“Prepare to be hacked.”
Mike Blake, April 2, 2012,
The Wall Street Journal CIO online edition
This quote was true six years ago and it still stands true today. If you haven’t gone through a data breach, you will — and that means you need to prepare now for it.
Our industry is blessed with very hospitable professionals. These folks are fundamentally accommodating, making them perfect targets for social engineering attacks by cyber criminals. How many employees in your company would share their credentials or print a guest’s presentation when handed a USB drive? This is the primary cause of many security problems.
The best medicine is to ensure that EVERYONE goes through some level of training on a recurring basis. Awareness, posters or anything else that can keep cybersecurity top of mind is very important. Cybersecurity is not the job of just the CIO or Chief Information Security Officer (CISO); it is everyone’s responsibility, including the CEO.
Security Through Law Enforcement
Imagine seeing someone walking door-to-door checking locks, then entering the homes that are unlocked in your neighborhood. You would naturally call the authorities. Well, there isn’t an entity out there that hasn’t been crawled — sometimes up to a million or more times a day. This is the electronic version of the person checking locks. They find a vulnerability or open door and exploit it.
Once you are a victim of this cyber exploitation, you should call multiple government authorities (FBI, Secret Service, and sometimes local law enforcement). But don’t expect to see an immediate retaliatory response. Every once in a while, a low-level identity thief is apprehended, but rarely do you ever hear of a true cyber war where the bad guy’s infrastructure is ruined, and the data they captured is destroyed. The government’s response has been more watch and wait as opposed to seek and destroy. However, let the authorities know what is going on because sometimes they are the only ones that have the centralized perspective to see the criminal activity that could be spanning multiple players within hospitality and beyond. This is one reason HTNG created the Travel Information Sharing and Analysis Center (Travel ISAC).
The Travel ISAC (https://www.htng.org/page/TravelISAC) was created to defend and protect guests, staff and corporate assets from complex threats. You may feel that you are alone in being a victim, but chances are the bad actor is also engaging in nefarious action toward your competitor.
I have seen this group in action at very critical stages. I have seen this group in the morning call for a meeting for later that afternoon and get 100% attendance from everyone around the world.
At that afternoon meeting, the parties were sharing information that they could immediately act on to improve their respective environments. The Travel ISAC is certainly an organization you want to be a part of on strategic and tactical levels. Evolving from the previous Hotel CISO Forum, most of the major hotel chains are part of the Travel ISAC, but there is always room at the table for other hospitality members.
Every day someone else enters the arena and launches a new virulent attack. In the short term, hire a CISO, call your state and federal representatives, join the Travel ISAC, prepare your breach response, train your employees and do as much as you can, but recognize even that may not be good enough.
What Else Can Hotels Do?
1. Call your legislators and let them know that cybersecurity of our digital assets is important and needs to be protected as much as our nation and borders.
2. If you don’t have a CISO, hire one. CISOs are skilled in getting the most out of the current toolsets for your organization and they will help you stay on top of security developments within your environment.
3. Orchestrate a tabletop exercise with your leadership team and all relevant parties.
4. Work collectively. “Psychologists speak of ‘social sharedness,’ the idea that information and perspectives shared among group members tend to have a disproportionately large impact.” (“The Challenger Customer” by Adamson, Dixon, Spenner and Toman)