Fran Worrall
Jun 1, 2020

Cybersecurity in the Age of COVID-19: What Every Hotelier Should Know

Recommendations for Protecting Hotel Data During the Pandemic and Recovery

Cybersecurity in the Age of COVID-19: What Every Hotelier Should Know

Fran Worrall
Jun 1, 2020

Recommendations for Protecting Hotel Data During the Pandemic and Recovery

As hoteliers are increasingly distracted by a host of new pandemic-related requirements ranging from cleanliness and hygiene standards to rules of social distancing, occurrences of cyberattacks are on the rise. In fact, according to a recent report issued by Atlas VPN, remote desktop protocol (RDP) attacks grew by more than 300 percent since early March in the United States alone. Other countries, including China, France, Germany, Italy, Russia and Spain, also have seen skyrocketing incidents of cyberattacks.

“There has been an astronomical increase in spam, spear-phishing attacks and other malicious activity in direct relation to the COVID-19 pandemic,” said Eric Luke, senior director of forensic investigations at SecurityMetrics, an Orem, Utah, data security and compliance company. “Hackers are capitalizing on the disruption in operations to compromise both businesses and individuals.”

Home offices typically lack the security measures built into hotel protocols and thus are more vulnerable to hacking and other cyberthreats. “We’re asking people to work remotely, but we’re not always addressing how to do that,” said David Durko, chief executive officer of Security Validation, a managed security service provider in Fairfield, N.J. He cites a recent spike in the creation of pandemic-related domain names and the potentially dangerous consequences should remote workers fall prey. “In March alone, more than 185,000 new domain names were created, 90 percent of which had URLs related to COVID-19,” he said. “It’s hard enough to prevent employees from clicking on these kinds of links when they’re working on premise; and now, with many of them working from home, you’ve lost a lot of security oversight.”

Vigilance in Safeguarding Data

Experts and hoteliers alike agree that this is no time to relinquish data security best practices. “Cyberattackers are looking for every opportunity to take advantage of organizations that aren’t accustomed to remote workforces,” said Benjamin Vaughn, vice president and chief information security officer at Hyatt Hotels Corporation. Properties must be vigilant in safeguarding data, implementing strong cybersecurity programs as well as reliable computing, networking and telecommunications services. In addition, they should have a plan to respond quickly to outage events.

Tariq Valani, vice president of IT for Middle East and Africa operations at Accor, agrees, noting that hackers are launching phishing campaigns that deliver malware and ransomware specifically targeted to employees working from home. “Proactive monitoring of email and devices is critical,” he said. “And, given the fact that IT personnel are working remotely, you must ensure that remote monitoring of systems is possible.”

Hoteliers can take some simple steps not only to minimize the risks of cybersecurity attacks now, but also to position the property for success upon reopening. Following are six ways to mitigate vulnerabilities and ensure data protection, both immediately and in the long term:

Unplug. Keep in mind that data can be stolen, even if the property is closed. “The bad guys can still hack into your network and into your hotel,” said Jeff Venza, chief executive officer at VENZA, an Atlanta-based data security and compliance company. He advises properties to physically unplug devices such as servers and workstations from the network. “You can’t just turn off the lights and send everyone home. You have to take it all the way to make sure you’re secure from the outside world.”

Prohibit personal computers. Staff shouldn’t use personal laptops for hotel business. Likewise, they shouldn’t use their personal email addresses to communicate hotel information. “If you want to ensure secure operations, utilize only dedicated devices and networks,” Durko said.

Use a VPN and multi-factor authentication. Mandate the use of a virtual private network, or VPN, to create a private encrypted tunnel for off-site users to access the hotel network. Then, add multi-factor authentication to protect against credential theft. “This one-two punch provides consistent and secure access to applications,” Durko explained. Also, require the VPN software to scan the computer for vulnerabilities prior to allowing connectivity.

Provide the latest firewall and anti-virus software. According to Venza, one of the best ways to ensure data security is to stay current with updates for computer operating systems and programs. “Security patches for firewalls are often overlooked with potentially devasting results,” he said. The hotel’s IT vendor or IT services company can offer help in this area, making sure proper procedures are followed and software is installed correctly.

Block furloughed and inactive staff. Disgruntled staff can log into the hotel network and create havoc. In fact, Durko notes, more than 70 percent of data compromises come from ex-employees. Block their access to all hotel applications, including the property management system. “You have to do more than merely deny access to email accounts,” he said. “You must prevent access to the network if you want to ensure data safety.”  

Provide proper training. During the pandemic, hotels will lose a significant portion of their workforces to other industries or jobs. So, as properties reopen, training will be vital to seamless and safe operations. Even returning staff will need instruction, particularly regarding new processes and procedures that surround COVID-19. “You must take the time to onboard new employees correctly and retrain returning staff,” Venza said. “It’s critical to the hotel’s success.”  

Finally, the COVID-19 pandemic has highlighted the importance of including technology and electronic assets in the hotel’s disaster recovery and business continuity plans. “Many organizations have found themselves in a position where employees didn’t have company-issued laptops; or employees who did have laptops didn’t have the ability to use secure remote connectivity,” said Accor’s Valani. “Those hotels lost valuable time as they rushed to enable remote working scenarios.”

In the past, disaster recovery and business continuity plans typically focused on recovering from natural disasters, such as floods, tornados and earthquakes, and on rebuilding physical facilities. In today’s interconnected and technology-based world, these plans must also incorporate recovery from data loss. “With employees increasingly working remotely and relying on electronic communications, malicious actors are constantly ramping up their attempts to introduce ransomware into company networks,” said cybersecurity expert Luke. “Critical systems and data not only must be backed up, but they also must be backed up in a way that protects the back-ups themselves from being compromised if ransomware is introduced into the network. Paying a ransom to get your data back should never be your plan.”

PRIVACY VS. SAFETY: The New Challenge for Hotels

The coronavirus pandemic has presented hoteliers with a number of new challenges, one of which is balancing privacy and safety. If a hotel asks guests to discuss their health prior to check-in, the hotel can be opening itself up to liability. On the other hand, the hotel has a duty to take reasonable precautions to ensure the safety of its employees and other guests.

It’s a sticky situation to be sure. “The moment a hotel denies a guest a room because an employee doesn’t know how to use the infrared thermometer, that property becomes a steward of personal health information,” said David Durko, chief executive officer of Security Validation in Fairfield, N.J. Hotels that already have access to all sorts of guest reservation data, such as addresses, phone numbers and passport information, now have medical information as well. “The guest’s privacy has evaporated.”

In other industries, such as healthcare, some of this data is considered ‘protected health information,’ or PHI, and is subject to HIPAA guidelines and restrictions, noted Eric Luke, senior director of forensic investigations at SecurityMetrics, a data security and compliance company in Orem, Utah. “Guests may not be comfortable sharing that kind of information with a business that isn’t required to protect it.”

Indeed, when it comes to the issue of privacy vs. safety, hotels are navigating uncharted waters. “COVID-19 has created the new lepers,” Durko said. “And technology–if used incorrectly–could create the virtual leper colony.”

Luke agreed, cautioning hotels not to overstep. “If businesses go so far as to ignore civil liberties, they will need to find different–and legal–ways to achieve their goals.


Let's Get Digital

7 Questions to Ask Before You Invest in a Hotel Mobile App


Make a Better PMS Choice!

Not all properties are ready for PMS in the cloud. The good news is, at Agilysys it’s your choice on your timing. State-of-the-art leading PMS in the cloud or on-premise PMS. Either way we say YES.