My quote was true six years ago and it still stands true today. If you haven’t gone through a data breach, you will – and that means you need to prepare yourself, your team, your executive leadership and your board.
Hospitality is very exploitable
First and foremost, our industry is blessed and cursed with very hospitable professionals. These folks are fundamentally accommodating, making them perfect targets for social engineering attacks by cyber criminals. How many employees in your company would share their credentials or print a guest’s presentation when handed a USB drive? This is the primary cause of many security problems.
The best medicine is to ensure that EVERYONE goes through some level of training on a recurring basis. Awareness, posters, or anything else that can keep cybersecurity at the top of mind is very important. Cybersecurity is not the job of just the CIO or Chief Information Security Officer (CISO), it is everyone’s responsibility, including the CEO.
Security through law enforcement
Imagine that in your own neighborhood you see someone walking door-to-door checking locks, then entering the ones that are unlocked. You would naturally call the authorities. Well, there isn’t an entity out there that hasn’t been crawled – sometimes up to a million or more times a day. This is the electronic version of the person checking locks. They find a vulnerability or open door and exploit it.
Once you are a victim of this cyber exploitation, you should call multiple government authorities (FBI, Secret Service, and sometimes local law enforcement) and make sure you keep their contact information available. Don’t expect to see an immediate retaliatory response. Every once in a while, you see some low-level identity thief is apprehended, but rarely do you ever hear of a true cyber war where the bad guy’s infrastructure is ruined, and the data they captured is destroyed. The government’s response has been more watch and wait as opposed to seek and destroy. However, it is good to at least let the authorities know what is going on because sometimes they are the only ones that have the centralized perspective to see the criminal activity that could be spanning multiple players within hospitality and beyond. That’s one reason why HTNG has created the Travel ISAC – more on this a little later.
Low risk, high reward
If you have a vision of some juvenile delinquent in their mom’s basement as the primary perpetrator of cybercrime, you are sorely mistaken. The organizations after your data are professionally managed, have extensive recruiting strategies and are very well capitalized – it’s big business! There are also Nation States that are in the business of collecting and analyzing your data. The problem is that the penalties for many of these cybercrimes compared to their payoffs are pretty minimal. I get it, do you really cause an all-out war over a few personnel files or credit card numbers? However, some form of punishment needs to fit the crime.
Wouldn’t it be nice if the next piece of phishing email you get, you could reply back with an attack so severe that the infrastructure the malcontent was using would be rendered useless? Or, any crawlers would get a response that resembles a level of “Shock and Awe” that would prevent them from ever attacking again. Unfortunately, hacking back is illegal. I do think that a coordinated governmental response is the next best thing but as I mentioned before this response needs to have better visibility and priority within our legislative ranks. Call your legislators and let them know that cybersecurity of our digital assets is important and needs to be protected as much as our nation and borders.
What can you do? General housekeeping.
If you don’t have a CISO, the first thing to do is hire one. CISOs are well skilled in getting the most out of the current toolsets for your organization and they will help you stay on top of security developments within your environment. In addition, they can set the cadence of multiple education efforts that you will require.
Have you orchestrated a tabletop exercise with your leadership team? If not, you should get your CISO and executive team together and go through one. Include all relevant parties in your organization (the CEO!), including a few you may not even have thought of. You want to have a binder on your shelf that you can take out and turn to page one as soon as you realize you have been breached.
The next thing you can do is work collectively. As mentioned in the book “The Challenger Customer” by Adamson, Dixon, Spenner and Toman, “… researchers have found that groups naturally gravitate to shared information. Psychologists speak of ‘social sharedness’, the idea that information and perspectives shared among group members tend to have a disproportionately large impact… Simply put, groups focus on and discuss shared information at the expense of unshared information.” This is what the bad guys do – they share and sell information to infiltrate networks brazenly in online forums.
Now the travel industry has its own team, The Travel ISAC, created to defend and protect guests, staff and corporate assets from complex threats. You may feel that you are alone in being a victim, but chances are the bad actor is also engaging in nefarious action toward your competitor. I have seen this group in action at very critical stages. I have seen this group call a meeting at 9 a.m. and get 100% attendance from everyone around the world at 1 p.m. At that 1 p.m. meeting, the parties were sharing information that they could immediately act on and improve their respective environments. The Travel ISAC is certainly an organization you want to be a part of at strategic and tactical levels. Evolving from the previous Hotel CISO Forum, most of the major hotel chains are part of the Travel ISAC, but there is always room at the table for other hospitality members.
Every day someone else enters the arena and launches a new virulent attack. In the short term, hire a CISO, call your state and federal representatives, join the Travel ISAC, prepare your breach response, train your employees and do as much as you can, but recognize even that may not be good enough.
About the author:
Michael Blake, CEO, HTNG