A Holistic Approach to Solving Hospitality’s Unique Cybersecurity Challenges
Cybercriminals are primarily after data, and hotels and other hospitality businesses are ripe with the kind of customer information attackers seek. But despite the hospitality industry’s talent for data gathering, there’s a misconception that other industries, like finance and technology, are the more likely attack targets. For some businesses, this can lead to a lack of robust programs in place to effectively secure data. The subsequent gap—massive data stores without proper security controls—makes the hospitality industry uniquely vulnerable to cybercriminals.
Businesses working to protect themselves and their customers must understand the unique security challenges they face, and the necessary steps to mitigate risks if they hope to keep pace with modern threats.
The Unique Challenges of Hospitality
It’s important for hospitality businesses to have a thorough understanding of the unique security challenges the industry faces. One of the most obvious: the very nature of the business. Hotels offer a wide range of temporary services, both physical and digital. There are countless Internet of Things (IoT) connected devices within an average hotel, including contactless entry applications, door keys and locks, thermostats, televisions, and web routers. The extreme degree of turnover inherent to hotels and other hospitality businesses compounds the problem. Normal operation for hotels effectively involves inviting hundreds (even thousands) of unvetted users to access their networks, most of whom will be replaced by new, equally risky visitors within 24 hours. And beyond the network, those users also require access to physical spaces, which generally lack the control mechanisms inherent to other businesses.
This turnover extends to the workforce as well, especially at seasonal destinations. Temporary workers might arrive for the summer months and immediately receive the same access permissions as full-time staff. While most businesses ensure all employees receive security training, hotels often don’t have the time or resources to train temporary workers and the return on investment simply isn’t there for anyone only around for a few weeks or months. Unfortunately, a lack of security awareness significantly increases the risk of an employee making a costly mistake, such as falling for a phishing scam or business email compromise (BEC) scheme. In fact, hospitality was the number one industry targeted by phishing attacks last year, underscoring the industry’s relative vulnerability.
Finally, the franchise model, common in hospitality, gives rise to the challenge of consistency. Establishing security guidelines and consistent processes across a franchise environment that lacks top-down control is difficult, often resulting in divergent standards across the network that make it more difficult to manage and secure. This is particularly problematic because digital hygiene practices, like timely patching and updating, are critical in an environment with so many potential vulnerabilities for attackers to exploit.
The key takeaway? While hotels and other hospitality businesses work to make life as convenient as possible for guests, they inadvertently also made things more convenient for attackers. As a result, adversaries view hospitality as an easy target with a treasure trove of data waiting to be exploited.
Essential Steps to Secure Hospitality Businesses
There is no one-size-fits-all approach to securing hospitality businesses, but there are steps for more effective protection. It starts with an honest assessment of the organization’s security posture, from its supply chain management practices and password policies to its incident response plans and identity management solutions. Organizations without significant security experience may need to call in third-party experts to conduct a thorough assessment, but it’s important to establish a baseline and understand where vulnerabilities exist.
The second—and arguably most important—step is shifting the organization’s focus from “prevention” to “resilience.” Breaches are, unfortunately, a fact of life in today’s world, and even the strongest security program in the world cannot prevent 100% of attacks. But what organizations can do is ensure that they're prepared to detect, contain, and recover from attacks in a timely and effective manner. That means placing added emphasis on solutions capable of providing 24/7 monitoring, detection, and response capabilities. Modern security solutions armed with AI capabilities can make a big difference here. By observing the organization’s digital environment over time, these solutions establish a baseline for what “normal” behavior looks like and alert security teams when suspicious or unusual activity occurs. This type of behavioral analytics is critical in today’s threat landscape and can help businesses identify attack activity even when the attacker enters the network through the front door using a key (i.e., using stolen credentials).
Unfortunately, most hospitality businesses don’t have endless resources to invest in security, which often leads to “build vs. buy” considerations. As the software-as-a-service (SaaS) economy continues to grow, many hospitality businesses are turning to third-party security specialists rather than attempting to build a security program from scratch. Additionally, the ongoing cybersecurity skills shortage makes it difficult for organizations to hire experienced security professionals, further complicating efforts to build strong internal security programs. The need for 24/7 incident response against constantly evolving threats leads many hospitality businesses to seek external help.
Taking Steps in the Right Direction
Hospitality businesses collect a significant amount of customer data, making them a veritable treasure trove for attackers looking for information to sell on the dark web. Factor in that the nature of the industry leaves businesses dangerously vulnerable to a wide range of attack tactics, and it’s easy to see why hospitality is a popular target among today’s attackers. But while adversaries persist, improving cyber hygiene and implementing 24/7 detection and response capabilities can go a long way toward significantly hardening defenses and strengthening security postures for hospitality businesses—even if that means bringing in some outside help to make it happen.