
Cyber Hostility Toward Hospitality



October 21, 2019
Cyber Security
JC Vega

There is no substitute for cybersecurity preparedness

It was a normal day at an industry conference. We were meeting with fellow CIOs to discuss strategy, innovation and leadership across the hospitality industry. Midway through the meeting the phone rang. It was a reporter, and after the initial salutations she said this:

“I’m working on a story about the breach I’m hearing happened at your hotel, thousands of records are out on the Dark Web. Are you aware of this situation, can you provide more details? Do you have a comment … what about your guests, clients, stakeholders … how are you responding?” -Reporter

The reporter was firing questions like a machine gun set on rapid fire. The truth of the matter was that the reporter already had her story; she was just looking to verify and add some salacious comments to an article that would garner a lot of attention with an edgy headline. In hindsight, that call was the precursor of what was to be a really bad day, not just for us, but for our industry. Our hotel was being ransomed by threat actors who were targeting the hospitality industry in a sophisticated and coordinated attack; we were one of many. All the phones began to ring with multiple alarming issues. Personally identifiable information was allegedly compromised. Industrial control systems were encrypted and inaccessible by technicians, shutting down elevators; people were trapped. Demands for cryptocurrency were rampant. Social media was reacting negatively, loudly and instantly. Business emails were compromised by elaborate whaling phishing campaigns carried out by patient threat actors who, in hindsight, were sitting on our networks for some time. They were learning how we operate, our tools, how we might respond, and how they would react to our countermeasures. Our industry, our business, our customers, our leadership; we were under siege. The last words I recall from the reporter were, “I’m on a deadline, I am running the story in an hour, do you have a comment?” Later that day a news agency was asking if I would be fired for the absolute failure of our security.

As it turns out, this was a military-grade leadership reaction course designed to challenge participants to their individual and collective points of failure. The experience was an immersive, realistic, flight-simulator-like training scenario designed to test the ability of individuals, leaders and organizations in a crisis environment where collaboration and coordination are keys to success, while emphasizing the unique attributes of cybersecurity threats and their impact. The experience was hosted by IBM’s X-Force Command Center at IBM Security’s headquarters in Cambridge, Mass. The experience rises above table-top exercises: executives and senior leaders exercise and practice their crisis response plans that extend beyond the technical response teams. Business best practices indicate that successful cybersecurity involves a whole-of-business response that includes the board of directors, C-suite, business lines, as well as human resources, internal counsel, and other key aspects of the organization. Most important, a cybersecurity crisis is not just the technical team’s problem. Far from it: planning, preparing, practicing, and defending is everyone’s responsibility.

The threats to the hospitality industry are driving the shift to defending the whole-of-business infrastructure that includes the technical network and extends beyond it as well. The social-technical infrastructure extends to practices, processes, and procedures that threat actors are exploiting. The attack surface for the hospitality industry is widely distributed across geography, business lines, external dependencies, like vendors and partners, and extends to each employee. For example, the housekeeping staff, with keys that open entire floors, is reflective of individuals having elevated privileges that may require specialized training, yet are at times an overlooked exposure to risk. Threat actors use social engineering to exploit the industry’s tenet of “be helpful” to gain unauthorized access. The hospitality industry is especially vulnerable to social engineering and phishing attacks. For the large organizations of 1,000 or more employees, the hospitality industry led 19 other sectors with an astounding 48.4 percent likelihood to fall victim to a phishing scam and put their companies at risk for potential compromise (KnowBe4, 2019). A highly connected ecosystem creates its own challenges and risk exposure. A threat actor will attempt to exploit the ecosystem that includes third-party partners and vendors, geographically dispersed activities, retailers and the associated information systems that, by design, give the client a seamless experience. Targeting the “seams in security,” where control measures and responsibilities often meet, but don’t overlap, is a standard modus operandi because that gray space is an often overlooked or ignored attack vector.

The cyber threat environment is driving the change in security practice, where incidents happen at machine speed, and social media may be the first indication of a looming storm that will propel an organization into action, and where actions, or the lack thereof, can have a decisive impact on the end state or the aftermath. Organizations need to prepare for a worst day with an intense, immersive experience that builds your team’s critical cybersecurity and leadership skills in a realistic and gamified environment. The X-Force Command Center brings cybersecurity’s best business practices, frameworks, and principles to life, in a non-threatening environment designed to inspire a culture of cybersecurity. Many participants have gone as far as saying that they had fun experiencing and learning cybersecurity.

©2019 Hospitality Upgrade 
This work may not be reprinted, redistributed or repurposed without written consent. For permission requests, call 678.802.5302 or email info@hospitalityupgrade.com.
