Increasingly sophisticated phishing attacks are near the top of the laundry list of possible cyber security threats for hoteliers.
LOS ANGELES—The world of cyber security is seemingly in a state of constant flux, making the sources of possible threats hard to nail down for hoteliers.
To that end, sources speaking on the “Cybersecurity: What to do when your next guest is a hacker” panel at the 2017 Meet the Money conference shared their take on the latest threats in that realm.
“There are new threats happening every day,” said Robert Justus, a managing director for Optiv Inc. “The velocity of change of threat landscape is very challenging for organizations.”
Here’s a look at what panelists identified as some of the top threats.
1. Phishing attacks
Phishing, or sending scam emails that appear to be from a reputable source in order to convince people to share sensitive information such as passwords and credit card information, is not new. In fact, it seems to be one of the oldest nefarious practices on the internet.
But the practice is growing more and more sophisticated, panelists said, and phishing attacks are increasingly targeting high-ranking executives, including those in the hotel industry.
“It runs a wide gamut of the purpose of these attacks,” said Brad Maryman, a former forensic investigator with the Federal Bureau of Investigation and founder of Maryman & Associates.
He said attackers will now try to take over the email account of someone like a company’s controller or CFO, which they then use to replicate almost perfectly the look and style of that executive’s emails. In such phishing emails, the scammers order subordinates to authorize large wire transactions under the guise of the transfer being for an acquisition or other major transaction.
“It’s more than likely that (the attacker) has built a dossier on this person and the types of projects (they’ll do), along with the methods and styles of communications between the executives and persons outside the company,” Maryman said. “They’ll even have the same signoff.”
Maryman and other panelists said to combat this, executives must follow through on the multiple checks that should already be in place within the organization so that employees aren’t authorizing large payments, sometimes to overseas banks, without checking with multiple sources and having face-to-face conversations.
He also said gaining access to an executive’s email is a massive breach even without trying to create inappropriate transactions because of the amount of information an executive’s account could contain about the company and its employees.
“It’s a literal treasure trove of information that can be converted to dollars,” Maryman said.
2. Ransomware
Ransomware is the practice of exploiting a vulnerability in a company’s systems to seize its information or the functions of those systems and hold them hostage until the attacker is paid. It drew notable coverage across the globe recently with the widespread WannaCry attacks.
“In some cases, it can be actually taking control of your hotel because there are so many systems,” said Robert Braun, a partner at JMBM.
3. POS/payment card breaches
Probably the most likely thing to get you unwanted attention as a hotel business, be that from the media, potential guests or even the credit card companies, is a breach of your point-of-sale systems and loss of customer payment card information.
Jackie Collins, senior director and VP of the hospitality practice at Arthur J. Gallagher Risk Management Services, said hoteliers are often shocked by how much liability they hold in the case of such an attack.
“We had a client that had a $1.4-million bill from MasterCard, and from Visa about ($500,000),” she said. “So there are huge fines that go along with this.”
Collins said it’s important to know the extent of your insurance coverage in the case of such an attack.
Braun called point-of-sale attacks the single biggest cyber security threat to the hotel industry.
“That’s because they’re third-party and they’re not attacking the hotel itself,” he said. “They’re typically attacking a vendor and exploiting some sort of weakness in the system. Typically, it’s a human error. (Attackers) get some sort of credential.”
Justus said in most instances “the problem exists between the keyboard and the chair.”
4. DDoS attacks
Braun noted another primary threat for the hotel industry in particular is distributed denial-of-service, or DDoS, attacks. He said hotels are particularly vulnerable to this sort of attack because of the wide array of systems in use.
“It happens because everything around here has a computer in it,” he said. “It can even be things like closed circuit televisions. Even the management of my sprinkler system—all of those things can be hijacked and then used to send little pulses to bring down systems.”