As technology has become available, the hospitality industry has focused on making the most out of innovations such as contactless services and eco-friendly practices.
The era of mobile and contactless services has ushered in a new normal for hospitality organizations, offering guests seamless experiences with a simple tap of their smartphones. However, as these advances present new and profitable opportunities for the hospitality industry to navigate, they come hand in hand with associated risks as threat actors gain an understanding of how operators use these tools and their vulnerabilities.
Trustwave SpiderLab's recent research into the threats facing the hospitality industry, 2023 Hospitality Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies, shows exactly how innovation is a blade that can cut two ways.
The security implications bundled with these new customer-friendly applications and services have proven to be specifically challenging, especially with the rise of contactless services. Trustwave SpiderLabs found 59 ransomware incidents occurred in the hospitality industry in 2022, with 26% of all reported incidents among Trustwave hospitality clients attributed to credential access – specifically brute force attacks, which use trial and error until the bad actor gains access.
Hoteliers must address the following concerns to ensure the safety and security of their and their guests' data, such as personal information, travel preferences, identification documents, and payment details.
The Challenges of Turnover and Being a Seasonal Business
We have witnessed time after time that the human factor is the weak point of any mature cyber program. The MGM Resorts and Caesar's Entertainment cyberattacks underscore how the vast majority of attacks in the hospitality industry focus on people-based methods such as phishing and email-borne malware.
Because resorts, destinations, and travel in general tend to be seasonal, the hospitality industry faces the recurring issue of seasonal workforce turnover. As workers come and go, it heightens the likelihood of gaps appearing in a hotel's security posture. Maintaining consistent security protocols can become daunting as hotels hire and train new employees for peak seasons. Just as one group is trained, they leave, and the cycle repeats.
Adding to this conundrum is the use of mobile devices for guest services, check-ins, and access control, which introduces an additional layer of complexity to this constant flux.
So, what is the takeaway from this scenario?
Organizations must revisit and prioritize security awareness and education needs to become a business conversation – not solely a cyber one. The question is where to start.
In a perfect world, organizational governance is already raising these risks at the senior leadership level and supporting its cyber leader, but the world isn't perfect. This imperfection requires that security leaders ensure this conversation is occurring across the leadership spectrum – from the board through a combination of HR, IT, and legal.
Most workers, especially temporary, rarely recognize potential threats or adhere to best practices in securing guest information. Luckily, this situation can be altered for the better with regular security awareness sessions.
Unfortunately, even with the best awareness and education programs in place, there will still be unintentional – and more malicious – security incidents. Incident resilience requires understanding and readiness at multiple layers of the business. Incident response plans should be well-known and frequently tested.
That plan should account for every team member, ensuring administrative staff, executive management, and front desk staff know how to effectively identify, report, and mitigate security concerns. Hotels must train new and seasonal hires accordingly.
Scattered Networks and the Risks of Centralized Management
The shift towards mobile and contactless services has led to the proliferation of devices and endpoints connected to hotel networks, some of which are spread over nations and even continents.
From mobile check-in kiosks to smart room controls, each device is not only super convenient for customers but is also a potential entry point for cybercriminals. Cyber technology investment doesn't alleviate the need for governance and oversight to help properties embrace a secure-by-design culture. The independent operating nature of each hotel can create scattered networks; it's also an opportunity to think about how best to centralize property management across a brand. After all, a breach to one is a breach to all.
There are, however, pros and cons to implementing centralized network management solutions.
While these can streamline security efforts by enabling IT teams to monitor and control all network-connected devices from a central dashboard, centralized management can make systems more likely to fall to a cyberattack. This is because there is now a single point of total failure if and when attackers breach a network. To maximize security but minimize these risks, hotels should employ a defense-in-depth approach with multiple layers of security capable of protecting against breaches and lateral movement across the network.
Hotels may choose to keep that process in-house or outsource for additional security skills, capacity, and sustainability. The need for outside help cannot be understated.
Hotel operators must deal with a myriad of issues. Not just the people, processes, and technology of the hotels but also the corporate environment. These two are becoming more intertwined, and adding to this environment's complexity are the important third-party vendors that bring technology into their networks.
Continuous digital monitoring of confidentiality, integrity, and availability of traveler and corporate data can be costly to sustain if it's difficult to determine which data brings valuable insight versus additional noise. The people and process skills required to navigate a rapidly evolving digital environment are also difficult to scale. Partnerships are becoming critically important to alleviate burnout and help hotels compete for talent locally, with a predictable digital resilience operating model that can continuously defend the business from known and unknown threats.
Balancing Accessibility and Safety in Physical Security
Hospitality centers are nothing, if not large, facilities with many points of access, not just from a cyber point of view but physical. This means physical security is an increasing concern and a vector threat actors continue to exploit. Mobile keys, for instance, rely on Bluetooth or near-field communication (NFC) technology, which can be susceptible to unauthorized access if not properly protected.
The challenge lies in finding the right balance between accessibility and safety – 80% of guests want mobile technology used in hotels, making mobile a prime attack surface. Balancing the traveler experience with compliance, privacy, and threat risks is a continuous conversation in governance committees. Organizations may have policies, but ensuring adherence to policy can be the difference in property hygiene. Protecting mobile keys should require multi-factor authentication and encryption, but can we verify we have 100% compliance in achieving that across each hotel?
Physically speaking, hotels may choose to divide their property into access zones with varying levels of security. For example, guest rooms and public areas may have different access controls. Similarly, hotels should provide separate, secure Wi-Fi networks for guests and staff. Guests should have easy access to the internet without compromising the hotel's internal network. Strong authentication, such as requiring a room number and/or unique access code, can prevent unauthorized users from joining the network.
The Way Forward: A Holistic Approach
In the era of mobile and contactless services, security isn't a one-size-fits-all solution. Instead, it demands a holistic approach encompassing training, technology, and vigilant monitoring. To avoid placing travelers' brand loyalty or trust in question, hotel customer experience leadership teams must address their digital resilience posture.
By continuously educating staff, centralizing cyber governance supported by executive leadership, and prioritizing physical security measures, hotels can embrace the benefits of mobile and contactless services while safeguarding their guests' privacy and data.
A version of this article originally appeared in Today's Hotelier.
