HotelsMag October 2016 | Page 58

HIGH ALERT

AS INCIDENTS OF DATA BREACHES INCREASE IN THE HOSPITALITY SPACE, EXTRA SECURITY PRECAUTIONS CAN PAY OFF.
Contributed by JULIANA SHALLCROSS

In recent years, hotel companies have invested in sophisticated electronic platforms to collect and store guest information, yet it’s this data — ranging from credit card numbers to birthdates — that’s making them prime targets for cyber gangs.

Kimpton Hotels & Restaurants is the most recent to report a malware attack, in August. Oracle’s MICROS point-of-sale system was hacked, presumably by a Russian cyber gang, in mid-July, compromising about 330,000 payment terminals in 180 countries at hotels including ones owned by Marriott, Hyatt and Hilton. HEI Hotels & Resorts reported that malware installed on point-of-sale systems at 20 of its hotels affected thousands of transactions over more than a year. HEI has since installed a new payment processing system separate from other parts of its computer network. “We are treating this matter as a top priority,” the hotel said in a statement.
Stu Sjouwerman, CEO of KnowBe4, a security awareness training company, says security breaches can often be traced back to employees. “Hackers get in through phishing,” he says. “They send a well-crafted email with a spoofed address, and an employee mistakenly opens the attachment. That gets the bad guy in on that machine, then they tunnel through the network and eventually compromise the POS system.” He advocates cyber security training involving simulated phishing attacks and ongoing education on cyber-crime trends.
NECESSARY DATA
John Wethington, vice president of Ground Labs, a security software company, says hotels should only collect information that they absolutely need, especially as malware gets smarter. “The go-to strategy for hotels has been to collect as much info as guests will share and then figure out later if they need it,” he says. “That’s not a good practice.” Instead, hotels should identify the least amount of data they can collect while still effectively marketing to guests.
Wethington also advocates storing data where it can be consistently scanned and managed. And much like what HEI is now doing, he says hotels should use a POS system that is not connected to their larger network, including the property management system.
Another form of protection is cyber insurance. Most such insurance has two broad components, says Collin Hite, an insurance coverage litigator at Hirschler Fleischer’s data privacy and security practice. The first pays for out-of-pocket costs – usually network restoration and brand or reputation management. The second covers liability and expenses related to claims from customers or others whose data was exposed. Hite says hotels typically tend to skimp on first-party coverage, and then are forced to pay higher amounts than expected for fixing their compromised networks. Hite advises companies to do extensive due diligence when purchasing cyber insurance because cyber policies can vary “wildly” across insurance companies.
Tacking a cyber insurance policy to an existing policy like a Commercial General Liability policy is also inadequate, he says. Instead, consider standalone electronic data coverage, which also covers ransomware – a form of malware that locks down a computer system until a certain amount of money is paid to restore it. “Hotels are prime at risk for that type of attack,” he says. Today’s criminals can simply buy ransomware and other malicious software on the Internet. “The guy next door can become a cyber criminal overnight,” Hite says.
FIVE WAYS TO PROTECT YOUR NETWORK
Tips from Collin Hite of Hirschler Fleischer:
• Segregate information: Make sure employees can only access the parts of the network they need.
• Keep access current: Former employees should no longer be able to access the network.
• Educate: Tell employees about your data privacy policy and what the legal ramifications are if it isn’t followed.
• Update: Perform regular updates to software and your computer system.
• Have a plan: Determine who is in charge of what in case of a breach, then practice drills to make sure the plan works.