How Hersha Hospitality Uses AI to Fight Phishing
In this exclusive interview with Hospitality Technology, Jason Shane, VP of IT at Hersha Hospitality, shares how the company is using machine learning and staff training to reduce its risk of a data breach.
What have been your biggest challenges in your role as Vice President of IT of Hersha Hospitality?
Jason Shane: The hospitality industry continues to face challenges in the protection of personally identifiable information (PII) and customer credit card data. Cybercriminals have increasingly targeted hospitality, knowing the industry has numerous legacy systems that store and transmit sensitive customer data. Numerous large hotel brands have reported large-scale data breaches through a variety of threat vectors such as point-of-sale exploits, targeted spear phishing, and malware-based attacks.
Credit cards are the primary payment method in the hospitality industry, which drives our team to prioritize credit card security to protect our customers. Year after year, email continues to be the most significant threat vector to the hospitality industry, including threats to consumer credit card data. Email is used as an entry point to carry out sophisticated malware or phishing attacks. The attacks attempt to deceive their intended target into divulging sensitive information, with a target to break back-end computer systems that contain customer data or financial assets.
Our business consists of more than 5,000 employees who are spread across 120 hotels and resort complexes in the United States. Since we have geographically dispersed operations, email is a critical channel for us to collaborate throughout the day and night. In fact, we process about half a million incoming and intra-organizational emails weekly, including those that communicate new HR policies and procedures, guidance from the executive team to regional managers, business changes, and customer requests.
What tools does Hersha use to train staff on best practices to avoid a data breach?
Shane: As with many businesses today, email is our primary mode of communication. While training serves as a decent baseline education on best practices to follow, we’ve found that our employees are far more likely to follow those best practices when we provide proactive tools that remind them at the moment of risk. Our email security solution, GreatHorn, places a banner on the top of emails to warn employees to take extra care when interacting with emails it deems suspicious.
About how long have these programs been in place? How often does your team (internal and external) update these procedures?
Shane: We’ve had some form of training and email security for years, and have been using GreatHorn specifically for more than three years now. GreatHorn uses machine learning to understand individual and organizational communication patterns, so as good as it was when we first deployed it, it just keeps getting better over time as it learns what’s “normal” in our environment. The team there is also continually improving the product, adding new detection and remediation techniques all the time.
What impact does staff turnover have on these efforts?
Shane: Employee bases fluctuate pretty significantly across the hospitality industry. According to the Bureau of Labor Statistics, the hospitality industry has an annual turnover rate of 73.8%, with over 6% of staff leaving every month. While security awareness training plays a role in an organization’s security measures, employee mobility and turnover create challenges in effective training programs that safeguard employee and customer information.
Ensuring new employees adhere to our rigorous security standards is a tedious process, particularly as new threats emerge daily. We needed a tool that could not only do a better job detecting sophisticated phishing attacks, but also one that would help our employees in the moment of an attack in case one made it through our initial defenses.
What role do AI and automation play in detecting these threats?
Shane: GreatHorn Email Security combines threat intelligence from their proprietary database and third-party sources with adaptive threat analytics to identify widespread known attacks, as well as highly targeted spear phishing attacks. The solution is able to analyze the risk of all email that is sent within our organization and is able to gain a constantly evolving understanding of our unique communication patterns and relationships between the sender of the email, our employees, and Hersha as a whole. This makes it much easier to identify phishing attacks that otherwise have no obvious malicious threat.
My understanding is that machine learning is also applied to all the email they see across their customer base, making it easier for them to quickly spot emergent threat patterns.
In addition to identifying threats, our solution provides our employees with context around emails that are suspicious, but don’t quite meet the threshold of an obvious threat – this supplements our cybersecurity awareness training. For example, if an email claims to be from an executive at the company but does not use their corporate email address, the system will apply a banner at the top of the email that warns the recipient that this might be a phishing attempt. That additional warning effectively serves as in-the-moment context security awareness training and often provides the necessary context our employees need to reconsider responding with sensitive information.
The final piece here is incident response. There is no email security tool that’s 100% effective at stopping threats before they reach the users – if you met that standard, you would also be stopping a lot of “regular” business communications. The manual process of removing threats that are already in mailboxes can be imprecise and tedious – lengthening the time your organization is exposed to risk. GreatHorn gives us the ability to quickly find and discover those threats that are still in mailboxes and with just a couple of clicks, remove them out of harm’s way.
How successful has this initiative been? How are you measuring this program’s success?
Shane: Security is a continuous improvement cycle – it’s something we’ll always work to refine. The greatest measure of success is when there’s no news to report because none of the attacks have been successful. Over the past three years, my security team has been able to spend a lot less time on email threat management and more time on other critical security areas. This initiative has enabled the security team to stop acting as a “human firewall” and has allowed our employees to trust their email again.