The recent data breach at a global hospitality company revealed the insecure cyber environment prevalent in the hotel and restaurant industry. This attack, and several other high-profile attacks in rapid succession, have made cyber security a priority for the hospitality industry. Asmita Mukherjee spoke with cyber experts in the hospitality industry to understand the ground realities of this concerning situation faced by hotels and restaurants.
According to industry experts, a property's attack surfaces, which are also its entry points, can lead to unauthorised access to any system that sits behind those entry points. Elaborating on attack surfaces, Ravi Kant Prasad, IT Manager, Crowne Plaza New Delhi Okhla, said, “Attack surfaces are defined as all possible entry points and vulnerabilities that can lead to unauthorized access into any system. In the modern scenario, the proliferation of the Internet of Things (IoT), increased use of mobile technologies, devices, web applications & network nodes as well as the poor security structure of third parties can lead to multiple potential cyber security threats.”
Prasad added that surfaces can be attacked in various ways: digitally, physically, or through social engineering. Digital attacks prey upon vulnerabilities due to weak passwords, exposed application programming interfaces, poor coding or poorly maintained software, and default operating system settings. Physical attack surfaces encompass endpoint devices such as USB ports, mobile devices, desktops, and laptops. Social engineering attacks rely heavily on human-to-human interaction and involve manipulating people to gain unauthorized access to system networks by identifying loopholes and breaking security protocols.
Echoing similar thoughts, Shiju Nair, Associate Director of IT, The Fern Hotels & Resorts, explained, “Attack surfaces are categorized as physical or digital. The modern attack surface is both digital and external because digital transformation has increased online presence via web-based SaaS applications and cloud services. Hotel software comprising modules such as PMS, POS, MMS, FAS, etc. is implemented both on the cloud and onsite. Therefore, by exploiting these attack surfaces, a hacker can carry out a security breach in various critical ways that could impact the vulnerable areas of a hotel, such as point of sale/payment card attack, customer data/identity theft, and DarkHotel hacking.”
Hotels hold huge databases containing the sensitive personal information of domestic and international customers, their credit/debit card details, their preferences and much more. These databases are highly vulnerable, and their exposure is a big challenge for the whole industry.
Elaborating on the common types of attacks that try to steal customer data, Nair said, “Using attack vectors such as phishing, ransomware, malware, etc., malicious actors target the software systems and steal the customer data/identity of the guest, which is a major cyber security challenge for a hotel as compared to other industries.”
“Cyber and data security breach is a worldwide phenomenon and not restricted to any one particular industry. Hackers tend to target businesses that involve dealing with the personal data of the customers. Day-to-day operations of the hospitality industry include a collection of personal and financial data such as payment card details, addresses, phone numbers, identification-related documents, etc., which are a hacker’s jackpot,” added Prasad.
Jeevasuriyan. P, Assistant Manager – IT, Mercure Chennai Sriperumbudur, elaborated on some unique aspects of the hospitality industry which make it an easy target for hackers, saying, “Hospitality companies which use old technology, platforms, and applications, and delay the periodic upgradation of IT infrastructure, are more vulnerable when combined with the exposure to a high number of external community/people in the hospitality industry, as compared to other industries, where access to the premises is majorly for authorised internal teams/employees. In hotels/restaurants anyone can have access to different areas and services.”
Recent findings indicate that during the pandemic, 81% of global organizations experienced increased cyber threats, with 79% experiencing downtime. The pandemic became an opportunity for malicious actors to step up cyber threats in the hospitality industry.
Prasad said that most organizations shifted to work-from-home or hybrid models during the pandemic, which made their systems more vulnerable. “As a measure, stringent system and access scrutiny is being conducted prior to allowing the shifted systems back to the network. The digitisation of communications and processes to minimize common touch points, especially in the hospitality industry, has increased the risk of cyber-attack by an order of magnitude.” Prasad added that, as an organization, they have always worked towards creating a culture of data safety and cyber security by deploying advanced technology and periodically testing threat detection and response capabilities. Along with all of these, they have also emphasized the training of their team members. “However, as a proactive measure, we reassessed our security systems – both physical and digital – to identify any new cyber risks post-pandemic. This included system audits and updates, examining critical supply chains, examining digital capabilities of various business functions, revisiting access mechanisms, and refresher training for team members,” he added.
Echoing similar thoughts, Nair said, “There has been a tremendous increase in the adoption of cyber security measures after Covid-19. During this phase, most of the industry had opted to work from home and switched to the online platform via SaaS applications and cloud services, in which various measures were taken by the IT team to provide connectivity to their internal network from outside, which has also created more attack surface area for cybercriminals to penetrate through the same channel and hack the system.”
Jeevasuriyan said that his property had implemented the latest security measures, viz. upgraded hardware and software platforms, devices with updated firmware, operating systems with the latest patch updates, FireEye, PCI-DSS compliance, etc.
As a precaution, the hospitality industry has been taking a lot of measures to avoid big blunders in the future. For instance, Prasad mentioned that Crowne Plaza New Delhi Okhla (IHG) treats data safety and cyber security as one of the most integral parts of its DNA. “A few of our best practices include but are not limited to – ensuring that all our systems are upgraded with the latest security updates. We have also prohibited the download of any unauthorized applications or programs on the company systems. We encrypt users’ data and verify private data to ensure safety. Segregation of data is extremely important and hence we do not connect all networks under one system. We have created an access hierarchy and access requirements mechanism to ensure access and data relevancy go hand in hand. We have heavily invested in network protection – the latest firewalls and next-generation antiviruses – to ensure maximum security. As a policy, we only collaborate with those vendors who meet international standards when it comes to data privacy and handling. As a part of our contracts and agreements, data safety requirements remain one of the major focus areas. Reinforcement of existing security processes and reviewing them on a regular basis helps us identify risks and threats and formulate resolution strategies. Creating a culture of awareness and responsibility via mandatory online and offline training becomes the most important factor to ensure integrity and security for us,” he informed.
Nair added that firewall protection, SSL protocols, and antivirus are the most important things to focus on. He added that his brand also separates admin networks from guest networks, keeping them distinct from each other using VLAN, both logically and physically. To stay vigilant, they monitor and scan the network on a regular basis for threat detection, and, last but not least, the brand has made sure that the IT security policies it provides are strictly followed by users within the company.