Cybercrime is already costing the hotel industry and others billions, not millions, and the stakes are about to get higher in Europe with the introduction of new general data protection regulations.
GLOBAL REPORT—Cybercrime is costing global businesses billions, not millions, and in some jurisdictions—notably in the European Union—the cost to companies found guilty of negligence in regards to data breaches could soon rise substantially, according to sources.
At a panel titled “Cyber-attacks are on the increase, so how secure are your systems?” at the recent Annual Hotel Conference and in telephone conversations with Hotel News Now, experts underlined that many businesses, especially small- and medium-sized ones, remained woefully unprepared.
The EU’s General Data Protection Regulation comes into effect in the United Kingdom, as one example, on 25 May 2018.
Moyn Uddin, a cyber and privacy consultant, said GDPR will change the landscape for everyone and could cost businesses huge fines, but he also sees it as a learning opportunity.
“It is an opportunity to have organisations really go out and find out what data they have, but not only that, to analyze where they get it from, what they have and why they have it,” he said.
Uddin said fines could “be as high as €20 million ($23.2 million) or 4% of global turnover, whatever is the highest, if you really screw up.”
The new regulations would force hoteliers and other entrepreneurs to really concentrate on what risk they had and how they processed data, he added.
The new Data Protection Bill currently passing through the U.K. Parliament will mirror GDPR post-Brexit and will also make directors liable on the occurrence of a data breach.
“The more I talk to hoteliers, the more I see they do not understand the concerns,” said Jesus Molina, director of business development, Waterfall Security Solutions, who added at a recent stay at a hotel in China he had been able to “take control of every Internet-able device in every room.”
Molina added he told hotel officials immediately.
Uddin said industry sectors such as finance, insurance and banking are best prepared, but that is because they are highly regulated, compliance-driven sectors.
“They are quite good at those things and have big teams,” he said. “The leisure industry, and others not so regulated, they are finding it difficult, as they do not think about this traditionally. Most have had hacks, but with GDPR, they almost might suffer huge damages in regards to reputation and fallout.”
“Imagine the headline of the Daily Mail the first time this happens post-GDPR,” he said.
Uddin said right now is the time to start thinking about and complying with the new regulations.
“Use GDPR to drive improvements in cyber-security, as it will soon be a legal requirement,” he said. “There will be no two ways about it. Look at where the most problematic areas are. Find out where the major gaps are. That will improve cybersecurity, and that can be used to raise related culture with staff and partners and points along the supply chain and operational risk. It is every business’s responsibility to make sure all are compliant.”
Too clever by half
Richard Hodson, director, UKGlobal Broking Group, said it’s a problem that it’s not always obvious when breaches occur.
“Would you necessarily know if you had a data attack? That’s the first step to being able to take definite action,” he said.
With the mania to make hotels technology havens as much as comfortable retreats, Hodson questioned the wisdom of designing “intelligent buildings controlled by WiFi, when this opens the door to cyber-attacks.”
“Every room (in the Chinese hotel I stayed in) had an iPad to change the lighting et cetera. I found the script, ran some scenarios and then thought, ‘If I can do this in my room, I can do this throughout the hotel,’” Molina said.
Paul Cook, head of technology, ISG Technology Solutions, said hoteliers needed to think about cybercrime right from the beginning of the design process.
“Breaches often occur from a failure of IT design in the very first place,” he said. “Information can be kept on disparate silo sites, with the IT integrator then assigned to try and design software components to stitch it all together. This is how holes can form.”
Cook recalled a tale about how someone hacked into a hotel owner’s personal email, studied how and when communication was done between employees and chose a time to add a fictitious invoice, which he then chased to be processed pretending he was the owner.
All the AHC panelists had similar tales.
The highest levels of protection might be easier to achieve at a new-build property than a hotel in a 600-year-old building, panelists said.
“Look at what you have. What platforms does information sit on? It has to be a holistic risk assessment,” Cook said.
Molina added that not every business needs every new IT gadget.
“There is big money in all of this, and you do not need everything. Fears come from the interaction of your people with your machines, so ask, who has control of what? Segmentation done correctly solves many problems,” Molina said.
“If a building is controlled by WiFi, it’s not an intelligent building. Well, obviously it’s not a stupid building,” Cook added.
Uddin said insurance against GDPR was almost impossible to obtain.
Hodson said it was possible to insure against general cybercrime and that the risks insured against are the same as they would be from fire and theft—a loss of business, profits and reputation—but that many insurers do not currently have cyber security teams in place.
And those taking out any insurance might not know they could have recourse against IT vendors, Hodson added.
Hoteliers that take in large numbers of payments would need to have certain requirements in place.
“There are fairly basic controls, such as having regularly updated virus patches, data encryption, a firewall and processes in place that are independently verified, but still at the moment everything is very low-touch,” Uddin said.
He said a new headache under GDPR is that individuals affected by data breaches will be able to make claims, and that both processors and owners (data controllers) of data are liable.
“There are more people under the risk umbrella. With cyber insurance, the risk still stays with (the owner), and insurance investigations will be thorough. Cyber insurance does not cover GDPR, as the risk is so high,” he said.
Individuals will also be able to claim in three different jurisdictions—where the breach took place, where they work and where they reside, Uddin said.
This does not constitute three separate claims, he said, with the individual more than likely going for the maximum pay-out.
“And as always, there will be lawyers to advise them,” Uddin said.
“When customers start taking action then (legal actions) will take place more and more often,” he added.
Colin Nutton, operations director of cyber security consultancy Software Major, with which Uddin is also affiliated, said the best advice for hoteliers is to “get some advice. Anyone who says they are not worried about GDPR, well, they are either lying or foolish.”
“Good advice from people who know what they are talking about. There are charlatans out there jumping on this (GDPR) bandwagon,” he said.
Uddin said there’s one more benefit of having data-processing operations in tiptop shape.
“I compare having the right processes in place to having good brakes on a car. They will let your business drive faster as you know you are safeguarded,” he said.