Anyone who has ever waited in line at the check-in desk of a busy major hotel, with customers checking their bills and paying them, will have no illusions about how big a part credit cards play in doing business there.
So that’s why I am tackling today two commonly held major misconceptions about cyber security – first, that it is a technology issue, something for the IT experts to worry about – and second, that it is only really an issue for big business, global organisations and governments “because serious cyber criminals are less interested in going after the little guys.”
Two years ago a report by Trustwave Global Security identified hospitality as one of the top three industries targeted by cyber criminals, after breaches at a string of major hotels.
They found that 50% of attacks involved the theft of card holder data and personal information including dates of birth, passport numbers and contact details.
In fact, cyber criminals have targeted everyone from private individuals right up to major corporations and beyond – and the number of attacks and the level of their sophistication are growing all the time. Hotels are only one of their many, many victims.
Increasingly it is a question of when, not if, with a stark warning from former FBI Director Robert Mueller who says, “There are only two types of companies: Those that have been hacked, and those that will be.”
The hackers have managed to plant viruses into the companies’ point-of-sale (PoS) systems. The viruses – or ‘malware’ – work by imitating a legitimate programme before trawling through systems to find card details and the data which can then be sold on to organised criminals or used by the hackers themselves.
Hotels are particularly vulnerable to cyber attacks because of the sheer volume of cards used and personal data recorded on a daily basis – from check-in to bars, restaurants and on-site shops.
Additionally, hotels often keep card details on file and may access them many times during a guest’s stay. Each occasion is an opportunity for cyber thieves to strike unless you have robust security measures in place.
Vibhu Gaind, Chief Information Officer at independent hotel management company Redefine BDL Hotels, explains, “Hotels are probably one of the few industries that retain a lot of guest data, from the stage of booking right up to post-departure communication.
“Hotels have had to retain information because they sell a lot of products before any payment is taken, and we used to be very conscious of guests walking out.
“So, as an industry, we took the approach that we should hold onto as much detail as possible, and that makes us very vulnerable to all sorts of breaches.
“What we have seen over the last three years is malicious activities targeted towards hotels, especially our PoS systems and Property Management Systems (PMS). Those are targeted regularly and there have been reports of major hotel corporations, big brands, having breaches and ultimately it’s their reputation that’s at risk.”
He adds, “What’s been happening over the last year with Payment Card Industry compliance, has been really pinpointed towards hotels, and that has allowed us to be at the forefront of security, rather than lagging behind.
“There are also the new EU rules which come into force in May 2018. What that looks at is whether we need to hold on to so much data, do we need to keep it in this day and age.
“A lot of it comes down to end user training – when staff ask for any information are they storing it in a protective manner?
“We are also seeing better investment coming into the technology sector.”
So just how cyber resilient is your firm? Could it be vulnerable to attack and what can you do to safeguard your customers, your business and your reputation when it comes to cyber security?
Ask yourself questions such as how the IT equipment in your business is currently managed and stored, and who has access to it? Do you need to comply with personal data protection legislation and Payment Card Industry compliance? Remember that meeting legal and business requirements is not the same thing as being cyber secure.
What practical steps should you take before, during and after a breach and how would your business recover from a cyber attack?
It is not just about prevention but also how you handle an incident, and how you come back from it, which is important. Should you consider cyber insurance?
Speaking at the launch of the National Cyber Security Centre in February, Chancellor Philip Hammond highlighted how important it is for businesses to tackle the issue – and why there is an onus on them to do so.
He said, “The fact is that the greater connectivity that will enable the development of the digital economy is also a source of vulnerability. Just as you would expect a shop on the high street to fix its locks and burglar alarms, so businesses operating digitally need to fix their online security.”
For the hospitality sector this talks to the fact that guests expect to be kept safe – both in terms of their person and their possessions, including payment cards and personal data – from the moment they check in.
Yet the hospitality industry as a whole, like many other sectors, may still be behind the curve when it comes to cyber security.
Calum Ross, General Manager of Glasgow Hilton, comments, “Cyber security is front and centre with us. Hilton is a pioneer when it comes to technology which is helped because we own our property management system outright in that, we own the app platform and everything. We are able to invest and push on because we are not working with third parties. We are super sensitive in terms of that whole security risk and everything we do is well tested and incredibly robust.”
However, in the last 12 months, 65% of large businesses in the UK have reported a cyber breach or attack, the majority of which involved viruses, spyware or malware. The average cost of the worst breach ranged from £65,000 to £115,000, yet astonishingly, 90% of businesses do not have an incident management plan prepared.
However it is not just big business that is vulnerable – small and medium-sized firms are often seen as soft targets because they do not have the same resources as larger firms. A survey by the Federation of Small Businesses (FSB) found that small firms lose an average of £4,000 a year to fraud and online crime.
But financial loss is not the only issue. There are other penalties too – including the threat of huge fines under the EU’s new General Data Protection Regulation, and legal action.
Reputational damage as the result of a breach could also be hugely damaging – especially in such a people-centred sector as hospitality – and may take years to recover from. What this means is that the responsibility for keeping a company safe online is no longer the job of a single department. It has to come from the top down, and every staff member needs to be properly trained and have a thorough understanding of cyber threats.
Tokenization is just one tool which the hospitality industry can use to avert a cyber attack. Tokenization renders payment card data meaningless to hackers because it involves (and now we get technical) substituting a sensitive data element (such as a credit card number) with a non-sensitive equivalent, referred to as a token, which is generated using proprietary algorithms that cannot be mathematically reversed. The token format also fits legacy payment card data fields. When tokens replace live data in systems, the result is minimised exposure of sensitive data to those applications, stores, people and processes, reducing the risk of compromise, accidental exposure and unauthorized access to sensitive data. Applications can operate using tokens instead of live data; the systems that hold the live data may be operated in-house within a secure, isolated segment of the data centre, or as a service from a secure service provider. Tokens also support all payment actions and checkout models, including one-time authorization, capture and settlement, recurring and subscription billing, credit and partial credit, split capture, reauthorization, and standard checkout.
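The following is an added illustration of the idea described above, not code from the article or from any tokenization vendor. It models a vault-based token service: the card number (PAN) is replaced by a randomly generated token of the same length that keeps only the last four digits for display, the token is deliberately made to fail the Luhn check so it can never be mistaken for a real card number, and the only way back to the PAN is a lookup in the vault, which would sit in the isolated segment or at the service provider the paragraph mentions. The `TokenVault` class, the sample PAN (a widely used test number, not a real card) and the format choices are all assumptions made for this example.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum that all real PANs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy token vault: the mapping PAN <-> token exists only inside this object.

    Because tokens are random (not derived from the PAN by any formula), there is
    nothing to reverse; an attacker who steals a database full of tokens learns
    nothing about the underlying card numbers without also stealing the vault.
    """

    def __init__(self) -> None:
        self._pan_to_token: dict[str, str] = {}
        self._token_to_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        # Basic plausibility check on input: digits only, card-like length, valid Luhn.
        if not pan.isdigit() or not 13 <= len(pan) <= 19 or not luhn_valid(pan):
            raise ValueError("not a plausible PAN")
        # Same card always maps to the same token, so applications can still
        # match repeat guests or recurring bookings without seeing the PAN.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        while True:
            # Format-preserving: same length as the PAN, last four digits kept
            # for receipts and guest-facing display, everything else random.
            middle = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = middle + pan[-4:]
            # Reject tokens that collide with an existing token, equal the PAN,
            # or happen to pass Luhn (so a token can never pass as a live card).
            if token in self._token_to_pan or token == pan or luhn_valid(token):
                continue
            self._pan_to_token[pan] = token
            self._token_to_pan[token] = pan
            return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN (e.g. at settlement time)."""
        return self._token_to_pan[token]


def masked(token: str) -> str:
    """What a front-desk screen or receipt would show: only the preserved last four digits."""
    return "*" * (len(token) - 4) + token[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"            # constructed test number, not a real card
    tok = vault.tokenize(test_pan)
    print("token stored in PMS/PoS:", tok, "->", masked(tok))
    print("round trip via vault:", vault.detokenize(tok) == test_pan)
    print("token passes Luhn?", luhn_valid(tok))
```

In practice the vault is the one component that still holds card data, so it (not every till, booking system and back-office report that now carries tokens) is what has to sit inside the PCI-scoped, isolated environment.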
Of course there are numerous ways to hack into computers – through a network system, by getting a user to click unknown links or connect to unfamiliar WiFi or by downloading software from unverified websites.
Criminals can also target data via third-party providers like room booking sites or car hire companies and a cyber breach could also enable a hacker to access a hotel’s internal systems such as door locks, air conditioning systems or other key structural elements.
Banking giant HSBC says that one of the most recent threats to emerge is the Business Email Compromise, also known as CEO or Chairman Fraud.
It involves the fraudster emailing a firm’s payments team, impersonating a contractor, supplier or even a senior manager, asking for an urgent payment to be made, or that future payments go to a new account. The sender’s email is usually very similar to a legitimate email address so the fraud is often not picked up until it is too late. Unsurprisingly, the financial loss can be huge.
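As an added example from the defender's side (not code from the article or from HSBC), here is a small triage check a payments team could run over an inbound email before acting on it. It looks for the tell-tale signs the paragraph describes: a sender domain that is a near-miss of a known supplier's or the company's own domain, a familiar executive's name on an address outside the company, a request to change bank details, and pressure to pay urgently. The domains, names and the three sample messages are all constructed for the example.

```python
import re

# Constructed reference data for a hypothetical hotel group (assumed, not from the article).
OWN_DOMAIN = "example-hotels.com"
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.com", "linen-services.co.uk"}
EXECUTIVE_NAMES = {"alex hart"}   # names a fraudster might borrow for "CEO fraud"

# Phrases that should always trigger an out-of-band (phone) check with the supplier.
BANK_CHANGE = re.compile(
    r"\b(new (bank )?account|updated? (our )?bank details|change (of|our) (bank )?details)\b",
    re.IGNORECASE,
)
URGENCY = re.compile(r"\b(urgent|urgently|immediately|today|asap)\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (e.g. .co for .com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # deletion
                           cur[j - 1] + 1,           # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def assess_payment_request(msg: dict, known_domains: set = KNOWN_SUPPLIER_DOMAINS) -> list:
    """Return a list of red flags for a payment-related email; an empty list means none found."""
    flags = []
    domain = msg["from_addr"].rsplit("@", 1)[-1].lower()
    name = msg["from_name"].strip().lower()
    trusted = known_domains | {OWN_DOMAIN}

    if domain not in trusted:
        # A domain within two edits of a trusted one is the classic BEC lookalike.
        for known in sorted(trusted):
            if edit_distance(domain, known) <= 2:
                flags.append("lookalike_domain:" + known)
        # A senior manager's name on an outside address is the "CEO fraud" pattern.
        if name in EXECUTIVE_NAMES:
            flags.append("executive_impersonation")

    text = msg["subject"] + "\n" + msg["body"]
    if BANK_CHANGE.search(text):
        flags.append("bank_detail_change")
    if URGENCY.search(text):
        flags.append("urgency")
    return flags


# Constructed sample messages, one benign and two matching the fraud described above.
SAMPLES = {
    "benign_invoice": {
        "from_name": "Accounts", "from_addr": "accounts@acme-supplies.com",
        "subject": "Invoice 1042",
        "body": "Please find attached invoice 1042 for March. Payment terms 30 days.",
    },
    "supplier_lookalike": {
        "from_name": "Jane Smith", "from_addr": "jane.smith@acme-supplies.co",
        "subject": "Updated payment instructions",
        "body": "Please update our bank details for future invoices; new account number attached. This is urgent.",
    },
    "executive_impersonation": {
        "from_name": "Alex Hart", "from_addr": "alex.hart@webmail-example.net",
        "subject": "Quick favour",
        "body": "I need a supplier payment made today, I'm in a meeting so can't talk.",
    },
}


def run_samples() -> dict:
    """Assess every sample and return {label: flags} so the results can be checked."""
    return {label: assess_payment_request(msg) for label, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, flags in run_samples().items():
        print(f"{label:24s} -> {flags or 'no flags'}")
```

A legitimate supplier that really has changed banks is still flagged by `bank_detail_change`; that is intentional, since the mitigation for this fraud is to confirm any new account over a known phone number rather than by replying to the email.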
Websites that accept online payments or even store credit and debit card details are obviously prime targets for cyber criminals.
Government advice on cyber security includes using strong passwords and anti-virus software and deleting suspicious emails. They recommend downloading software and app updates, which contain security upgrades, as soon as they appear, and training staff so that they are aware of cyber threats and how to deal with them.
The FSB also suggests a number of steps, including carrying out regular security updates on all software and devices, securing your wireless network, testing back-up plans and disaster recovery procedures and carrying out regular security tests on your website.
Angela Vickers, Chief Executive of Apex Hotels, suggests hoteliers check out various advisory bodies including the PCI Security Standards Council and the National Cyber Security Centre (NCSC), as well as the Information Commissioner’s Office, for advice, checklists and guidance documents. The websites are detailed below.
Given what is potentially at stake, cyber security is clearly an issue that nobody in the hospitality business can afford to ignore.
The message is clear: We all need to be aware of it, and we all need to be responsible for it.
Websites that offer advice are:
www.ncsc.gov.uk – the National Cyber Security Centre, a new government body recently set up to deal specifically with cyber crime. Similarly, the Information Commissioner’s Office (www.ico.org.uk) has plenty of information on what exactly organisations have to do to adhere to the Data Protection Act.