Cybersecurity and Hospitality: A Unique Challenge

Hear from White Lodging, Loews Hotels, and the Retail & Hospitality ISAC on issues such as ransomware, multifactor authentication, phishing, employee training, cybersecurity budgets, and more.
IT security panel at HT-NEXT 2022

Insurance Prices Keep Rising

Referencing the recently released 2023 Lodging Technology Study, Vander Linden asked Todd and Armstrong if they felt that budgets specifically for cybersecurity were increasing.

“Insurance is a significant driver of spend within the cybersecurity space,” Armstrong noted. “Every year we have to fill out a cyber insurance renewal and every year they add three pages and 250 questions. So we continue to have to grow the environment to meet the needs and concerns of the insurance carrier.”

Todd agreed, noting that 10 years ago, when he filled out a cyber liability insurance form, it was one page long and had three multiple-choice questions.

“Now it’s a multiday project!” he added.

Cybersecurity is at the top of most IT executives' minds, regardless of what industry they work in. So, it was unsurprising that during HT-NEXT 2022, the room was packed with attendees who wanted to hear from three important individuals: Luke Vander Linden, VP of Membership & Marketing, Retail & Hospitality ISAC; Chris Armstrong, VP of IT Security and Governance for Loews Hotels; and David Todd, Senior Vice President and Chief Information and Security Officer for White Lodging.

For those unfamiliar with the Retail & Hospitality ISAC, Vander Linden explained that it is a membership organization that offers platforms where cybersecurity information can be quickly and safely shared among the members. This information could be everything from indicators of a compromise to strategies for how to overcome or prevent an attack. Currently, 20 percent of the organization’s members work in the hospitality or travel industry.

Both Todd and Armstrong are members of the Retail & Hospitality ISAC, and both joined their respective companies at a time when cybersecurity was top of mind for the executive leadership team.

“White Lodging suffered two credit card security breaches back-to-back,” Todd explained. “One in 2013 and then one in 2015. I was asked to join the company in 2016 to help put controls in place and prevent that from happening again.”

Todd became the company’s very first CISO.

Armstrong, on the other hand, started at a time when a Loews Corp. subsidiary and sister company to Loews Hotels suffered a ransomware attack that “leveled them for four weeks. My ELT has been extremely supportive of the information security space, and I’m sure that has a little bit to do with it.”

Picking up on this comment from Armstrong, Vander Linden noted that the attitude among many leadership groups is to view cybersecurity as a cost center that isn’t prioritized until a breach happens.

“There’s definitely a honeymoon period following a breach where you get a lot of attention, budgets are fairly open, and senior level people are very responsive to ensuring the recovery process goes as smoothly as possible,” Todd noted. “But it is a honeymoon, and it gets harder and harder as people forget about the breach.”

To help ensure organizations keep cybersecurity top of mind even after the honeymoon period is over, Armstrong emphasized the importance of good communication with the leadership team, executive boards, committees and more.

“It’s our responsibility to provide [information security and risk management strategies] to them in a consumable manner. It shouldn’t be filled with tech jargon,” he explained.

Todd agreed, noting that he has weekly meetings with White Lodging’s COO and his operational team for this very reason.

“We have a lot of acronyms and jargon in our space but I’m trying to learn my COO’s language and their jargon. I need to know what they do on a regular basis and what their pain points are. Building that relationship has really helped me to explain ransomware to them because when they see I’m interested in them and what they’re doing, they become more interested in me and what I’m trying to do,” Todd added.

Data Breach Trend

Referencing the DBIR (Data Breach Investigations Report), Vander Linden noted an interesting trend in targeted data. About five years ago, breaches typically targeted credentials, PII, payment data, etc. and made up about 50 percent of the industry’s cases. Today, those types of breaches have fallen to less than 2 percent of cases.

Todd speculates that the reason for this is that hoteliers have made it much more difficult to capture payment information from their environment. But he cautions against feeling too comfortable and thinking “I’m done, I’ve fixed it” because “every day I’m chasing down something new and we’re constantly having to evolve.”

Armstrong agrees. He explained that a good security program is like your car: it needs to be fueled regularly, you need to give it regular maintenance, and sometimes it might require an expensive repair.

Ransomware, Multifactor Authentication, & Phishing

When asked by Vander Linden if ransomware continues to be a threat for hoteliers, Todd said, “It’s one of the things that still keeps me up at night.”

Starting in 2015, the lodging industry began to spend a significant amount of time and resources educating its workforce on ransomware attacks. But then 2020 and the pandemic hit and the workforce was “turned upside down,” Todd explained. “We tried bringing people back but I can personally tell you that 60 percent of our workforce has been with our brand for less than a year. So I’m having to redo all that training.”

Armstrong agreed, noting that the reason ransomware attacks are successful is often because “someone made a mistake. It’s not because people don’t care or aren’t doing their jobs.”

Even a protection like multifactor authentication has been weaponized by cyber criminals.

“We protect our emails with multifactor authentication and bad guys will just ping employees every 15 seconds to annoy them into hitting the approve button and letting them into the system,” Todd added. “So they’re using our own tools against us.”

Adding to Todd’s comments, Armstrong noted that phishing scams are still a very successful tool for scammers.

“When you talk about training your workforce, we’re trying to get employees to think through what’s being asked of them, to be focused and thoughtful. We all have 800 emails a day that we’re trying to get through, but taking a few extra seconds could save the company,” Armstrong said.

To help train and prepare employees, Loews Hotels sends out several of its own phishing scam emails, measures the response rate and reports that data back to leadership. For employees without an email address, it uses the TV systems within the hotel to deliver a static awareness campaign. Meanwhile, White Lodging has begun sending out its own phishing emails monthly, up from its original policy of twice per year.

“If an employee fails, we make sure they know right away,” Todd said with a laugh. “We invite them to do more training and thank them for supporting our security policy. But really the question is, why are our phishing failure rates so high?”

Prior to coming to White Lodging, Todd worked in the auto insurance and financial sector, where their scores were around two or three percent.

“I haven’t been able to get us even close to that,” he said candidly.

Armstrong feels that could be because of the inherent good-natured personality that is drawn to the hospitality business.

“Our job is to make people feel better, cater to our teams and our guests. We immediately want to jump in and help,” which makes it easier for team members to be scammed.

The Future of Security

When asked how White Lodging is looking to secure its data both now and in the future, Todd said the company has three key principles that its cybersecurity policy has been built around. To begin with, keep things simple.

“We’ve made security too difficult for our front desk managers,” he explains. “Do I call internal employees, the vendor, the brand? Complexity is the enemy of security. So we’re really looking to rationalize our tool set.”

Second, White Lodging is going back to basics: disaster recovery, business continuity planning, etc. If the business does suffer a breach, it has to be able to rely on its backups.

Third, automation is going to be beneficial now and in the future, and automated controls are much more sustainable than manual ones.
