During the recent HITEC 2022 conference, Jason Stead, CISO, Choice Hotels International, and Chris Armstrong, VP, Governance & Security at Loews Hotels & Co, sat down with Katie Lee, Sr. Director, IT Strategic Applications, Loews Hotels & Co, to discuss ransomware attacks. The conversation was fascinating and could have continued on much longer than their allotted 50-minute time slot. Here are some of my key takeaways from their conversation.
Key among the points Armstrong and Stead made to attendees was to create consistent communication during a ransomware attack among the IT team, C-suite executives, the PR team, and with the company’s lawyers.
“Communication is so important but using the company’s email system might not be the best idea when you’ve been attacked,” noted Stead. “Many times, bad actors gain access to your email system specifically so they can track how you’re responding to their attack.”
And don’t forget to cultivate excellent relationships with your lawyers.
“Not a day goes by that I don’t talk with my lawyers,” he adds. “They advise us on whether to pay the criminals or not and figure out the regulatory issues.”
Create a Payment Policy Now
Stead also recommended that organizations discuss – before they get hacked – if they’re willing to pay a ransom to bad actors. And, if the brand decides it is willing to pay them, make sure lawyers are involved to make sure you can – legally. In October 2020, OFAC (the United States Department of the Treasury’s Office of Foreign Assets Control) came out and said it is now illegal to pay a ransomware demand in certain instances.
But that’s not the only consideration when paying a criminal. If you can pay the ransom, how will you pay it? Many times, bad actors want bitcoin. Do you have that currency available to you? And what about negotiating how much to pay?
Plus, you’re often required to use some type of payment negotiator, Armstrong explains. But hoteliers need to ask themselves: Can I trust this person? Oftentimes, the negotiator is working on behalf of the criminals because they get a cut of the ransom.
Don’t Bet on Insurance
Most hoteliers are aware that ransomware insurance has become much harder to get than it used to be, Armstrong pointed out. Sometimes, just to get insurance, a hospitality brand will need to prove how they’re preparing for and working to protect themselves from an attack.
“Unfortunately, most standard policies are not going to pay for ransomware,” Stead added. “You need a dedicated policy and if you haven’t purchased a policy recently, you’re in for some sticker shock. Prices have doubled or more in the last few years. But even if you can afford to pay for it, insurance companies may not pay.”
[For a great in-depth look at the pros and cons of cyber insurance, check out: Marriott Data Breach is a Good Reminder to Review Your Cyber Insurance Coverage.]
Gaining Access to Your Data Is Not Recovery
After you finally pay the ransom and gain access to your data again, don’t think the long, hard road to recovery is over. It literally only just began.
“Now you need to destroy your entire technology stack and rebuild it,” Stead explains. “This is why cybersecurity professionals are so expensive and hard to procure. After an incident they get burned out from working day and night, especially with morale being so low. The whole process is just painful.”
Strategies for Prevention
To try and prevent an incident from happening, create containment zones and multiple types of backup, Armstrong notes. Then create an incident response plan and test it quarterly using a third-party. And always ensure you have the right tools in place to communicate with key members of the company outside of your brand's email platform.
Additionally, keep up with training your on-property team members. But, Armstrong begged the audience, make it fun! Talk about why the training is important, who they’re protecting by being cautious, the ways scammers try to make you lose your focus, etc. Don’t force them to sit through an hour-long video. Break it up into bite-sized pieces so that they can remember the information. And help them apply this information to their lives outside of work as a way of protecting them at home, as well.