The coronavirus crisis that’s slowed or closed businesses is attracting more cybercrime, especially as more employees work from home on unsecure devices, say experts.
(Photo: Unsplash/ Nahel Abdul Hadi)
“What we’re seeing is the bad guys out there, they know which industries are really strained right now. They know that the hotel industry is dramatically understaffed.” Jen Stone, Security Metrics
As the coronavirus pandemic lays siege to the U.S. hospitality industry, another menace is at hand – cybercrime.
Menlo Security recently reported it has detected a “sophisticated, multi-stage attack leveraging the current COVID-19 pandemic.”
Bad actors are ramping up their phishing attacks designed to steal login credentials and credit card numbers. These attacks typically involve an email that encourages the user to open a link. Once the link is opened, the criminal can gain access to the computer and its data.
Menlo Security said it expects phishing attacks to increase exponentially, an estimated 32 times greater than normal, during the coronavirus pandemic. The phishing takes place over email and texts. The communications might include “COVID” or “coronavirus” in the subject line or on an attached document.
The opening of malicious links began to surge on March 11, the day the World Health Organization declared the COVID-19 outbreak a global pandemic, reported the security company. And criminals have not let up since.
Menlo Security tracked the number of phishing attacks and shows an increase in the frequency of the cybercrime since March 11, when the World Health Organization declared the new-coronavirus outbreak a global pandemic.
Cyber security experts interviewed by Long Live Lodging warn the outbreak is revealing weaknesses in business technology platforms. They advise on what hotel businesses can do to curb cybercrime and protect their guest data.
“What we’re seeing is the bad guys out there, they know which industries are really strained right now. They know that the hotel industry is dramatically understaffed,” said Jen Stone, a security analyst with Security Metrics, which helps businesses with payment card industry compliance.
“Anything that’s already strained is a good place to look for gathering information, and the hotel industry as a whole has a lot of information the bad guys would love to access.”
Though many hotels are either closed or operating with low occupancy and a skeleton crew, now is not the time to ease up on controls of the hotel’s card data environment – where guests’ payment methods and personal identifiable information are stored.
Paul West, a risk management and technical consultant and founder of GapSpot, advises hoteliers can set themselves up for big trouble down the road if they’re not carefully watching their backend systems.
“More than ever before everyone should really be raising their awareness, their due diligence in general, and be very vigilant.”
LISTEN: Episode 263, part 10 of Lodging Leaders podcast special report on the coronavirus pandemic and its impact on the hotel industry, explores cyber security as well as how hotels are using existing tech platforms in operations and guest communication during the crisis.
In late March, the federal Cybersecurity and Infrastructure Security Agency posted guidance on its website about how state and local governments can protect communities and keep critical infrastructure secure during the coronavirus pandemic.
The agency expects cybercrime to double during the coronavirus crisis.
At the same time, as part of its COVID-19 guidance, CISA suggests essential businesses may want to have employees work off-site in the interest of health safety.
That’s all well and good, said West, but many employees who handle sensitive information might be using home computers – devices not equipped with firewalls and antivirus programs used in a corporate setting.
“A lot of people working from home are working on home devices, and that’s an issue,” West said. Software patches aren’t applied or they aren’t updated on personal devices.
In addition, employees working from home might not have secure routers or internet service. And many business owners, executive leaders as well as rank-and-file employees use the same password for different programs, websites and email accounts.
Many hospitality executives working off-site are handling personnel issues, including payroll and benefits. Remote workers might also be working in accounting. “These are the big areas to watch,” West said.
“These are people who can get hacked even if they’re not connected to (an employer’s) network,” he said. When the employee does connect to the business, the cybercriminals can infiltrate the company’s data storage. “Once they’re in, they can move all over the place.”
LISTEN: Long Live Lodging and its Lodging Leaders podcast recently covered cyber security issues in the hotel industry, including interviews with experts during HFTP’s annual convention.
‘A Different Approach’
Ransomware is the number-one cybercrime, West said.
The criminal encrypts a victim’s files and demands a payoff to unlock it. West predicts cases of ransomware will increase exponentially after the crisis has passed and businesses get back online.
The coronavirus crisis came upon the industry so fast, hotel owners or operators probably did not build security with virtual private networks or provide managers and others in administration with secure identification methods to access the VPNs.
That goes for the hotel’s vendors and service providers, too. If their systems are compromised, then so are yours.
“There has to be a different approach to this,” West said. VPNs are not designed for mobility. They are point-to-point programs and meant for on-site access and to be used by employees who have leaders’ trust.
“I think what will happen is this will switch to zero trust,” he said. “And that will require multi-faceted authentication.”
Accessing a network will require a series of steps – a combination of passwords, QR codes and maybe even biometrics, West said.
And there’s no roaming allowed. “Once an employee has established connectivity he should only have the privilege to do what he needs to do.”
Call Center Concerns
Stone noted that many call-center employees work from home. Cyber security is particularly vulnerable at call centers, especially if the call center employee is working from home.
“So we have customer service agents that previously worked in a call center that are told now you have to do this work from your home office. Will they be trying to log in to a browser from their home computer? A lot of security controls that are standard in the office you just don’t have at home,” Stone said.
Even if the employee is using a company-provided laptop, home WiFi access can be jeopardized.
“That’s pretty critical for organizations to take into account,” Stone said.
Security Metrics offers guidance on PCI compliance during the COVID-19 crisis.
A blog by Michael Simpson advises steps a company can take to ensure its network and payment processing systems are secure with employees working from home.
“Realize that any system involved in the storage, processing, or transmission of cardholder data is in-scope for your environment as is any system that can affect the security of these devices,” Simpson writes.
AT A GLANCE
Here are some updates regarding the impact the new-coronavirus outbreak in the U.S. Long Live Lodging will continue to update this chart as well as other information as part of its Special Report on Coronavirus and the U.S. Hotel Industry.