Cybersecurity In the Hospitality Industry
Like other industries that traditionally underinvest in cybersecurity, the hospitality industry has recently come under increased attacks from cybercriminals. As a result, it has been suffering from unprecedented losses.
Innovations in restaurant technology are radically transforming the way that the hospitality industry does business. New technology reduces costs, attracts new customers, and streamlines operations, bringing huge opportunities. But it also carries with it technological risk, cyberattacks, and information security breaches.
For a restaurant or any other organization in the hospitality industry, it’s simply not good enough to just play defense against organized cybercriminals. A business needs to have a robust and proactive plan to secure the business from cyber risks. This is done by correctly identifying risks, proactively protecting data, complying with payment processing regulations, and reacting appropriately when a cybersecurity incident does occur.
Why Target the Hospitality Industry?
While restaurants and hotels serve guests, they are also serving up valuable credit card and personal data to cybercriminals without even knowing it. Because of the sheer volume of payment card transactions, as well as the (often very large amounts of) CRM data on their systems, hospitality businesses need to identify vulnerabilities before cybercriminals do.
This was the case with restaurant chain Landry’s. Cybercriminals can illegally gain access to a business’s POS (point-of-sale) systems and install a specific type of malware designed to steal their customer’s payment card details as they transact.
Cybercriminals then sell that stolen payment card data on markets in the dark underbelly of the internet known as the Dark Web. Alternatively, they use it to further their identity theft activity against your customers. With an identity fraud and credit theft monitoring service, you can help mitigate some of the risks to your customers should such a break occur.
For the hospitality business, a breach of trust and the damage done to their credibility is often irreversible. Customers increasingly complain about credit card fraud and sue.
Why Invest in Hospitality Cybersecurity
The technology innovation in operations, marketing, and payments in the hospitality industry needs huge amounts of data to sustain itself. This is what attracts organized cybercriminals who want to profit from that data.
Despite most attackers focusing on card data, increasingly they are looking at your loyalty programs. These often contain valuable personal details, such as age, visit frequency, and addresses.
Payroll systems are also up for grabs because they contain valuable data on employees such as banking details, along with other personally identifiable information. Communications with vendors may contain intellectual property or confidential operational data that is also attractive to hackers.
Unless hospitality businesses protect themselves properly with a proactive cybersecurity strategy, all of this data is vulnerable to exploitation by organized cybercrime. If you think your business is too small to become the target of a cybercriminal, think again. Many small businesses are attractive targets to hackers because they probably do not have robust cybersecurity defenses in place and also because they are unprepared to deal with attacks.
Cyber attacks on restaurants and even cruise lines are starting to evolve into substantial risks for hospitality businesses. Good cybersecurity does require investment, but many restaurant owners find out far too late what that investment costs in relation to a successful cyber attack on their business.
Cybersecurity incidents can cost a hospitality business dearly and include:
- Legal fees and recovery fees in the event of a data breach.
- Payment Card Industry (PCI) fines if a breach involves payment card data.
- The cost of being forensically audited.
- The cost of notifying customers (legal requirement) in the event of a breach.
- Financial costs of lawsuits against a business.
- A loss of credibility and reputation from customers and the public.
Despite all of this doom and gloom, the hospitality industry can manage their cyber risks and proactively avoid becoming the target of cybercriminals if they adopt some of the strategies that the Digital Hands team recommends. All of these strategies enable you to become much more proactive about protecting your business and customers from attack.
Know the Information Security Risks
Hackers are usually most interested in stealing data that can be resold on the darknet markets, including payment transactional data, any personal or proprietary information, and payroll and employee data.
There is the risk of fraud, too. Most hospitality businesses usually have a large network of vendors and suppliers. In this case, criminals may pose as those businesses and invoice for services or products that have never been delivered. Or, if they have access to IT infrastructure, they can substitute bank details on invoices.
Audit IT Systems
A key activity is to ensure a business has been properly audited from a cybersecurity perspective. You need to properly audit your IT infrastructure, your POS systems, and ensure all endpoint software is up to date and properly patched.
Next, make sure that you know how your systems connect to other branches. Audit connections with vendors to minimize supply chain cyber risks.
Once you properly understand your own IT infrastructure and its digital connections you can begin to work out what data is being sent over those connections and why. When a data connection is no longer needed, it's best practice to close that channel.
You should also take a close look at exactly who has access to your network and who can access it remotely. Limit access to applications and systems that have a good reason for remotely connecting. A comprehensive IT audit will help you spot weaknesses in your cybersecurity and enable you to take steps to properly mitigate against them proactively.
Secure POS Terminals
In the hospitality business, the most common targets for cybercriminals are point of sale terminals. These often contain large amounts of data, as well as transactional data and payment card information. Therefore, it is essential to properly secure these terminals.
In addition to ensuring that POS terminal software is up to date and properly patched, make sure that you are following government-mandated and PCI compliance standards for these terminals.
Also, consider whether or not a cloud-based POS system that stores sensitive data securely is an option. It is also worthwhile implementing access control systems and permission-based tiers of data access for your own team, just to further lock them down.
Because the third-party providers of POS systems are increasingly a target for cybercriminals, choose your partner wisely and verify that they are taking all of the necessary precautions to secure their (and your) POS infrastructure. Inquire about application security, privacy policies, and data breach prevention measures.
Separate Devices With a Firewall
A firewall that keeps your network-connected devices from interacting with each other can stop infiltrations and malware infections from spreading across networks.
If your devices do not need to communicate with each other across your network, virtually separate them to cut off data breaches and lateral movement across networks before they happen.
The single best investment one can make in a hospitality business's cybersecurity is an investment in employee cyber training. When staff can recognize the warning signs of a cybersecurity attack, they form an invaluable line of defense against attackers.
Employees can be taught to avoid the common catalysts for a data breach, including avoiding clicking on suspicious links or attachments in emails that unleash malware or ransomware. You should also think about limiting access to the business’s internet-connected devices and/or prevent them from browsing the internet on workstations.
It is also important to train accounting and management employees on the importance of good password management, which tends to be a weak spot in the hospitality business. Implement strong password policies and force regular password resets.
While some may consider it inconvenient, the ground you gain in overall password security means that this strategy pays dividends.
Contact Digital Hands
Digital Hands employs a deeply experienced team of cybersecurity professionals who help businesses in the hospitality industry avoid attacks from cybercriminals.
If you or your partners need a competent security services provider to ensure that you are making the right moves with cybersecurity, call Digital Hands at (855) 511-5114 today.