Protecting against cyberthreats in the hospitality sector

The hospitality sector is facing up to an increase in cyberattacks and, as an industry known for holding huge amounts of data, it’s critical that CISOs and their teams know where the threats are coming from and how they can be defended against. We hear from Jeff Ogden, General Manager – Middle East and India, Mimecast, and Harish Chib, Vice President, Middle East and Africa, Sophos, about some of these cyber-risks and how they can be mitigated.

What are some of the key cyber-risks faced by the hospitality industry?

Jeff Ogden, General Manager – Middle East and India, Mimecast

The hospitality industry, like any other major sector, faces a significant increase in targeted attacks. According to Mimecast’s newly released State of Email Security report 2019, targeted attacks like phishing, impersonation fraud and ransomware have increased over the last year and have caused major disruption, including loss of customers, money and data.

More than 86% of UAE respondents experienced an impersonation attack and 77% of impersonation attack victims experienced a direct resulting loss. And the thing that hurt these organisations the most was data loss.

The hospitality industry is known for hosting vast amounts of data. These organisations have to store and process personally identifiable information in order to operate effectively but it also means that they are left with the responsibility of safely storing confidential information like credit card data and proofs of identity, including passport numbers.

This automatically makes this industry a significant target. Just look at the Marriott/Starwood breach that happened in December 2018. Marriott’s loyalty rewards programme database was breached and exposed the personal information of over 500 million people, making it the second largest breach in history.

When criminals get their hands on customer information stored by a hotel group or similar, they can steal identities and open bank accounts, credit cards or loans in a victim’s name. They can also use this information for targeted social engineering and impersonation attacks, which means the cybercrime cycle continues.

Harish Chib, Vice President, Middle East and Africa, Sophos

A disconnected approach to cybersecurity is the most exacerbating security risk faced by organisations, including the hospitality industry. To understand the root cause of these issues, we first need to look at the threats we’re trying to stop. Cybercriminals don’t use single techniques and technologies in their attacks. Instead, they use multiple techniques in connected, coordinated assaults.

For example, they might start with a phishing email that includes a malicious URL, clicking on which connects you to a command and control centre. Using a combination of credential theft, privilege escalation, and malicious executables, they then carry out their ultimate goal, which could be stealing your data, or holding your data for ransom.

A disconnected approach to cybersecurity struggles to fight back against these complex, coordinated attacks. This is where cybersecurity systems come in: integrated products working together to outsmart today’s hackers.

How do regulations (like GDPR for example) impact the industry?

Jeff Ogden, General Manager – Middle East and India, Mimecast

Hospitality is probably the sector that is most affected by GDPR when looking at how the legislation impacts countries outside of Europe.

That’s because it’s the one industry that tends to store and process data from individuals all over the world.

If a European were to travel to any hotel in the Middle East, that hotel would have to ensure they are GDPR compliant because they would now be responsible for storing and processing that individual’s data.

It also tends to be an industry that stores some of the most confidential information, like passport numbers. GDPR requires organisations to obtain explicit (opt-in, rather than opt-out) consent from the owners of this data at the time of its collection. They must demonstrate they have proper controls over the processing and security of personal data, including how data is used, stored, kept up-to-date, accessed, transferred and deleted.

Organisations in the hospitality sector are likely to have customers who agree to having their data stored because it is important for the effective management of loyalty programmes or ensuring returning customers receive the highest quality service. So it’s important that the right measures are in place to ensure the best possible protection of this highly confidential information.

GDPR should be seen as a solid best practice for security and marketing guidance instead of just another compliance burden. And with more legislation like this popping up around the globe, organisations should evaluate their security and privacy projects through a GDPR methodology to ensure that they are adequately future-proofed.

What steps should businesses and organisations operating within the sector take to mitigate cyber-risks?

Jeff Ogden, General Manager – Middle East and India, Mimecast

It is important that these organisations have the right measures in place to be able to face cybersecurity challenges and ensure they are resilient. Organisations need to have effective, layered security controls before, continuity during and automated recovery after an attack.

It’s important to have a comprehensive cyber-resilience strategy in place, employ skilled cybersecurity employees, have a plan to keep email running and be able to recover data in the event of a successful ransomware attack.

Another important step would be to have effective and regular cybersecurity awareness training. Many hospitality staff members are dealing with the personal data of their customers and so they need to be cyber aware.

While most organisations offer some kind of training it’s often ineffective, boring or not provided often enough. Training needs to be engaging, delivered persistently and it needs to concentrate heavily on helping employees detect and avoid cyberattacks.

Harish Chib, Vice President, Middle East and Africa, Sophos

The companies need to re-think the traditional approach of ‘layered security’ and think more about a ‘cybersecurity system’.

With the latest Deep Learning technologies, new cybersecurity solutions can now take action faster than an IT manager, predicting issues and stopping threats before they can enter an organisation’s network.



