Most hotel companies have organized the responsibility for cybersecurity under information systems (IS) or information technology (IT). Although technology is at the heart of a successful cybersecurity program, there are several aspects that technology isn’t well equipped to handle.
One key source of failure in effective cybersecurity is the misconception that it’s wholly the responsibility of the technology team. On top of that, the person in technology charged with leading cybersecurity may not be in the best position to collaborate with other departments across functions. High-level descriptions and examples of the need for cross-functional engagement in cybersecurity include:
Human Resources
Human resources (HR) plays a critical role. In order to control and manage access to systems and data, HR needs to communicate – on a timely basis – information about terminations, new hires and contractors. They also need to review employees who change job roles or locations for access changes. Further, HR expertise is needed to plan and implement training programs for technology end users. This type of training, which can make or break cybersecurity defenses, is often called the “human error factor.”
HR training managers have the knowledge and skills to evaluate features of third-party training programs in terms of what will work best for various job roles and the corporate culture. Members of the IT security team can provide subject matter expertise on content, but typically aren’t well equipped to roll out training programs. All employees who use technology should have ongoing training on an annual basis. HR has the records to identify all eligible people and document completed training.
Another important aspect for HR participation in cybersecurity is to reduce or mitigate “insider risk” by conducting background checks on new hires. This can lower financial fraud and embezzlement risks as well. These checks could be conducted for critical positions (people who have access to confidential data or system level access), at least every three years.
Sometimes, existing employees acquire a criminal record after their initial hire. If the person doesn’t serve jail or prison time, but incurs other penalties, like fines, the employer may remain unaware. This can lead to unpleasant surprises in the form of security and fraud incidents. For companies concerned about the cost of background checks, the information most frequently falsified on resumes is education, a check that usually has to be done manually. Simply verifying the education given on job applications is a necessary risk control.
HR expertise in policy development can also help IT develop the right security policies. HR can be particularly helpful in making the distinction between technical standards and procedures that apply only to IT and overall policy that applies to all colleagues. Finally, HR is well equipped to distribute and secure acknowledgment of new policies.
Legal Counsel
Another significant team partner in cybersecurity is the legal counsel. They’re in the best position to maintain a current inventory of contracts with all third parties who have access to any type of confidential information. This includes guests, employees, suppliers and contractors. Due to the escalation of ransomware risk, the scope now needs to expand beyond confidential information to consider systems or data that are essential to company operations.
Legal counsel should also review new or renewal third-party contracts to ensure they address data/cybersecurity clauses. It’s particularly important to include clauses related to notification and cost responsibilities in the event of a breach or security incident.
Finally, legal counsel is the appropriate source to identify laws and regulations relevant to the organization and implement compliance measures. Although many security professionals have training and knowledge in this area, their role should be to provide input to qualified legal counsel.
Finance and Accounting
Typically, legal and finance professionals have the training and experience in risk management concepts and practices to give excellent advice and support to the cybersecurity function. A combination of these functions may be most helpful.
Cyber risk insurance is still emerging and evolving as an insurance product. But the decision to purchase it, determine appropriate coverage and negotiate terms and conditions relies on the finance team’s skills and knowledge. It’s important to consider cash reserves, risk tolerance and what amount of cyber insurance would be beneficial. This should be done in consultation with cybersecurity expertise in order to evaluate likely scenarios and impacts.
Another consideration: Cybercriminals often target finance and accounts payable teams, along with chief financial officers, because they are authorized to make payments and transfer funds. Email phishing and email account hacking are typical techniques in these attacks. Any other department with authorization to make payments, such as facilities, sales and catering, should also be considered a potential target. This group needs specialized, additional training along with best practice procedures for making electronic payments and transfers.
Finance can be a valuable partner to ensure that cybersecurity has an adequate budget and resources. Even the most talented security professionals still need the right tools and skilled resources to carry out their responsibilities.
Finance usually manages audits, whether they’re internal or led by an external, independent auditor. Cybersecurity audits should be conducted against an established and relevant security standard. Examples include the ISO standards, US NIST standards and the Center for Internet Security (CIS) standards, rather than standards used for financial controls, although there is some overlap. For the purpose of checks and balances, a valid security audit should not be controlled by IT.
Public Relations and Communications
Public relations – often called external affairs – along with internal communications functions, is a critical success factor in the event of a major security incident. This group has crisis management knowledge and skills. In the event of a data breach, statements to investors, plus notifications to guests or employees, can make all the difference in whether the company is perceived to be responding well or not. Naturally this is a collaborative effort, but this role can’t be overlooked or minimized.
Hotel Operations
Operational departments such as food and beverage, sales and catering, rooms, spa services, email marketing, etc. are on the front lines when it comes to collecting and handling all kinds of sensitive, confidential information. A simple error like accidentally emailing a list of guest contact details to a large group email address can have devastating results. These groups need to be well-versed in policy and procedures. This underscores again the need for the right policies, procedures and – most important – training.
One operational area that’s often missed is tracking and escalating guest complaints. This can be an early indicator of a data breach. These types of complaints should be handled carefully, escalated and reviewed. Although guests often have misconceptions about credit card fraud, they also may have valid concerns.
Governance
The high-level descriptions above explain why governance and oversight are always recommended for cybersecurity. This is also why an incident response team must be cross-functional. The person leading your cybersecurity program should have the authority and the established relationships to allow them to work across functions.
There’s no single solution or approach that fits every organization and culture. But developing unified key performance goals is one proven way to drive and improve collaboration. Ultimately, recognizing the need for cross-functional engagement in cybersecurity and understanding the respective roles and contributions of each area should lead to effective management.
Lynn Goodendorf is a cybersecurity expert whose previous roles include group information security officer with Mandarin Oriental Hotel Group and corporate risk and chief privacy officer with IHG Hotels & Resorts.
©2021 Hospitality Upgrade