A hotel owner shouldn’t always rely on their management company to ensure proper cyberattack defense. Here are some ways an owner can take extra precautions themselves.
It seems as though each week brings a new cyberattack or credit card breach that affects thousands, if not millions, of users. Yahoo!, Target and FedEx have all been recent victims of a variety of highly publicized cyberattacks.
According to Forbes, the global cost of cybercrime was estimated at more than $450 billion in 2016 and is forecast to grow to $2 trillion by 2019. Last month’s ransomware attack, “WannaCry,” affected users around the world and should be a warning that hackers are becoming more sophisticated, broadening their targets and getting more aggressive.
But did you know that one in five cyberattacks occur in the hospitality industry? Many of these attacks weren’t made public, but hackers are quickly learning the hotel industry is an easy target. Until we acknowledge this, we should expect more aggressive attacks in the future, which will be much worse than yesterday’s simple credit card breach.
Unlike banks, retailers and technology firms, the hotel industry operates with an open and accommodating environment. We invite guests and other visitors into our lobbies and hotel rooms where they can join unrestricted Wi-Fi networks. We encourage mobile and online reservations, and the technology to check into your guestroom with your iPhone is here. These multiple entry points, though favored by guests, can create substantial risks for hotel operators and owners.
As hotel owners, we rely on our management companies to ensure they take the necessary steps to protect us from cyberattacks and credit card breaches. So how is the typical hotel management company doing? Based on our discussions with cyber experts, audit firms and credit card processors, as well as our findings from cyber-penetration tests, it is apparent the hotel industry has a significant cybersecurity problem.
A respected cybersecurity expert focused on the hospitality industry recently conducted cyber-penetration tests at several branded and independent hotels around the country and successfully accessed the inner workings of the hotels’ property management systems, point-of-sales systems and accounting systems in a matter of minutes. They advised this is typical of what they see throughout the hotel industry, which should concern every hotel owner and operator.
As a CFO for a publicly traded hotel real estate investment trust, part of my role is to manage the risk environment for our company. I have reviewed the cybersecurity and control environment for more than 20 hotel management companies and brands and have learned that they primarily focus on credit card data, payment card industry compliance and individual guest information. Keeping this information secure is certainly important, but this is just part of the cybersecurity spectrum. Gaping security holes currently exist throughout the industry, which present significant risks from cybercrime. It is just a matter of time until this risk materializes.
So, what should a hotel owner do to better protect their hotel? Based on my experience, along with working with cyber-experts in the hotel industry, here are a few things I recommend:
- Conduct an assessment at your hotel: Retain a third-party cybersecurity expert who will help you identify key areas of risk at your hotel. Following the assessment, ensure that detailed policies, procedures, technology and regular employee training practices are in place to monitor and detect the risks identified in the assessment. You should not expect your hotel manager to do this for you. Cybersecurity is a constantly evolving process, so these assessments should be performed regularly.
- Ongoing monitoring at your hotel: If you don't have the resources for an in-house team to monitor cybersecurity, you should retain a managed security service provider (MSSP). They have the resources and knowledge to proactively detect and contain threats. But don’t underestimate the value of basic employee training and oversight, which can prevent or mitigate many cybercrimes. PCI and Europay, MasterCard and Visa compliance, while important, does not provide a full-spectrum approach to securing your hotel.
- Secure all POS terminals: POS terminals are the No. 1 attack vector in the hospitality industry. Ensure that you use a POS solution that uses a supported operating system and confirm that patches are applied regularly. Endpoint detection tools (e.g. Antivirus, Anti-Malware, Firewall), network segmentation and disablement of all unnecessary services can drastically reduce your risk level.
- Back up systems regularly: Ensure all critical systems have daily backups, and test them frequently. In the age of ransomware, this might mean the difference between paying a hefty sum to criminals and seamlessly recovering your data to keep your hotel running smoothly.
We live in a new age of cyberterrorism, and the hotel industry will come under attack. Experiencing a cybersecurity breach is no longer a question of “if,” but a matter of “when.” As a hotel owner, you need to protect yourself, as you cannot expect your hotel manager to do so.
Raymond D. Martz is the chief financial officer for Pebblebrook Hotel Trust and serves as the Co-Chair on AHLA’s Financial Management Committee. He is a graduate of the School of Hotel Administration at Cornell University and holds an MBA from Columbia University. The AHLA’s Financial Management Committee supports the overall goals and objectives of the American Hotel & Lodging Association by providing superior financial management expertise on issues of common interest to owners and operators of hotels.
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Bloggers published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.