The threat of cybercrime and data breaches has never been so prominent. In the hospitality industry, hotel cybersecurity is a matter that shouldn’t be taken lightly. That’s because security experts now estimate that cyberattacks cost businesses $1.6 million to recover from. And what’s scarier: in 2019, the average time it took to identify a breach was 7 months, according to IBM.
Why Hotel Cybersecurity Matters
A study by IntSights found that in the past three years, the hospitality industry has had 13 “notable data breaches”.
They also looked into dark web hacker forums (the dark web being a section of the internet that isn’t visible to search engines and requires an anonymising browser to access) and revealed that Hilton had a 31% share of mentions, followed by Marriott at 28% and IHG at 19%.
But why are hotels particularly vulnerable to these attacks?
Well, IntSights believes this is because of the volume of financial transactions that hotels carry out, their use of loyalty programmes, their databases of sensitive personal data and, finally, their national and international spread.
Put plainly, the bigger the organisation, the more of a target it becomes for hackers due to the volume of information held. And that’s why cybersecurity is so important; protecting your customers’ data should be a primary concern - right alongside safeguarding against COVID-19.
In this day and age, your customers will be more cybersecurity savvy, and this may impact their choice of hotel.
This blog will explore cyber threats to hotels and how you can protect yourself against cybercrime.
Hotel cybersecurity best practices against 6 threats
When it comes to hotel cybersecurity, there are a multitude of different attacks that could happen, which is why it’s important to learn about them and ready your defences. You need to protect your hotel against any sort of data breach.
So, what are the types of cyber-attacks hotels might be susceptible to? And how can you avoid them?
1. Phishing attacks
If you’ve got an email account, chances are you’ve come face-to-face with a phishing attack. Phishing attacks are one of the most common scams on the internet and have a high success rate.
That’s because in the past few years, cyber-criminals have gotten smarter and have found ways to fool even the most switched-on individuals.
Phishing refers to the sending or receiving of emails that appear to be from a genuine source. The sender then tries to convince the receiver to share personal information such as bank details or passwords.
Nowadays, phishing has become more sophisticated, and that puts hotels at even greater risk.
There are two types of phishing: spear phishing and whaling. So what’s the difference? Spear phishing is highly targeted, usually aimed at individuals (jump to our next point to learn more), whereas whaling usually involves a lot more victims.
For example, an email might be sent from a senior leader at an organisation to employees, asking that they approve a transaction.
How can you protect against phishing attacks?
- Train employees to catch phishing emails. This could include teaching them how to scrutinise email addresses and look for poor spelling, grammar or typos.
- Use the latest software to prevent phishing emails.
- Keep all data backed up.
- Avoid disclosing any sensitive personal or business information.
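The address checks that staff are trained to make by eye can also be automated at the mail gateway. The following is an added example, not part of the original article: it flags senders whose domain is a near-miss of the hotel's own, a senior leader's name on an outside address, and a Reply-To that points elsewhere. The domain `examplehotel.com`, the name "Jane Doe" and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumptions (hypothetical values): the hotel's real sending domain and
# the names of senior staff whose identity is likely to be borrowed.
TRUSTED_DOMAINS = {"examplehotel.com"}
SENIOR_NAMES = {"jane doe"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, reply_to=None):
    """Return the reasons a sender looks suspicious (empty list = none found)."""
    reasons = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # One or two characters off a trusted domain is a typical lookalike.
            if 0 < edit_distance(domain, trusted) <= 2:
                reasons.append(f"lookalike domain: {domain} vs {trusted}")
        if display.strip().lower() in SENIOR_NAMES:
            reasons.append("senior leader's name on an external address")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != domain:
            reasons.append(f"Reply-To domain differs: {reply_domain}")
    return reasons

# Constructed sample headers: (From, Reply-To)
SAMPLES = [
    ("Jane Doe <jane.doe@examplehotel.com>", None),
    ("Jane Doe <jane.doe@examp1ehotel.com>", None),
    ("Jane Doe <jane.doe@examplehotel.com>", "payments@mail-example.net"),
]

if __name__ == "__main__":
    for sender, reply in SAMPLES:
        print(sender, "->", check_sender(sender, reply) or "no flags")
```

This check does not cover internationalised (punycode) lookalike domains or messages sent from a compromised genuine mailbox, so it complements staff training rather than replacing it.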
2. DarkHotel hacking
Hotel cybersecurity now needs to protect against a relatively new type of cybercrime: DarkHotel hacking. It’s targeted, precise and difficult to protect against. It's also a form of spear phishing.
The name, DarkHotel, derives from the attackers’ method of tracking the users’ travel plans. Attackers then use hotel Wi-Fi to target specific business guests (usually C-level business executives and other high-level figures), usually in a bid to gain sensitive information.
They use forged digital certificates to convince victims that a software download, such as an Adobe update, is safe. Instead, the victim receives a malicious executable.
How can you protect against DarkHotel hacking?
- Encourage guests who are concerned about DarkHotel hacking to use a virtual private network (VPN) if they are going to conduct any business with personal data.
- Encourage guests to double check any update alerts that pop up on their computers during their stay and download directly from the vendor's website.
3. Malware
Malware, short for “malicious software”, is software that can access, destroy or corrupt your computer, all while you’re unaware.
It can be used for spying purposes, to infect computers or networks with viruses, delete files or install more malware on your computer. Types of malware that can infect your computer are spyware, viruses and trojan horses.
This can happen when you open email attachments, download software, open links or pop-up windows or visit an infected website.
How can you protect against malware?
- Invest in anti-malware software
- Scan flash drives before use to ensure they aren’t infected
- Train staff to be smarter when it comes to clicking on links and adverts
- Ensure employees are using up-to-date browsers
- Use an ad blocker
4. Ransomware
We could have grouped ransomware under malware, but due to its slightly different nature we’ve given it its very own section.
Ransomware not only infects your computer; it also encrypts your files, allowing attackers to hold your data hostage and demand a ransom before you can restore access.
So how could a computer become infected by ransomware?
This can be done with the aforementioned phishing, where you download an infected file and it infects your computer. Ransomware can also exploit security gaps in your network, which gives it access without you ever granting it administrative access.
How can you protect against ransomware?
- Invest in anti-malware software
- Keep operating systems up-to-date and patched. This helps close any security loopholes that hackers could use.
- Avoid giving software administrative permissions unless you’re sure it’s from a trusted source.
- Back up files and data regularly.
5. Denial-of-Service or DDoS attacks
A DDoS attack is a malicious attempt to disrupt the normal traffic of a server, service or network by overwhelming it or its infrastructure with a flood of internet traffic.
With regard to hotel cybersecurity, it’s a hack of choice for those looking to target the systems that hotels use. It can result in websites and entire computer systems being brought down.
In some cases, attackers looking to gain money may threaten targeted victims with an attack or, if the victims have already been attacked, with a more devastating one.
How can you protect against DDoS attacks?
- Use technology or anti-DDoS services that can assist you in recognising legitimate spikes in network traffic.
- Configure firewalls and routers to reject bad traffic. Keep them updated at all times with the latest security patches.
6. Point of sale (POS) or payment card attacks
A huge part of hotel cybersecurity is watching for point of sale (POS) or payment card attacks, which pose a huge threat. That’s because they attack the vendor, rather than the hotel itself, making it a third-party crime.
This type of attack can result in customers being out of pocket and the media getting involved – which means bad press for your hotel. It can also mean financial implications for the business.
One of the most recent attacks was on the Ritz London, where scammers targeted their food and beverage reservation system.
How can you protect against point of sale and payment card attacks?
- Be PCI-compliant across all card readers, networks, routers and servers
- Train employees
- Hire hotel data security providers
- Use end-to-end encryption on POS systems
- Install antivirus on the POS system
- Regularly account for all POS devices to guard against theft
Use these best practices to guard your hotel against cybercrime today!