How to ramp up employee cybersecurity training
10 FEBRUARY 2016 7:39 AM
Here are five tips for making your property less attractive to hackers, whether the threat comes from an outside offender or from employees.
In 2015, the hotel industry suffered unprecedented cyberattacks. In one month alone, Hyatt Hotels Corporation, Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings all fell prey to savvy cyber thievery.
Hyatt confirmed hackers used malware to collect cardholder names, card numbers, expiration dates and verification codes from at least 250 hotels globally. Just a few days after the company announced its planned merger with Marriott International, Starwood Hotels also stated malware had been used to steal credit and debit card data that was found on point-of-sale cash registers.
Hilton also began investigating credit card breaches at several of its properties, including its Hilton, Embassy Suites, DoubleTree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts brands. Hilton confirmed the breach and, much like Hyatt and Starwood, cited unauthorized malware that targeted payment card information in point-of-sale systems as the cause of the breach. Additional hotels targeted by hackers in 2015 included The Trump Hotel Collection, Mandarin Oriental and White Lodging Services Corporation.
To help prevent breaches, management should take steps to clearly define employee policies and procedures, which include:
Create protocols for access and transfer of sensitive information
Once a hotel has its IT network secure, only certain individuals should have access to the data. Further, user activity should be monitored using insider threat detection solutions that notify management of suspicious activities, both external and internal. This includes monitoring applications for phones or computers that have access to sensitive data.
Hoteliers should tighten all network security. Simple ways to help accomplish that include:
- ensuring logins expire after short periods of inactivity;
- requiring strong passwords that are never written down in public or unsecured locations; and
- scanning devices for malware every time they are plugged in.
Confirm that off-site technology is secure
Data housed off-site should be routinely backed up, and hoteliers should ensure that Web application firewalls are cloud-based solutions that are secure and encrypted. Hoteliers also should use top-notch anti-malware software and update it routinely.
Secure paper files that might include personal information
Employee files are a major target area for data breaches by way of paper files. They are typically easy to access (particularly in smaller hotels) and provide a significant source of data for a low-tech inside job.
Employee files also might include medical information protected by HIPAA. According to the Department of Health and Human Services, hacking has been involved in the HIPAA breaches of nearly 3 million patient records since 2009. Employees across all industries, including hospitality, should be aware that this highly sensitive information needs to be protected.
Ward off “spear-phishing” tactics
Cybercriminals frequently send phony emails to companies and individuals that seem to be from someone the recipient knows, often containing malware attachments. These emails look legitimate, but havoc could ensue if the receiver responds or even opens an attachment.
Employers should create policies and procedures to inform and educate employees about such scams and develop a methodology for handling suspect emails and other forms of correspondence.
Create a workplace culture with a strong emphasis on privacy and data security
Companies should be working to instill a sense of responsibility in every employee when it comes to cybersecurity. Properly trained employees will be mindful of the potential areas of susceptibility.
Companies can continue investing in IT software, but more attacks are likely to happen if they fail to engage their workforce. If nothing else, breaches from the inside become far less likely in a hotel with a strong culture of privacy and data security. Areas completely within the hotel employer’s control include implementing written policies and procedural safeguards.
While these practical tips cannot guarantee that your property will be immune from a data breach, they offer guidance on making your property less attractive to hackers, whether the threat comes from an outside offender or from employees.
Lara Shortz and David Lee are partners in Michelman & Robinson, LLP’s Hospitality Department. Michelman & Robinson, LLP is a national law firm with offices in Los Angeles, Orange County, San Francisco, Sacramento and New York. For more information, please visit www.mrllp.com.
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies.