Hospitality: Shelter Your Business from Advanced Cyber Threats

The past five years have seen a huge shift within the hospitality industry. Hotels and restaurants are now nearly completely digitalized – from reservation platforms and apps and POS systems, to the complex corporate networks of large chains. These changes have brought enormous gains in efficiency but also enormous increases in cyber risk.

According to Verizon’s 2017 Data Breach Investigations Report, accommodation was the top industry for point-of-sale intrusions. Over the past several years, virtually every major hotel group has been attacked: Starwood Hotels & Resorts, Mandarin Oriental Hotels group, Trump Hotels, Hilton, Hyatt, Hard Rock Hotels and Omni Hotels, among others. Recently, the Intercontinental Hotel Group, discovered malware across multiple brands and more than 1,000 properties.  The restaurant industry is similarly besieged, from the massive 2016 credit card breach of the Wendy’s fast food chain to the targeting of restaurants across the United States by the notorious FIN7 cybercrime group.

This article from endpoint security software provider Morphisec looks at what makes the hospitality industry so vulnerable and what companies can do to keep themselves safer.

Hospitality a Target of Choice

While all industries must deal with the threat of cyberattacks, hospitality establishments contend with a unique combination of risks factors. Hospitality, whether hotels or restaurants, transact more credit cards than almost any other industry, making them an extremely attractive target. And hotels in particular have many access points for malware to enter the system, from WiFi to on-premise restaurants and services. The threats don’t stop with the internal systems. Organizations also need to worry about attacks via online travel agencies and other vulnerable third party suppliers. The most recent breaches of Hard Rock properties, Loews Hotels, Four Seasons, Trump Hotels, Kimpton Hotels and Restaurants and the Red Lion Corporation all occurred through third-party Sabre’s SynXis central reservations system.

Lagging Resources

The hospitality industry’s rapid push to digitalization means that it is still playing catch-up on the security front. Hotels are dispersed geographically and often do not have skilled IT/security staff on site. The 2017 Lodging Technology Study by Hospitality Technology found that 74% of hotels do not have breach protection and less than half use end-to-end encryption for cardholder data or use tokenization at the card swipe. The recently published Verizon 2017 Payment Security Report confirms this gloomy picture, reporting that only 42.9% of hospitality companies have full payment security compliance, with the number dropping to 25% when looking just at American organizations.  Moreover, high employee turnover (a whopping 72.9% according to the U.S. Bureau of Labor Statistics) and extensive networks make it difficult to manage human error and ensure network integrity.

Common Attack Types

An overwhelming 74% of cyberattacks on the hospitality industry involve PoS intrusions. PoS systems are a weak security point for many networks as they are in constant use and often are not patched or updated. They provide direct access to lucrative payment card and other personal data, such as passport information, driver's license details, address details, emails, date of birth, and more. Cyber criminals then can monetize this stolen data through marketplaces on the dark web. In addition, PoS systems in hotel restaurants and other on-premise facilities can serve as gateways to a chain’s regional, national or global data systems.

Denial-of-Service attacks make up approximately 20% of hospitality cyber incidents. While they don’t carry the same risks as data breaches, they can impact revenue by bringing down critical systems such as online booking portals and billing systems. In addition, DoS attacks are often a diversion to hide other attacks, mainly data exfiltration.

As if hospitality didn’t have enough to contend with, ransomware has emerged as a viable threat to the industry. In January 2017, attackers locked the computer system of a four-star Austrian hotel, demanding $1,800 in bitcoins to restore functionality.

Sheltering Your Business from Attacks

Early detection is key to controlling attack costs and reputation damage. Hospitality has a better track record than other industries – most incidents are discovered within several weeks. But with system breach taking only minutes and data exfiltration completed in hours or days, it’s not good enough.

Host- and network-based firewalls should be used as the first part of a layered security approach. When it comes to endpoints, loading up PoS terminals with heavy anti-malware products is usually not feasible from a system performance point of view. Hospitality businesses should focus on building a security stack for their PoS devices and other endpoints that prevents threats at the pre-breach stage, but does not slow down operations or require ongoing IT resources. This also holds true for organizations using Virtual Desktop Infrastructures (VDI). Virtual environments widen the attack perimeter – an attack on a user’s physical desktop can provide access to the central virtual desktop server. To be considered secure, your VDI must be complemented with additional security layers, just like a traditional desktop environment.

A good endpoint prevention stack consists of an antivirus solution to handle known threats and a prevention layer that effectively prevents unknown, advanced attacks. While there are many serviceable AV solutions to pick from, protecting against advanced threats gets trickier. For example, the latest FIN7 attacks on restaurants used fileless techniques that were not only undetectable by signature-based AV solutions, but also weren’t stopped by many of the behavioral security tools or AI-based Next Gen solutions. Consider one of the newer technologies, like Moving Target Defense (MTD), which preempt such attacks by morphing the system runtime environment, so an attack cannot find and exploit the memory resource it is targeting.

No technology, however, can substitute for an overall culture of security. With solid policies, a reasonable, well-managed patching plan, and the right combination of traditional and innovative cyber security products, hospitality organizations can make themselves safer from current threats as well as those to come.