By Heinz Wehrle on 1/4/2022
Taking care of a hotel property as the owners’ representative encompasses supporting the operators and ascertaining the future protection of valuable data.
Digitalization has tremendously transformed the way business is conducted over the past decades. These technological innovations led to an alternated criminal business model. Whilst in the beginnings of digitalization, cybercriminals were targeting specific companies for industrial espionage, or to increase their reputation amongst the hacker community, it has changed nowadays to pure hacking-for-profit, targeting any potential victim.
Contrary to physical security items like fire alarms, smoke detectors and the physical threat – a fire – that are visible to anybody, cybersecurity cannot be seen from the outside, and prevention, as well as threats, can only be assessed by seasoned experts. To continue the fire analogy: The effects of an actual fire are widely known – property destruction, loss of revenue, bodily harm and, in the occurrence of violations, regulatory fines. Although Cybersecurity incidents only seldom lead to bodily harm, they can result in the destruction of property (data), loss of revenue (non-functional IT-system), as well as regulatory fines (GDPR) and reputational damage.
In the hospitality industry, guests trust their hosts to provide a pleasant and safe experience during their stay. Therefore, it is of the utmost importance to ensure that these non-tangible cybersecurity measurements are kept to a high standard as well.
Similar to physical security, cybersecurity measures are implemented, monitored and controlled in multiple layers, comparable to an onion. To penetrate the inner layers of the onion, a threat or attacker has to pass through multiple layers from the outside towards the centre. In the hotel industry, these layers would be the property grounds, the actual building, the inner common areas, employee-only areas and ultimately the guests’ rooms. In terms of cybersecurity, these layers can be associated as follows:
Whilst the Darknet might appear similar to the internet, it has two fundamental differences: There are no generally available search engines, which provide all the possible information one might look for, and there are no legal processes and entities, which could remove sensitive or unlawfully obtained information. Sensitive data will often be posted on the Darknet to either blackmail the affected entity or tease its content in order to sell to other criminals. Therefore, it’s important to monitor the available information about entities continuously and act accordingly with countermeasures to prevent more information from leaking to criminals and/or to minimize damages.
Despite being one of the most impactful innovations of the last 50 years, the internet also poses risks to a business. The increased possibilities of risks and threats include cyberattacks, social engineering or impersonation of brands/businesses/people. Nowadays, a hijacked social media account can wreak tremendous damage to the reputation and trust of a company, and worst-case, drive down the stock price, thus decreasing the business value. With the right partner at hand, this information can be monitored, controlled and, if necessary, removed.
The internal IT-Infrastructure: The actual connection point between the hotel property and the World Wide Web serves multiple purposes. It often hosts various services like websites, mail servers or other services available to the public. From the inside, the uplink is used either by staff to conduct business or by guests to provide a fast surfing experience. Also, the perimeter acts as an interface to third-party partners, who either submit or receive information. If these interfaces are not carefully implemented, a business might suffer from a so-called supply chain attack, where the attacker gains access to (multiple) businesses at once, by infiltrating just one common supplier amongst the supply chain. If this perimeter is not carefully planned, maintained or audited, cybercriminals will be able to cross the barrier into the property itself – either by viruses, Trojans, ransomware or other types of malware.
Once an attacker was able to gain a foothold inside the business, it is unfortunately often too easy to gain full control over all systems and their data. Depending on the attacker’s intention, the area of focus would be espionage on VIPs, theft of personal information, theft of credit card data or flipping the kill switch and deploying ransomware, rendering all IT systems unusable. These attacks are especially heinous, as usually an attacker can move freely, avoid detection and can search and also find the most valuable assets (often most damaging for a business) from an attacker’s point of view. A disastrous example from the hotel industry would either be the theft of all the confidential client data, which would lead to identity theft and massive reputational damage, or the complete de02activation of a keyless entry system that would make the property uninhabitable until the problem could be fixed.
Whilst a single hotel might be able to get quick help from the supplier, a supply chain attack based on the vendor side could lead to an enormous number of properties being unavailable, and even with the supplier’s best intentions, leaving them out of business for multiple weeks or months.
Download the report to learn more or follow this link.