According to a new IRONSCALES survey, email phishing is the top concern of 90% of IT professionals polled in the hospitality industry. In fact, since the onset of the COVID-19 pandemic, nearly one third of IT teams spend all of their time remedying phishing attacks, and 74% spend more than 30 minutes addressing each attack, according to the research. To learn more about how cybercriminals are attacking the hospitality industry and what hoteliers can do to protect themselves and their guests, HT spoke with Eyal Benishti, founder and CEO of IRONSCALES.
Is the hospitality industry facing the same type of cybersecurity risks as other industries?
The hospitality industry is targeted just as often as, if not more than, other industries. One reason for this is the sensitive data exchanged in transactions between these businesses and their customers. For instance, a hotel stay requires both credit card and ID information to be collected and stored.
In addition, hospitality companies rely heavily on technology to handle business-critical operations. In our hotel example, this includes reserving rooms and even providing key-card access to those rooms using computer-controlled technology. Unfortunately, the computer systems used, and the networks they are connected to, are vulnerable to ransomware attacks.
Threat actors often regard hospitality companies as easy prey for locking down systems with malware, ultimately leading to large ransom payments. And there is still a prevailing perception that this sector is not as invested in cybersecurity as, say, finance or healthcare, making it an even more attractive target.
How might phishing schemes target on-property hotel staff differently from corporate employees?
Corporate employees are generally communicating with people they know, such as coworkers and regular vendors with whom they have established relationships, so phishing attacks are typically not as successful with them.
An example of a common attack on a corporate employee is a Business Email Compromise (BEC). This is where criminals send an email message that appears to come from a known source making a legitimate request, like a known vendor sending an invoice with an updated mailing address or a manager asking an employee to purchase dozens of gift cards and send the serial numbers.
However, these attacks are easy to spot if employees have been trained properly. The danger arises with onsite hospitality staff. Because these employees regularly receive emails and messages from people they don’t know, such as potential guests and inquiring customers, they’re often exposed to fraud that is much harder to identify.
Why are phishing attacks so dangerous to companies and their employees/guests?
Phishing attacks are especially dangerous for hospitality companies in our post-pandemic world. The sector is still reeling from the after-effects of quarantine, during which hotels, bars and restaurants saw steep decreases in customers that lasted several months. A serious breach of customer data, costing an average of $4.2 million per incident, could tip any business over the edge.
And customers are at risk when threat actors get access to their sensitive data. For example, an Austrian hotel's electronic door locks and other systems were hacked for ransom four times in less than two months, locking customers out of their rooms and leaving their personal and financial information vulnerable.
How can employers educate employees on the danger of phishing schemes and other cybersecurity threats?
Build the right culture: Don't blame your employees, train them. Adopt a security-first culture among all your staff that educates them on basic cybersecurity best practices, spotting different types of attacks and reporting incidents.
Make this training a part of your onboarding process and invest in ongoing employee training on a regular basis. Ensure everyone is aware of the dangers of phishing emails, which often provide an entry point for ransomware attacks by fooling recipients into clicking links or downloading files. Test employees’ knowledge regularly.
It’s also important to update all software and operating systems in a timely manner, including POS software. Many ransomware attacks start by exploiting unpatched software vulnerabilities, so proper patch management is a quick win in your defenses.
Phishing and ransomware attacks are both a human and machine problem. Solving this complex challenge requires a human and machine solution. Combining security awareness simulation and testing with adequate cybersecurity tools will provide your organization with a layered security approach, which is the best protection for your employees and your organization.
Any other comments?
It’s critical to start preparing for ransomware attacks and adopt prevention strategies today. A comprehensive data backup and business continuity strategy is as much preventative as it is reactive. If you can easily restore your data and swiftly resume critical business operations by temporarily using cloud infrastructure, you’re already well-prepared for successful attacks when they occur. For smaller companies, engaging with a security services provider can provide the expertise needed to develop a robust business continuity plan.
And it is always important to put people at the center of your cybersecurity strategy. Treat your employees as an asset, not as a liability. Empower them to take an active part in the defense of the organization.
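The two BEC lures Benishti describes above (a "known vendor" announcing updated payment or mailing details, and a "manager" asking staff to buy gift cards and send back the serial numbers) can be triaged mechanically before a front-desk employee ever has to judge them. The script below is an added example for this page, not IRONSCALES code or anything from the interview. It assumes a hotel domain, a small directory of known senders and three constructed messages (one legitimate invoice and the two lures); the heuristics are the ones the interview names: the display name belongs to someone known but the address does not, Reply-To points somewhere other than the sender, and the text carries a gift-card or payment-change request.

```python
"""BEC triage for the lures described in the interview.

Added example, not IRONSCALES code. ORG_DOMAIN, KNOWN_SENDERS and the three
sample messages are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-hotel.com"                    # assumed: the hotel's own domain
KNOWN_SENDERS = {                                   # assumed directory: display name -> expected domain
    "Dana Ortiz": "example-hotel.com",              # general manager
    "Linen Supply Co": "linensupply.example",       # regular vendor
}
# Text patterns for the two lures named in the interview. \s+ so a phrase
# split across a line break still matches.
LURES = [
    (re.compile(r"\bgift\s?cards?\b", re.I), "gift-card purchase request"),
    (re.compile(r"\bserial\s+(numbers?|codes?)\b", re.I), "asks for card serial numbers"),
    (re.compile(r"\b(updated|new|changed)\s+(bank|remittance|mailing|payment)\s+"
                r"(details|address|account|information)\b", re.I),
     "payment or mailing address change"),
]


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"] if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)


def triage(raw):
    """Return (verdict, reasons) for one raw RFC 5322 message.

    'likely BEC' needs both an identity signal (who it claims to be from does
    not match where it came from) and a lure; either alone is 'suspicious'.
    """
    msg = message_from_string(raw)
    reasons = []

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    expected = KNOWN_SENDERS.get(name.strip())
    if expected and from_dom != expected:
        reasons.append(f"identity: '{name}' is expected from {expected} but this came from {from_dom}")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        reasons.append(f"identity: Reply-To goes to {_domain(reply)}, not {from_dom}")

    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    for pattern, label in LURES:
        if pattern.search(text):
            reasons.append(f"lure: {label}")

    identity = any(r.startswith("identity") for r in reasons)
    lure = any(r.startswith("lure") for r in reasons)
    verdict = "likely BEC" if identity and lure else "suspicious" if reasons else "clean"
    return verdict, reasons


# Constructed sample messages (not real mail).
GIFT_CARD_LURE = """\
From: Dana Ortiz <dana.ortiz.gm@gmail.com>
To: frontdesk@example-hotel.com
Subject: Quick favor

Are you at the desk? I am in a meeting and cannot talk. I need you to pick up
ten $100 gift cards for a guest appreciation event and email me the serial
numbers as soon as you have them. Keep this between us for now.
"""

INVOICE_LURE = """\
From: Linen Supply Co <billing@linensupply-invoices.example>
Reply-To: accounts@linensupply-secure.example
To: ap@example-hotel.com
Subject: Invoice 4471 - updated remittance details

Please find attached invoice 4471. Note our updated bank details below and
direct all future payments to the new account.
"""

LEGIT_INVOICE = """\
From: Linen Supply Co <billing@linensupply.example>
To: ap@example-hotel.com
Subject: Invoice 4470

Please find attached invoice 4470 for last week's delivery. Payment terms
are unchanged, net 30 to the account on file.
"""

if __name__ == "__main__":
    for label, raw in [("gift card", GIFT_CARD_LURE), ("invoice", INVOICE_LURE), ("legit", LEGIT_INVOICE)]:
        verdict, reasons = triage(raw)
        print(f"{label}: {verdict}")
        for r in reasons:
            print("  -", r)
```

The point of requiring both an identity signal and a lure for the "likely BEC" verdict is to keep the queue small for on-property staff: a real vendor does occasionally change its bank details, and a manager does occasionally ask about gift cards, but neither does so from a free-mail address or with a Reply-To that leaves the vendor's domain. A legitimate invoice from the expected domain with no such phrasing produces no reasons at all.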