Digital transformation is redefining many aspects of the hospitality industry, and the importance of cybersecurity cannot be overstated. The recent spate of high-profile incidents is a reality that many in the industry are coming to grips with. No entity, regardless of size or stature, is immune to the threats posed by cybercriminals. In building our products, I paid a lot of attention to this element, and we researched and learned a lot along the way. Taking from everything we learned, I’d like to offer some perspectives on the nature of these threats and the strategies and practices that can help safeguard hotels and their guests.

Understanding the Target

Motivated cybercriminals often target businesses for financial gain when they identify a weakness. The interconnected nature of casino operations, from hotel room keys to payment systems, makes them vulnerable to a broad range of attacks. This focused attention can be attributed to several factors. Ransomware gangs, which operate with a profit motive akin to traditional businesses, prioritise targets that can afford to pay substantial ransoms.

Casinos are a perfect fit for the profile of businesses with high cash flow and critical operations. Their success relies heavily on the smooth functioning of their operations. Data breaches and similar incidents may force companies to pay ransoms to resume operations, highlighting the critical nature of these threats.

Beyond Ransomware and DDoS Attacks

While ransomware, DDoS attacks, and the compromise and sale of customer data are well-known threats, the cybersecurity landscape is far more varied and complex. Phishing attacks aim to steal valuable information by exploiting human psychology. The advent of generative AI threatens to make these attacks more sophisticated, targeting individuals with alarming precision.

IoT (Internet of Things) devices in hospitality increase the risk of cyber attacks, causing financial and operational disruption. Robust security measures and vigilance are vital to protect sensitive data and maintain reputation. Supply chain attacks and the targeting of high-profile clients through persistent infiltration or insider threats further complicate the industry’s security challenges.

Far-Reaching Effects of Cyber Attacks

The extensive infiltration capabilities of modern cybercriminals can lead to widespread disruption of hospitality operations. From non-functional hotel door locks to shutdowns of hotel IT and payment systems, the interconnectedness of a hotel’s tech stack means that a breach in one area can have cascading effects. This interconnectivity often necessitates a comprehensive shutdown to eradicate threats and rebuild infrastructure, highlighting the importance of widespread security awareness and training across all levels of an organisation.

“In today’s digital age, all industries are at risk of being targeted by cybercriminals.” (Aleksander Ludynia)

Comprehensive Security Strategies

Creating and maintaining a robust security strategy is a continuous process rather than a one-time task. Keeping up with the changes and updating your cybersecurity strategies is crucial as the technological landscape evolves. By taking proactive measures, you safeguard your hotel and ensure your guests can trust you to secure their sensitive information. As you formulate your cybersecurity plan, remember that trust is the cornerstone of guest satisfaction and retention, so it’s essential to prioritise it in your security efforts.

To effectively combat cyber attacks, it is crucial to implement a comprehensive cybersecurity strategy that focuses on:


Cyber Hygiene Practices: Think of cyber hygiene as the cleanliness protocol for your digital environment. Just as you’d schedule regular maintenance for your physical spaces, your hotel’s systems need routine check-ups. It is essential to update your software and promptly patch any vulnerabilities. This is the first line of defence against cyber attackers.

Access Control: Only certain employees need the keys to every room, digitally speaking. Use role-based access control (RBAC) to ensure that your staff only has access to the information necessary for their roles. This minimises the risk of internal breaches and keeps sensitive data compartmentalised. Access control should be implemented on the network level, application level and in all solutions that criminals can use to disrupt the business processes.

Data Protection: Minimising the scope of processed data and encrypting it is like putting a treasure chest in a vault. It ensures that personal information remains unreadable to unauthorised eyes even if intercepted. This applies to payment information and personal details alike, keeping your guests’ information safe and secure. Data inventory and robust protection and access control processes help protect data integrity and availability.

Malware Protection: Modern anti-malware solutions can detect malware activity on a wide range of devices, block it and minimise the consequences of such activity.

Continuous Monitoring: Just as you keep an eye on the comings and goings in your lobby, continuous monitoring of your IT network can alert you to any suspicious activity. Employing intrusion prevention systems (IPS) and security information and event management (SIEM) solutions can help you spot and respond to potential threats in real time, much like your front desk staff would handle a security issue in the lobby.

Incident Response Plan: A clear, concise incident response plan enables quick action when a suspected cyber breach attempt is detected. This plan should outline steps for reporting incidents, who to contact, and how to contain a breach.

Risk Management: Every hotel has its own unique set of challenges. To effectively address your hotel’s specific risks, it’s important to tailor your cybersecurity measures accordingly. Prioritise your resources where they’re most needed by taking a risk-based approach.

