFTP ) “ immediately form the senior-level Joint Emergency Guest Data Security Workgroup .”
Noting that he hasn ’ t heard that any of his recommendations have been embraced , Burns says he remains “ hopeful rather than optimistic .”
SYSTEMS , PEOPLE , DEVICES What are the immediate and long-range security vulnerabilities for property owners ? According to security experts , there are at least three dimensions : systems , people and devices .
First are existing enterprise IT systems , particularly legacy ones that may be inadequate from a technology – or access-policy – standpoint . This appears to have been the case in the hack of Starwood database , which was phased out at the end of 2018 in favor of Marriott ’ s own system .
Employees are part of the problem . “( O ) ur industry is blessed and cursed with very hospitable professionals ,” Michael Blake , CEO of HTNG , the technology solutions association for the hospitality industry , wrote in a blog post in January . “ These folks are fundamentally accommodating , making them perfect targets for social engineering attacks by cyber criminals .”
Blake ’ s recommendation : recurring cybersecurity training for everyone . He also stressed the need to hire a chief information security officer if the organization lacks such an executive .
The final , and arguably most problematic , cybersecurity attack vector is also the newest : a profusion of devices in the Internet of Things ( IoT ).
IHS Markit predicts the installed base of IoT devices rising from 27 billion in 2017 to 73 billion in 2025 . However , as businesses deploy more and more IoT systems from an ever-expanding number of vendors ,
Getty Images
TESTIMONY TAKEAWAYS
Marriott International CEO Arne Sorenson testified before the U . S . Senate in early March regarding last fall ’ s hack of its Starwood guest reservation database . Robert Cattanach , partner at Dorsey & Whitney , offers three takeaways on the impact of the breach .
On the erosion of trust : This is not to say that there will be some mass migration away from Marriott , but one pauses to consider how much companies like Marriott spend to promote their brand generally , and the past compromises will require some time and money to bring back the customer connection to where it was pre-breach .
On legislative action : Even legislators sympathetic to the plight of businesses being exploited by hackers are facing pressure from those very same businesses to provide some uniformity in regulation at a federal level to relieve businesses of the burden of complying with a plethora of one-off state requirements .
On corporate culture : Hindsight is always 20-20 , so it ’ s easy to say Marriott should have done specific things , but that misses the point : Top management simply didn ’ t stress the importance of data security , and the result was inevitable . — Chloe Riley
their security exposure increases . More than half of the global organizations that responded to a Kaspersky Lab survey last year agreed with the claim that “ the increased risks associated with connectivity and the integration of IoT ecosystems are a major cybersecurity challenge .”
“ It ’ s a mind-boggling number of access points , most of them operated by people for whom security is not a top concern ,” says Burns about the diverse , fragmented infrastructure managed by many property owners .
Both Burns and Moyle focus on the need for robust data governance as a mechanism for managing the technology elements within the ecosystem – in particular those that interact with guests – as well as segmenting what these systems do .
Mark Begor , CEO of
Equifax ( left ) and Marriott CEO Arne Sorenson are sworn in during a U . S . Senate committee meeting on March 7 in
Washington , D . C .
“ Given the complexity , a workmanlike and systematic approach to data governance isn ’ t just a ‘ nice to have ,’ it ’ s foundational ,” Moyle says .
May 2019 hotelsmag . com 47