‘A Failure of Leadership’

Cybersecurity experts find holes in data security systems as well as in C-suites

The failure to stay on top of cyber-security threats and their solutions is a major cause of data breaches that can result in millions of dollars in lost business and recovery, say hotel technology experts.

Recent studies on technology in the hospitality industry show disconnects between business owners and executives and their IT departments.

First the good news. A 2019 Hospitality Technology Sentiment Survey by Hospitality Net and Hospitality Technology & Financial Professionals, or HFTP, reveals many hoteliers and tech suppliers plan to increase their IT budgets in 2020. In addition, IT staffers in more than half (65 percent) of the businesses say their companies’ leadership view tech spending as important.

The not-so-good news is a third of the 540 hoteliers and suppliers surveyed during June’s HITEC in Minneapolis say they do not know the status of their company’s IT budget. The report authors call the result “shocking.”

A study by Shredit, a document shredding company, showed 36 percent of hospitality business owners surveyed believe “data breaches are no big deal and are blown out of proportion.”

The results of the studies show a nonchalant tone that in almost all cases is set by a company’s leadership. Jen Stone is a senior security analyst with SecurityMetrics. She visits a lot of businesses and assesses the compliance of their credit card processing systems as well as other platforms.

“A data breach is a failure in leadership,” Stone said. “There’s a lack of communication between senior leadership and their IT folk that I’m seeing in conversation after conversation through my assessment work.”

In many cases, leadership does not take the threat seriously, is willing to accept the risk or instructs its IT department to find cheaper solutions. Protecting customer data “is the responsibility of senior leadership because they’re the ones that decide how much money, how many people and what kind of time will be put toward protecting information. You can’t point your finger at the IT department and say they didn’t do it if you didn’t give them what they needed to protect that information.”

Of the more than 500 attendees surveyed at June’s HITEC, most said their companies plan to increase or maintain their IT budgets in 2020. This chart shows the spending priorities in specific categories.

Threat of Loss

A new IBM report notes the average cost of a data breach in a U.S. business is more than $8 million. Most of the cost is the result of lost business, meaning travelers stop coming to your hotel because they don’t trust the security of the technology.

In yet another report, this one by Morphisec of Israel, 70 percent of 1,000 hotel and restaurant consumers surveyed say they believe the hospitality industry is not investing enough in cybersecurity. Of the respondents, 9 percent said they have been victims of cyber theft in hotels and 10 percent claim the same at restaurants.

The bigger the loss of data and the longer the breach goes undetected, the more it will cost a business.

It’s a given in today’s technological age that hotels depend on technology to process customer credit card purchases and to store personal information about guests that helps hotel staff serve them better.

For the most part, hotel owners and operators have done all they can to make sure their customers’ data is secure. The 2019 Verizon Data Breach Investigations Report shows a dramatic drop in point-of-sale data thefts at hotels and restaurants since last year.

The decline in incidents is mostly because of hospitality merchants adhering to the Payment Card Industry Data Security Standard, or PCI DSS, and other processing protocols such as the European Union’s General Data Protection Regulation, or GDPR.

While it’s a smart move to be PCI and GDPR compliant, that does not fully guarantee your hotel data is safe from hackers. Today’s cyber criminals, thwarted by retailers compliant with PCI and GDPR, are targeting different quarry – hotel guests’ personally identifiable information, or PII.

Scott Boren of Boren & Associates, a compliance auditor who gave a presentation on Oct. 24 at HFTP’s convention in Orlando, told Long Live Lodging that “most of the information that the hospitality industry is receiving is basic. It’s the type of stuff nowadays you used to be able to locate by going to the corner and pulling out the old phone book, and that’s the level that they should be retaining to.”

Yes, payment information is digitally encrypted, but there is other information that comes off the chips and mag stripes, Boren said. The non-financial PII “gets stored in systems that people may not even be aware they exist. They need to ask questions of their IT people and the providers of software.

“I don’t think they really realize what they are collecting in the background and how much could be a potential for use. There is a lot of information we inadvertently turn over, and we don’t know it.”

PII has monetary value, Boren said. Cyber thieves use PII to commit identity theft. “You’re not stealing someone’s credit card information, you’re creating it,” he said.

The hacker looks for ways to infiltrate a hotel’s data-storage system and glean a guest’s age, address, driver’s license, social security number and even their voice to build a false identity. The fake persona can be approved for online loans and credit card applications.

The false persona can also send an email or make a phone call to a business associate or family member and ask for a transfer of money into an account.

It may sound like a movie plot, but these are real incidents tracked in the Verizon report.

Verizon analyzed nearly 42,000 security incidents that occurred in 2018. More than 2,000 of them were confirmed data breaches. In many cases, tactics were the usual – such as ransomware or malware.

Other breaches involved what Verizon calls “financially motivated social engineering” and were focused on credential theft and duping people into transferring money.

The 2019 Verizon Data Breach Investigations Report is derived from more than 41,600 security incidents and more than 2,000 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide. No matter what kind of data your business saves, there is someone who wants to steal it. The chart shows the victims of recent data thefts.

First Steps

We are not helpless in the face of such threats, say experts, including those Lodging Leaders interviewed. The good news is there are many security experts and security safeguards and best practices that can be deployed to ward off cyber criminals and protect your business as well as your customers.

Ron Hardin, director of information technology at Sandestin Golf and Beach Resort, said business owners who believe being PCI or GDPR compliant is a once-and-done security step should realize this: “No company that ever had a documented breach of credit card data was compliant at the time of the breach.”

Hardin said every business that is deemed PCI safe was compliant at the time of the assessment. But studies reveal that most merchants fail to stay compliant.

Hardin is passionate about cyber security. He says he got that way because he once took cyber threats too lightly and got burned. That was a long time ago.

Hardin has earned the reputation of being an evangelist for the adoption of IT security systems and safety protocols throughout the hospitality industry.

He recommends hotel owners and operators use a PCI compliance assessment as a step toward building and maintaining a safety net around stored data. It’s not the only tool in the box, but it’s a good start and it can reveal existing vulnerabilities.

The Verizon 2019 DBIR shows who was responsible for data breaches last year. No organization is too large or too small to fall victim to a data breach.

Draw Me a Picture

Stone of SecurityMetrics is a self-described nerd when it comes to PCI and GDPR compliance. She agrees with Hardin that performing a credit card processing compliance assessment can help hotels find their weakest links in data security.

But there’s a deeper conversation that needs to take place. That includes the kind of guest information a hotel stores and where it is stored.

“Let’s say you’re doing a PCI compliance assessment and it shows your credit card data is secure,” Stone said. “But there are other areas that have PII that’s not related to their credit card and that data is kept in different systems not related to PCI compliance.

“Knowing where data is in your systems and how they’re included in the scope of assessment will give you a greater or lesser degree of assurance that you’re keeping that information secure.”

Stone advises businesses to draw diagrams of their IT storage systems, creating a map of sorts on paper that shows the different buckets of data. The map should show where credit card information is stored, with a dotted line connecting the credit card storage bucket to the bucket where PII is collected and saved, and so on.

“Know how that information flows into your systems; what is saved; where it gets saved; and the security controls that apply to it,” Stone said.

Geographically charting the hardware and associated software programs and then adding the digital pathways can reveal holes where cyber criminals can get in.
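The mapping exercise Stone describes can be kept as a small, queryable inventory rather than only a paper drawing. The following is an added example, not code from the article or from SecurityMetrics: every system name, data class and control name in it is constructed for illustration. It records each bucket of data, the flows between buckets and the controls applied, then answers the three questions the paragraphs above raise: which buckets holding PII or card data sit outside the PCI assessment scope, which sensitive buckets have no recorded control at all, and which sensitive buckets an internet-facing system feeds into, directly or through intermediate systems.

```python
"""Data-flow inventory for a hotel's data buckets (added example, constructed data).

System names, data classes and control names are hypothetical placeholders;
they do not come from the article or from any real property.
"""
from collections import deque

# Constructed inventory. Each bucket records what data it holds, which security
# controls apply, whether it is inside the PCI assessment scope, and whether it
# is reachable from the internet.
STORES = {
    "booking_site":    {"data": {"pii"},         "controls": {"tls", "waf"},
                        "pci_scope": False, "internet_facing": True},
    "payment_gateway": {"data": {"card"},        "controls": {"tokenization", "tls"},
                        "pci_scope": True,  "internet_facing": True},
    "pms":             {"data": {"pii", "card"}, "controls": {"encryption_at_rest", "mfa"},
                        "pci_scope": True,  "internet_facing": False},
    "crm_export":      {"data": {"pii"},         "controls": set(),
                        "pci_scope": False, "internet_facing": False},
    "event_bar_pc":    {"data": {"pii"},         "controls": set(),
                        "pci_scope": False, "internet_facing": False},
    "pos_terminal":    {"data": {"card"},        "controls": {"p2pe"},
                        "pci_scope": True,  "internet_facing": False},
}

# Directed data flows: data moves from the first bucket into the second.
FLOWS = [
    ("booking_site", "pms"),
    ("pms", "payment_gateway"),
    ("pos_terminal", "payment_gateway"),
    ("pms", "crm_export"),
    ("event_bar_pc", "pms"),
]

SENSITIVE = {"pii", "card"}


def unscoped_sensitive_stores(stores):
    """Buckets that hold PII or card data but sit outside the PCI assessment scope."""
    return sorted(n for n, s in stores.items() if s["data"] & SENSITIVE and not s["pci_scope"])


def uncontrolled_stores(stores):
    """Sensitive buckets with no recorded security control."""
    return sorted(n for n, s in stores.items() if s["data"] & SENSITIVE and not s["controls"])


def reachable_sensitive_stores(stores, flows):
    """For each internet-facing bucket, the sensitive buckets it feeds, following flows transitively."""
    adjacency = {}
    for src, dst in flows:
        adjacency.setdefault(src, []).append(dst)
    result = {}
    for start, meta in stores.items():
        if not meta["internet_facing"]:
            continue
        seen = {start}
        queue = deque([start])
        while queue:                     # breadth-first walk along data flows
            node = queue.popleft()
            for nxt in adjacency.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result[start] = sorted(n for n in seen - {start} if stores[n]["data"] & SENSITIVE)
    return result


def render_map(stores, flows):
    """One text line per flow, in the dotted-line style of the paper map."""
    def label(name):
        s = stores[name]
        tags = ",".join(sorted(s["data"])) or "none"
        scope = "PCI" if s["pci_scope"] else "out-of-scope"
        return f"{name}[{tags}|{scope}]"
    return [f"{label(src)} ....> {label(dst)}" for src, dst in flows]


if __name__ == "__main__":
    print("\n".join(render_map(STORES, FLOWS)))
    print("Sensitive data outside PCI scope:", unscoped_sensitive_stores(STORES))
    print("Sensitive buckets with no controls:", uncontrolled_stores(STORES))
    print("Fed by internet-facing systems:", reachable_sensitive_stores(STORES, FLOWS))
```

Run against the constructed inventory, the report flags the CRM export and the event-bar PC as PII buckets with no controls and outside the assessment scope, which is exactly the class of system Stone warns a card-only assessment will never look at; the reachability walk shows the booking site ultimately feeding the property management system, the payment gateway and the CRM export, so those are the pathways whose controls deserve review first.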

Stone suggests businesses run their own break-in attempts. “If you can remotely access information in a system then that’s going to be the pathway that someone who has malicious intent might use the same pathway that you use.”

SecurityMetrics offers a free guide to help hotels, restaurants and other merchants determine whether the POS and other data-collecting systems are secure and compliant with PCI DSS and GDPR cyber safety standards.

Practice Resilience

Though no hospitality business wants to experience a data breach, it’s smart to be prepared in the event it occurs.

Paul West, a risk management and technical adviser at GapSpot!, advises hotels to create an alternative way to do business if their IT systems are on lockdown. He calls it “crisis resilience.”

West advises that hotels plan a strategy that allows them to continue to stay open amidst a cyber security event.

The lifecycle of a breach is the number of days a breach goes undetected and the number of days it takes to contain the incident.

In its 2019 report, IBM says the average length of time a breach went undiscovered was 209 days. The average number of days it took to contain the breach was 80 days.

West said businesses need to plan to continue to operate during the containment process.

Remember Y2K? And the warning to be prepared to operate without computers? Employees at banks, businesses and merchants all learned, or relearned, how to do business with paper and ink.

A modern-day data breach might require your hotel staff to perform transactions using manual processes and hand-written receipts until the crisis can be contained.

“Crisis resilience allows you to function regardless of the pressure or change in events,” West said. In the event of a cybercrime that has paralyzed your data systems “your resilience is how you are dealing with it.”

“How can you function with the least amount of lost business and the least amount of cost and expense?”

The 2019 Verizon DBIR reveals where the hackers are coming from. “Where a motive is known or applicable, financial gain is the most common driver of data breaches, representing 71 percent of cases. Espionage is the motive in 25 percent of breaches,” reads the report.

M&A Due Diligence

Criminals infiltrating your data systems is awful enough by itself, but imagine what happens if you acquire a business and merge its compromised systems with your own.

That’s what happened in November 2018 when Marriott International discovered a breach of a guest reservation database it acquired in its 2016 acquisition of Starwood Hotels & Resorts.

Information belonging to more than 380 million customers was compromised. In addition, the hackers stole more than 500 million unencrypted passport numbers.

The FBI is investigating the Marriott breach, but West said the culprit could have easily accessed what he calls a “shadow IT” system. Many hotels have a computer in a forgotten or little used area of the building, perhaps at a bar used for special occasions.

Some acquisitions are not friendly and a disgruntled employee may sabotage a system before the new team takes over.

West notes modern-day due diligence must include scrutiny of data-storage systems. That includes finding out the company’s policies and procedures for collecting and storing information, and whether security was regularly assessed.

Due diligence on the business’ vendors is also in order, said West.

In fact, whether or not you’re acquiring and integrating another system, knowing whether your suppliers are compliant with their data handling methods is an important step in ensuring your hotel’s information systems are secure.