Human-based attack prevention: It is much easier to hack a living person than most IT systems. Therefore, criminals often target hotel employees to get initial access to the systems and later compromise the entire IT environment.

The Human Element in Cybersecurity Breaches

Social engineering is a successful tactic used by cybercriminals to breach secure environments. It involves manipulating individuals to gain unauthorised access to systems and data by taking advantage of human vulnerabilities. For instance, in the hospitality industry, employees are often targeted through phishing emails that appear to be booking confirmations or customer complaints. These emails may contain malicious links that can compromise the establishment’s cybersecurity defences.

Another common social engineering tactic is pretexting, where attackers create a fake scenario or identity, such as pretending to be a trusted vendor or IT support, to get employees to disclose confidential information. For example, a scammer could pretend to need access to a guest’s booking details for verification purposes, thereby gaining access to sensitive data. The following practices help to decrease the risk related to attacks on hotel staff:

Employee Training: Regular training sessions should educate staff on social engineering attacks, such as phishing, pretexting, and baiting. Employees should know how to identify suspicious requests, verify identities, and handle information securely. They must be aware of the security policy and general practices they must follow.

Two-Factor Authentication (2FA): Systems that provide 2FA add an extra layer of security, ensuring unauthorised access is still blocked even if credentials are compromised. For example, requiring a code sent to an employee’s phone in addition to a password entry can prevent unauthorised access. Among other things, it prevents password sharing, which is one of the common security mistakes of employees.

Security Audits and Phishing Simulations: Regular security audits and phishing simulations can help identify organisational vulnerabilities and gauge employee readiness against social engineering tactics. These exercises can also reinforce training by providing practical examples of how to react to attempted attacks.

By focusing on the human element and equipping employees with the knowledge and tools to recognise and resist social engineering tactics, hotels can significantly enhance their cybersecurity posture.

Learning from High-Profile Incidents

Analysing past incidents that impacted our industry offers valuable lessons in the importance of preparedness, the need for comprehensive incident response procedures, and the role of company-wide education in cybersecurity best practices. These incidents are stark reminders of the need for vigilance and the continuous improvement of security measures.

Responding to an Attack

The immediate response to a cyber attack can vary significantly, but the importance of having a well-developed incident response playbook cannot be overstated. Regular training and simulations ensure that the hotel’s operations are prepared to act swiftly and effectively in the face of an attack, minimising damage and expediting recovery.

The Role of Law Enforcement

The involvement of law enforcement agencies in cyber attacks can differ depending on jurisdiction, the nature of the victim’s business, and other factors. In some instances, reporting the incident to authorities might be optional; in others, it could be mandatory. Integrating the decision to notify law enforcement and seek potential support from them into the incident response procedure is crucial.

Globally, law enforcement authorities actively pursue cyber gangs, striving to disrupt and dismantle them within their areas of jurisdiction. Therefore, their primary role is preventing attacks and shutting down criminal groups rather than directly responding to individual incidents.

Key Takeaways

Comprehensive Risk Management: Understanding the hospitality industry’s vulnerabilities and threats is essential for developing effective cybersecurity strategies.

Employee Training and Awareness: Empowering employees with the knowledge and tools to recognise and respond to security threats is critical in preventing attacks.

Robust Incident Response: Developing and regularly testing incident response procedures can significantly mitigate the impact of cyber attacks.

Collaboration with Law Enforcement: Engaging with law enforcement and other cybersecurity entities can enhance an organisation’s ability to prevent and respond to attacks.

Constant Work in Progress: Cybersecurity is an ongoing process that requires continuous assessment, adaptation, and improvement to address evolving threats.

In conclusion, while the hospitality industry, particularly casinos and gaming, will likely remain attractive targets for cybercriminals, advanced security measures, employee training, and comprehensive incident response strategies can significantly mitigate these risks. By cultivating a culture of cybersecurity awareness and preparedness, your hotel can confidently navigate the challenges of the digital age, protecting its operations and patrons.

About Shiji Group

Shiji is a multi-national technology company that provides software solutions and services for enterprise companies in the hospitality, food service, retail and entertainment industries, ranging from hospitality technology platform, hotel property management solutions, food and beverage and retail systems, payment gateways, data management, online distribution and more. Founded in 1998 as a network solutions provider for hotels, Shiji Group today comprises over 5,000 employees in 80+ subsidiaries and brands in over 31 countries, serving more than 91,000 hotels, 200,000 restaurants and 600,000 retail outlets. For more information, visit www.shijigroup.com.
