Cybersecurity Awareness Month, every October, is a collaboration between government and private industry to raise awareness about digital security and empower everyone to protect their personal data from digital forms of crime. The month is dedicated to creating resources and communications for organizations to talk to their employees and customers about staying safe online.
According to the Acronis Cyberthreats Report 2022, phishing continues to dominate as attackers' favourite method of initial access: 1% of all emails sent daily are malicious in nature. Additionally, Q2 saw a 10% increase over Q1 in the number of malicious URLs identified.
What does this mean for hotels specifically?
Hotel brands are increasingly reliant on technology and the internet to run their business: check-in, content streaming, payments, property management system (PMS) administration, digital kiosks, IoT devices and more. That larger footprint also makes them more exposed to cyber-attacks, and cybersecurity awareness training is critical to protecting both the business's and its guests' data.
The hospitality sector is especially interesting to bad actors (hackers) as the systems used within the hospitality space often contain a wealth of sensitive information, including guest credit card data and contact details, and in some cases, passports and driving licenses are on file too. A cyber-attack on a hotel’s PMS can have serious consequences, ranging from the loss of guest data to the complete shutdown of hotel operations.
Cybercriminals have a wide variety of methods at their disposal and will use whichever is most effective. Based on the large data leaks and breaches in the hospitality sector over the past 12 months, phishing remains the most successful, tried-and-true method of initial access. On the dark web there are even Phishing-as-a-Service (PhaaS) suppliers running these offerings as full businesses.
Hotels are seeing this more often in its targeted form, spear-phishing: the criminal has done their homework on a specific associate within the organization, their email address, their role and their communication patterns, and crafts a message tailored to that person.
The email will look as if it came from a trusted source, such as a colleague or supplier, and will ask the recipient to click a link, open an attachment or reply with specific information, all in service of a disguised request that ends in leaked data or credentials.
If the associate follows the link or opens the attachment and it is malicious, the attacker gains whatever access that associate's account and device have: reading mail, stealing confidential information or installing further malware on the network. This is why a second principle matters, least privilege (often described as "privileged" or "restricted access"): an associate's account should have only the minimum permissions to corporate resources required for their job, so that one compromised account limits how far an intruder can go.
So now what? How do you train your associates to recognise these messages instead of creating vulnerabilities?
While the best way to do this is to conduct regular awareness training and testing as part of a comprehensive strategy, there are some simple things that everyone can learn to help recognize a phishing email:
- If it looks odd, it's probably phishing.
- If you weren't expecting the email, it's probably phishing.
- If it has spelling and grammar errors, it's probably phishing.
- If it pushes urgency (act now, or your account will be suspended), it's probably phishing.
- If it asks you to click a link or download a document you didn't request, it's probably phishing.
- If it asks you to provide personal information or a password, it's probably phishing.
- If the sender's display name doesn't match the actual address, or the link text differs from where the link really points (hover before you click), it's probably phishing.
- If your anti-virus/anti-malware software or email security solution flags it as suspicious, it probably is.
The simplest rule: if you're unsure, don't click the link or open the attachment; report it to your IT team immediately and ask them to check it. Cybersecurity awareness training teaches employees what to do in the event of an attack and how to report it. By raising awareness of the risks and how to protect against them, organizations reduce the likelihood of a successful attack.
Don't forget: globally, 30,000 websites are hacked daily, and human error causes 23 percent of data breaches, according to IBM. There is no time like the present to review what training is planned, what is actually happening, and then give staff a refresher.
About the Author
Dr. Spencer is the Chief Information Security Officer at Nomadix & GlobalReach and has been a technology leader in the Wi-Fi industry for well over two decades. Previously Chief Technology Officer for GlobalReach for over 20 years, his team helped design and build some of the world's largest secure Wi-Fi networks, allowing seamless connectivity for users. A recognized thought leader in best-practice secure, seamless sign-on experience and the use of Passpoint (Hotspot 2.0), Chris has been involved in the specification and delivery of Next Generation Hotspots (NGH), and leads and co-leads several industry working groups for the Wireless Broadband Alliance (WBA), Hospitality Technology Next Generation (HTNG) and the Seamless Air Alliance (SAA).