As the coronavirus vaccine becomes more widely available and the hospitality industry continues its pandemic recovery, the health and safety of employees and guests remain top of mind for hotel and restaurant leaders across the United States. These concerns prompted unprecedented business regulation by states and local governments in response to the pandemic, including measures designed to mitigate the spread of COVID-19 by limiting the operations of hotels and restaurants. On the other hand, these concerns fueled innovation at various levels of the hospitality business, which has experienced a significant shift toward providing contactless options for customer-facing functions like reserving rooms and tables, check-ins, and payments, as well as in adapting, internally, to virtual team meetings and increased working from home for back office functions.
Unfortunately, despite their best efforts, many hospitality and tourism businesses struggling to stay afloat under the weight of spiking coronavirus cases and government regulations laid off or furloughed management and professional staff, including compliance and IT security personnel who, in the past, were the first line of defense for the data stored in the organization’s computer systems and networks. Meanwhile, cybercriminals have seized the opportunities potentially created by their weakened defenses, as well as those of other businesses of all types, governments, medical organizations, and education institutions. In fact, at one point during the pandemic, the FBI reported that its Cyber Division was receiving between 3,000 and 4,000 cybersecurity complaints each day—up approximately 400% from pre-pandemic numbers. And given that many cyber incidents are never detected—and that many detected attacks go unreported—these numbers leave no doubt that potential cyber intrusions, including spoofing and phishing schemes, ransomware, and business email compromise schemes, pose a grave threat to the data entrusted to your hospitality business by its guests and employees.
So, how do you level the playing field against threat actors who could be working full time to undermine the safety and security of your company’s IT infrastructure and data? There are two important steps all hospitality executives should consider:
Educate and prepare your entire organization.
Hotel and restaurant operators customarily engender a team mentality at all levels (and across levels) in their organization. To that end, everyone in the organization shares responsibility for the guest experience, customer relationships, and managing the company’s reputation and brand. Take this same approach with your organization’s cybersecurity.
In addition to taking preventative technical steps such as utilizing offline encrypted backups, restricting user permissions, and installing appropriate anti-malware software, network security leaders should also educate and prepare the organization’s staff to serve as ambassadors for cyber safety in their organization. To that end, employees at all levels—even those who do not use a computer as part of their job—should be educated in the basics of cyber safety. Train them on the most common types of cyber threats (malware, phishing, ransomware, and man-in-the-middle attacks) as well as some of the basic terms applicable to network security, such as the meaning and significance of endpoint security and your organization’s firewall. And for employees who use a computer and access your network as part of their job, train them on the “why” behind using security features such as multi-factor authentication and internal policies and checklists requiring employees to follow specific procedures before money or sensitive information can be exchanged. In educating your team, remember that practice is also important. Taking the time to conduct role-plays that test your employees’ proficiency with completing due diligence before opening an email, clicking a link, or sending sensitive or financial information in an email is an investment that can pay untold dividends in protecting your organization against a cyber-attack—and the business interruptions, legal risks, and reputational harms they often provoke.
Empower your Incident Response Team
In the event of an attack, a critical segment of your team – the cyber incident response team – should already be in place, educated on cyber safety, and prepared to act. Tasked with supporting your upper management and the organization’s corporate board in assessing and responding to a breach, this team should include professionals with authority and expertise in IT, operations, human resources, and internal and external communications. This team must act quickly to limit the scope of the attack and assess any damage or ongoing risk. To assist with doing so, the response team should also include legal counsel. Synergy with a legal professional will streamline the process of crafting internal and external communications about the suspected incident, managing law enforcement and governmental reporting where necessary, and conducting an internal investigation of the occurance with an eye toward preserving your organization’s attorney-client privilege and work-product protections where appropriate.
ABOUT THE AUTHOR
Jonathan K. Osborne is shareholder and co-chair of the White Collar and Internal Investigations group at Gunster. He began his practice at Gunster and returned to the firm in 2019 after serving in the U.S. Department of Justice as an Assistant United States Attorney in the Southern District of Florida.
An experienced first-chair trial attorney, Jonathan’s practice includes the representation of individuals and organizations in civil business litigation, including the defense of legal malpractice claims as well as white collar criminal matters and internal investigations. Jonathan has conducted internal investigations on behalf of companies across a variety of industry sectors, including hospitality, travel, education, healthcare, and banking. Drawing from his extensive grand jury and criminal investigations experience, he consults businesses and individuals in responding to government scrutiny and cyber security threats. Jonathan routinely advises companies, business leaders, nonprofit organizations, and healthcare professionals in connection with compliance with state and federal criminal law and other regulations, including COVID-19 emergency orders.