Ali Neil, Director of International Security Solutions at Verizon, discusses why data security is likely to be paramount in the hospitality industry as technology in the sector advances at a rapid pace – can security keep pace with change?
Technology in the hospitality sector is advancing more rapidly than previously thought possible. Such unprecedented change is altering the expectations of consumers, as well as the means by which companies serve them. Hotels, casinos, restaurants and other hospitality organizations are increasingly adopting new technologies such as chatbots, virtual and augmented reality and interactive guestrooms to provide improved customer service. The implementation of 5G, which will soon offer massive advancements in network capacity, opens up new and efficient ways to store company and customer data. But with every advancement come new challenges, particularly in the area of cybersecurity, where hackers are taking advantage of companies undergoing digital transformation during this pivotal period of change.
According to Verizon’s annual Data Breach Investigations Report (DBIR), the hospitality industry has been far too hospitable to cyber criminals as of late. Across multiple industries, financially-motivated actors are targeting point of sale (POS) environments, allowing them to collect customers’ payment card data. In hospitality, 95 percent of all cybersecurity incidents were caused by external actors. While the report found that the number of POS intrusions in the hospitality industry has decreased since 2017, there is no indication that the decrease is part of a larger, optimistic trend.
So, how can hospitality organizations help combat increasingly complex cyberattacks, especially when many companies are shifting their focus toward adopting new technologies to keep up with the expectations of their consumers? There are a few steps companies can take:
1. Analyze the threat landscape: Whether leveraging default credentials or stolen credentials, organized criminal groups often target the smaller businesses within the hospitality industry. Think about where your organization stands—are you on the smaller end of the spectrum, and therefore more likely to be sought out by cybercriminals? Considering how attackers perceive your company is an important first step toward combatting them.
2. Protect your assets: The most recent data shows that year-over-year, there is a malware problem affecting POS controllers and terminals. To combat this trend, implement anti-malware defences across these environments and validate the breadth of implementation of controls. Focusing on detective controls is just as important. There should be additional means of detection other than the external correlation of fraudulent usage of payment cards. Restrict remote access to POS servers and balance the business needs of interconnectivity between POS systems to defend against the potential spread of malware from the initial location of compromise.
3. Develop a security operations team: As hard as one might try, it’s impossible to build a perfectly secure security system. A security operations team can help monitor for threats and fill in the gaps where the security system might falter. If your company’s budget allows, a security operations team can be an invaluable asset. If developing an in-house team isn’t feasible, consider contracting security operations as a service.
4. Upgrade POS terminals: When a chip-enabled card is inserted into a properly-configured EMV-enabled POS terminal, the reusable magnetic stripe information is not exposed or stored. Along with contactless payment methods, this can disrupt how attackers would attempt to steal sensitive information. Like the hospitality industry, cybercriminals are adapting. Continuing to embrace and implement new technologies raises the bar and helps protect against payment card fraud.
Data from the DBIR suggests that while there is work to be done on preventative controls around POS compromise, there is equal room for improvement in detecting compromise. Realistically, it is important to understand that many of these victims are “mom and pop” operations, and that asking for sophisticated file integrity software is not a feasible plan of action. However, working with POS vendors to ensure that someone knows how to detect a threat is a simple but valuable start.
Despite the diversity of organizations within the hospitality sector, the industry is undergoing significant change across the board. Companies should learn from industry data, and perhaps most importantly, disseminate knowledge to their employees and franchises, if applicable. While technology is vastly improving hospitality, cyber attackers are developing more complex means of intrusion to keep up. While implementing security protocols may seem inconvenient, small steps can go a long way in keeping your company’s data, as well as that of its customers, safe.