How to protect your hotel? 11 recommendations to apply to your establishment
Data leaks from hotel chains, OTAs or booking platforms are commonplace in the field of cybersecurity, and are shaking up the entire hotel and tourism sector. All hotels are affected by this threat and could be subject to an attack, even a small independent hotel. The reason for this is that the data managed by hotels is confidential and not always well protected (bank details, identity documents, personal data, contacts, etc.), the first weakness being that hotel staff are not always well trained to deal with the simplest attacks.
In this article:
➤ What are the main threats and the methods used?
➤ What are the basics for securing your environment and data?
➤ How do you train your teams to deal with cyber attacks?
➤ What should you do if you are a victim?
Firstly, a few key figures:
- It takes 277 days on average to identify and contain a cybersecurity breach - IBM
- Hospitality is the 3rd most targeted sector for cyber attacks - HRIMag
- 72% of companies affected by ransomware attacks have fewer than 100 employees - HRIMag
- 95% of cybersecurity breaches are caused by human error - World Economic Forum
The most common cyber attacks
Cryptomining / Cryptojacking
Hackers take control of a computer to mine cryptocurrency without the owner's knowledge. Cryptomining can be very aggressive, rendering the computer unusable for long periods.
A Botnet is a network of computer devices infected with malware, controlled remotely by an operator. Hackers take possession of these devices to make them perform malicious tasks and gain access to the system.
Ransomware is the taking of data hostage in exchange for a ransom: a cryptolocker "locks" the data where it is stored. Giving in to the blackmail by paying the ransom is never a good idea, as hackers know how to lock data but not necessarily how to restore it correctly.
Phishing is a technique that lures people with an e-mail, SMS or other message, usually carrying a booby-trapped link or attachment. CEO fraud is a form of phishing: the attacker pretends to be the CEO and uses that authority, together with a sense of urgency, to get the target to click on the link as quickly as possible. The target is then asked to hand over personal information (bank card, health card, login details, e-mails, etc.).
Malware is malicious software designed to infect, damage or compromise a computer system without the user's consent, and can include viruses, worms, Trojan horses, ransomware, etc.
Myths to forget
❌ You should change your password regularly
Forced regular changes push people into an easy-to-remember pattern when choosing the next password. You don't need to change your password on a schedule; you need a secure password.
❌ Use the same password (however complicated) on multiple accounts
A hacker who gets hold of a password will try to use it on all accounts, and will therefore have control over all accesses.
❌ Hackers try to guess passwords
Hackers use bots to crack passwords, fed with the personal data they can retrieve (dates of birth, postcode, hotel name + year, etc.). They also use dozens of strategies to test targeted systems on a regular basis.
❌ An infection is visible
You're not always aware that a hacker has taken control of your data, and it's in their interest not to make it visible so as to gain more time. An IBM study has shown that, on average, it takes an organisation 277 days to detect an intrusion on its network, which gives hackers plenty of time to take everything they want. And that's only an average! The case of the Marriott hack announced at the end of 2018 revealed that the attack had been carried out four years earlier without being detected; it reportedly affected 5.2 million customers.
❌ Small establishments are not targeted
A survey by HRIMag revealed that 72% of companies affected by ransomware attacks have fewer than 100 employees. So it's not the biggest companies that are the most affected. And above all, the threat of an attack is constant, with hackers waiting to pounce.
❌ The establishment is not responsible
Responsibilities are generally shared, but the establishment is obliged to train its employees in security. It is also responsible for the security of its customers, and even more so for their personal data.
❌ Double authentication is not required
Double authentication is the additional step after logging in to ensure the user's identity. It is used, for example, by all banks for online payments. It takes the form of a code sent by e-mail or SMS. This makes it exponentially more difficult to take control of the account.
❌ All you need is anti-virus software or to avoid opening e-mail attachments
It takes a multitude of ways to secure systems, and just like a house, there is no such thing as inviolable security. In addition to the tools you need to ensure your systems are secure, you must also use common sense and educate your teams to be wary of e-mails and messages on a daily basis, as human error is often the weak point (responsible for 95% of cybersecurity breaches).
Basic recommendations for your hotel
1. One password per application
If a site or software is compromised, the hacker has access to all accounts using the same password. That's why it's a good idea to set up a different password for each piece of software, using a password manager.
2. Use a password management tool
A password manager lets you manage and generate complex passwords, and automatically enter them on the login page without them being in clear text.
The user has only one password to remember to unlock their manager, and does not know any other passwords, since log-in to registered systems is automatic. This software also makes it easy to share logins with another team member, without them knowing the password.
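The two points above (bots guessing passwords built from public data such as the hotel name plus a year, and letting a password manager generate one unique password per tool) can be checked in code. The following Python script is an added example written for this article, not a tool from the page's author: it builds the same hotel-derived wordlist a cracking bot would use and rejects passwords containing it, then generates a random password the way a manager does. The hotel name, postcode and year range are constructed placeholders.

```python
import re
import secrets
import string

# Constructed example values: the public details of an imaginary hotel that a
# cracking bot would feed into its wordlist.
HOTEL_NAME = "Hotel Riviera"
POSTCODE = "06400"
YEARS = range(2019, 2026)

# Common character substitutions undone before matching ("R1v!era" -> "riviera").
DELEET = str.maketrans("@0!1$3", "aoiise")


def guessable_tokens(hotel_name=HOTEL_NAME, postcode=POSTCODE, years=YEARS):
    """Tokens an attacker derives from public data: the full hotel name, each
    brand word in it, the postcode, and every one of those followed by a year
    written with four or two digits."""
    words = {re.sub(r"[^a-z0-9]", "", hotel_name.lower()),
             postcode.replace(" ", "").lower()}
    words |= {w for w in re.findall(r"[a-z]+", hotel_name.lower())
              if len(w) >= 4 and w != "hotel"}
    tokens = set(words)
    for w in words:
        for y in years:
            tokens.add(f"{w}{y}")
            tokens.add(f"{w}{y % 100:02d}")
    return tokens


def is_guessable(password, hotel_name=HOTEL_NAME, postcode=POSTCODE, years=YEARS):
    """Return the reason a password is weak against a targeted wordlist attack,
    or None if it survives these checks."""
    if len(password) < 12:
        return "too short: fewer than 12 characters"
    lowered = password.lower()
    raw = re.sub(r"[^a-z0-9]", "", lowered)
    deleeted = re.sub(r"[^a-z0-9]", "", lowered.translate(DELEET))
    if raw.isdigit():
        return "digits only: trivially brute-forced"
    # Compare both the raw password and its de-leeted form, longest tokens
    # first so the report names the most specific match.
    for tok in sorted(guessable_tokens(hotel_name, postcode, years), key=len, reverse=True):
        if len(tok) >= 4 and (tok in raw or tok in deleeted):
            return f"contains guessable token '{tok}'"
    return None


def generate_password(length=20):
    """What a password manager does for you: a random password drawn with the
    secrets module, containing every character class and passing is_guessable."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes) \
                and is_guessable(candidate) is None:
            return candidate


if __name__ == "__main__":
    for pw in ("HotelRiviera2024!", "R1v!era-Guest-24", "correct-horse-battery-staple-42"):
        print(f"{pw!r}: {is_guessable(pw) or 'ok'}")
    print("generated:", generate_password())
```

The de-leeting step matters: "R1v!era-Guest-24" looks complex to a naive complexity rule but is still built from the hotel's name, which is exactly what a bot tries first.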
3. One login per employee
In a hotel, some software or systems don't allow you to create a separate login for each member of staff. In addition, not every employee has a personal address (many share generic e-mail addresses such as contact@, info@, reception@, etc.).
However, whenever possible, create as many accesses as there are employees. Not only will this give you greater control over security, but it will also make it easier to revoke access when an employee leaves - all you have to do is delete the access.
4. Install a VPN on team laptops
A VPN is a virtual private network that establishes a point-to-point relationship between a piece of equipment and a remote site, much like a secure tunnel between the network server and the computer. The information exchanged is encrypted. The VPN can therefore be used to protect a laptop connected to a public or unsecured wi-fi.
5. Favour software with multi-factor authentication
Software that manages personal data (of guests or employees) must offer multi-factor authentication to secure access. Two/double-factor authentication (2FA) is a two-step verification process, and the most widely used. The best-known methods are: a unique code sent by SMS, an authentication application, facial or fingerprint recognition, a security key, etc.
6. Manage access to tools and sort through them regularly
Software administrator rights should not be given to all employees if they have no use for them, as this is the highest status for modifying items (configuration modification or complete deletion rights).
Giving different accesses to different employees makes it easy to sort them out as soon as an employee leaves the company, without having to reset the password. All you have to do is delete the accesses from the account.
It may also be a good idea to create for the same person (with administrator rights), another account with fewer rights for everyday tasks that don't require full access.
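Recommendations 3 and 6 above (one login per employee, sorting accesses regularly, administrator rights only where needed, and a separate low-privilege account for administrators) amount to a periodic access review. The Python script below is an added example, not something from the page or any hotel vendor: it runs that review over a constructed staff roster and account export, and reports shared logins, accounts whose owner has left, staff holding admin rights their role does not need, and administrators with no everyday account. The roles, tool names and the rule that only managers need administrator rights are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Employee:
    name: str
    role: str        # e.g. "manager", "reception", "housekeeping"
    active: bool     # False once the person has left the hotel


@dataclass(frozen=True)
class Account:
    app: str                 # the tool: PMS, channel manager, booking engine...
    login: str
    owner: Optional[str]     # employee name, or None for a shared/generic login
    admin: bool              # configuration / deletion rights
    enabled: bool


# Assumption for this example: only managers need administrator rights.
ADMIN_ROLES = {"manager"}
# Generic mailbox logins that several people know the password to.
GENERIC_PREFIXES = ("contact@", "info@", "reception@", "admin@")

# Constructed roster and account export for an imaginary hotel.
STAFF = [
    Employee("Alice", "manager", True),
    Employee("Bob", "reception", True),
    Employee("Carol", "reception", False),   # left last month
]
ACCOUNTS = [
    Account("PMS", "alice", "Alice", True, True),
    Account("PMS", "alice.daily", "Alice", False, True),        # her low-privilege account
    Account("PMS", "bob", "Bob", False, True),
    Account("PMS", "carol", "Carol", False, True),              # never revoked
    Account("Channel manager", "alice", "Alice", True, True),   # admin only, no daily account
    Account("Channel manager", "bob", "Bob", True, True),       # reception does not need admin
    Account("Channel manager", "reception@hotel.example", None, False, True),
    Account("Booking engine", "dave", "Dave", False, False),    # disabled: ignored
]


def review_access(staff, accounts):
    """Return (issue, app, login_or_name) findings for the periodic access sort-out."""
    by_name = {e.name: e for e in staff}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        if a.owner is None or a.login.lower().startswith(GENERIC_PREFIXES):
            findings.append(("shared", a.app, a.login))
            continue
        emp = by_name.get(a.owner)
        if emp is None or not emp.active:
            findings.append(("departed", a.app, a.login))
        elif a.admin and emp.role not in ADMIN_ROLES:
            findings.append(("excess_admin", a.app, a.login))
    # An administrator should also hold a low-privilege account for day-to-day work.
    for e in staff:
        if not e.active or e.role not in ADMIN_ROLES:
            continue
        mine = [a for a in accounts if a.enabled and a.owner == e.name]
        admin_apps = {a.app for a in mine if a.admin}
        user_apps = {a.app for a in mine if not a.admin}
        for app in sorted(admin_apps - user_apps):
            findings.append(("no_daily_account", app, e.name))
    return findings


if __name__ == "__main__":
    for issue, app, who in review_access(STAFF, ACCOUNTS):
        print(f"{issue:18} {app:16} {who}")
```

Run against a real export, the "shared" findings are the ones to fix first: a generic login cannot be tied to a person, so it can neither be audited nor revoked when someone leaves without resetting it for everyone.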
7. Secure your wi-fi network
Never use a consumer Internet box for your business: it doesn't provide a sufficient level of security (in practice, none at all), either for you or for your guests. Anyone who connects to it can easily reach every other device on it, including your in-house workstations. Always rely on wi-fi network providers to set up a secure network that lets you separate connected devices. Remember not to connect printers to the guest network either.
8. Clearly name your wi-fi network
Tell your guests the name of your wi-fi network and how to connect to it. Malicious networks can be named with the hotel's name so inattentive guests connect to them.
Remember to check the wi-fi networks around the hotel regularly to detect those that have usurped the hotel's name (HotelName_GUEST, WIFI_HOTELNAME, etc.).
9. Provide regular cybersecurity training
Including cybersecurity in team training is essential. The greatest weakness is human error, so raising awareness is essential to minimise risks and educate employees to be attentive on a daily basis. It is precisely on the most day-to-day tasks, when you are not paying as much attention, that attacks occur.
Regular reminders (e.g. about attack methods or how to detect attempts) help to keep attention focused. It may also be useful to provide training in alert detection and the procedure to follow in the event of suspicion. The first step could be to draw up documentation to provide training in basic cybersecurity techniques.
10. Practise good habits
It's important to adopt good habits that make cybersecurity an integral part of daily life: always lock your workstation as soon as you leave it, disconnect from tools, deploy password management software within your teams, alert employees who aren't paying attention, keep up to date with threats and intrusion attempts, keep yourself updated on industry news, etc.
One way of keeping employees on their toes is to use services that test them with fake (harmless) phishing e-mails simulating attempted attacks, as elaborate as those sent by real hackers. Employees who fall for them are corrected gently and reminded to stay suspicious at all times.
11. Never plug anything into a company computer
Decline when a guest asks to charge their phone on the reception computer or hands over a USB stick to print a document. Hotel computers must be protected. Watch out for printers connected to the hotel wi-fi network. If you need to print something for a guest, ask them to send it by e-mail, and only open PDFs.
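"Only open PDFs" is a rule a mail gateway or the reception workstation can enforce before a file is ever opened. The Python function below is an added example, not code from the page's author: it accepts an attachment only if the name ends in .pdf with no disguising characters, the content really starts with the PDF header, and the file contains none of the PDF features that run scripts or launch other programs. The file names and byte strings used in the demonstration are constructed.

```python
import re

PDF_MAGIC = b"%PDF-"
# PDF dictionary keys that run code, open other files or auto-trigger actions.
# A document that exists only to be printed needs none of them. This is a
# heuristic: markers hidden inside compressed object streams are not seen here,
# which is why a real gateway decompresses the file before scanning.
ACTIVE_CONTENT = [
    ("JavaScript", re.compile(rb"/JavaScript")),
    ("JS", re.compile(rb"/JS\b")),
    ("Launch", re.compile(rb"/Launch")),
    ("OpenAction", re.compile(rb"/OpenAction")),
    ("AdditionalActions", re.compile(rb"/AA\b")),
    ("EmbeddedFile", re.compile(rb"/EmbeddedFile")),
    ("RichMedia", re.compile(rb"/RichMedia")),
]
# Right-to-left override and zero-width characters used to disguise extensions.
DISGUISE_CHARS = "\u202e\u202d\u200b\u200e\u200f"


def check_attachment(filename: str, data: bytes):
    """Return (verdict, reason); verdict is 'ok', 'rejected' or 'quarantine'."""
    if any(c in filename for c in DISGUISE_CHARS):
        return "rejected", "file name contains invisible or direction-override characters"
    name = filename.strip().lower()
    if not name.endswith(".pdf") or name == ".pdf":
        return "rejected", "only .pdf attachments are accepted"
    if not data.startswith(PDF_MAGIC):
        return "rejected", "content is not a PDF (header missing)"
    found = [label for label, pattern in ACTIVE_CONTENT if pattern.search(data)]
    if found:
        return "quarantine", "PDF contains active content: " + ", ".join(found)
    return "ok", "plain PDF"


# Constructed samples, not real attachments.
SAMPLES = {
    "boarding-pass.pdf": b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF",
    "invoice.pdf.exe": b"MZ\x90\x00",
    "scan.pdf": b"MZ\x90\x00",
    "menu.pdf": b"%PDF-1.7\n1 0 obj<</Type/Catalog/OpenAction 5 0 R>>endobj\n"
                b"5 0 obj<</S/JavaScript/JS 6 0 R>>endobj\n%%EOF",
    "invoice\u202efdp.exe": b"%PDF-1.4\n%%EOF",
}

if __name__ == "__main__":
    for fname, content in SAMPLES.items():
        verdict, reason = check_attachment(fname, content)
        print(f"{fname!r:24} {verdict:10} {reason}")
```

The header check is the important one for reception staff: a file called "scan.pdf" that does not begin with %PDF- is not a PDF, whatever its icon suggests, and should be deleted rather than opened.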
How do you choose your technology providers and what questions should you ask them?
Surrounding yourself with professional solutions that comply with the GDPR is necessary to secure the personal data that passes through your tools. You are responsible for equipping yourself with solutions that comply with current regulations.
Here are a few essential questions to ask your technology providers before establishing a partnership with them:
- Where is the data stored? Which type of data is stored where? GDPR requires you to know exactly what data is located where so that you can take action on it.
- Do I own the data? Data Processor (the service provider) versus Data Controller (the hotel) status
- Is there dual security for logging on?
- How do you manage shared logins?
- Is there a clear system for assigning administrator rights? Not all employees need to have full access: User account versus Administrator account
- Do you have a document outlining your security policy? What happens in the event of an emergency - do we have a dedicated number or chat? Can we block the account?