During these trying times we are seeing a meteoric rise in cyber security threats targeting user credentials, financial information and sensitive business data. The current environment presents specific risks and opportunities for hoteliers. Identifying and addressing these risks has not yet garnered support from the top of the hotel’s management structure. This must change and will before long. It is vital that hoteliers take this opportunity to review their data security processes and procedures in order to close the threat vectors. The coronavirus pandemic has shone a light on serious process and technical security gaps that increase the probability that hotels will suffer catastrophic data compromises.
The most glaring gap is that Incident Response Plans do not include guidance on how to deal with disasters such as COVID-19. Every major compliance mandate recommends that Incident Response Plans include processes and procedures for the protection of sensitive information during times of extenuating circumstances. While properties are focused on securing and protecting business functions, they are not considering how best to lock down and protect their electronic assets from damage or compromise. As more and more hotels are forced to temporarily close their doors, no one is paying attention to securing systems and adding extra protection to ensure that the unattended, dormant systems are protected.
Compliance mandates spell out very clearly the requirement that businesses have a Disaster Recovery and Business Continuity Plan. This pandemic has made it very clear that hotels do not have a Business Continuity Plan in place and that their Disaster Recovery Plan amounts to little more than a cloud-based data store for system backups.

Moving to a remote workforce has been difficult and has elevated the risk posture of the properties. A Business Continuity Plan would have identified the need for SSL-VPN connections that incorporate multi-factor authentication. The plan would require that remote or home users’ systems be vulnerability free before connecting to the hotel network. Additionally, Advanced Endpoint Threat protections would be required to manage zero-day threats, stop most malware pre-execution and provide USB and Bluetooth controls. The implementation of an EDR/MDR product is necessary since open source, freeware or conventional anti-virus software is not enough.

As of March 27, 2020, more than 185,000 new domains were registered worldwide. The sole purpose of these sites is to lure unwitting users to fake websites where sensitive credentials can be stolen. The stolen credentials then allow the attackers to defraud users or infect sensitive systems and networks. As of March 30, 2020, reported incidents of ransomware introduced from these malicious domains are up ten-fold.

For properties that remain open, employee furloughs will lead to the assumption of day-to-day operations by corporate management. We expect to see an uptick in data security incidents since management rarely participates in training and awareness programs. This makes them far more susceptible to phishing attacks. According to published data, email phishing attacks are up 667% in the past 30 days. Fear, uncertainty and panic to obtain the latest information lead to the suspension of data security best practices and an increase in clicks on malware-laced emails. An example of one such email comes from an Eastern European source targeting associates already worried about losing their jobs and risking their health. This email appears to come directly from the Center for Disease Control but is in fact a cleverly disguised phishing email. Another example appears to come from the Small Business Administration and provides a link to the SBA Application. In one email, as soon as the link is clicked, ransomware is delivered to the user’s computer. In another variant, clicking the link presents an online form that allows the bad actors to capture vital user information.
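As an added example (not part of the original article), one way a mail filter could flag the CDC and SBA impersonation lures described above is to compare the agency named in the display name or subject against the actual sender domain and the hosts of any links. The agency-to-domain table, the function names and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the two agencies named in the article, mapped to their real parent domains.
AGENCIES = {
    "cdc": ("cdc.gov", re.compile(r"\b(cdc|centers? for disease control)\b", re.I)),
    "sba": ("sba.gov", re.compile(r"\b(sba|small business administration)\b", re.I)),
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domain(host, parent):
    """True only for the parent domain itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == parent or host.endswith("." + parent)

def check_message(raw):
    """Return findings for one raw RFC 5322 message that names an agency."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    claimed = f"{display} {msg.get('Subject', '')}"
    findings = []
    for name, (parent, pattern) in AGENCIES.items():
        if not pattern.search(claimed):
            continue  # message does not claim to be from this agency
        if not in_domain(sender_host, parent):
            findings.append(f"{name}: sender domain {sender_host!r} is not {parent}")
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname
            if not in_domain(host, parent):
                findings.append(f"{name}: link host {host!r} is not {parent}")
    return findings

# Constructed sample messages (not real captures).
SPOOFED = (
    'From: "CDC Health Alert" <alerts@cdc-gov.example.test>\n'
    "Subject: Updated COVID-19 guidance for staff\n\n"
    "Review the notice: http://cdc.gov.update.example.test/notice\n"
)
GENUINE = (
    'From: "CDC" <no-reply@news.cdc.gov>\n'
    "Subject: CDC weekly update\n\n"
    "Details: https://www.cdc.gov/\n"
)
```

The suffix comparison in `in_domain` is what catches a host such as `cdc.gov.update.example.test`, which a plain substring match on "cdc.gov" would accept.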

Here are the immediate steps a hotel can take to mitigate risk while they weather these difficult economic times.
  • Make sure the property has a current backup of all critical systems
  • Disable all non-essential user accounts
  • All VPN users must use multi-factor authentication
  • Remote users must have USB drives disabled
  • Perform vulnerability scans prior to connecting to the hotel network
  • Install an EDR/MDR (Advanced Endpoint Threat Protection) to ensure all threats are proactively managed.
  • Current AV will not remain current, receiving updates and definitions.

Well-publicized breaches are more than a cautionary tale. The methods of attack put the bullseye squarely on the backs of franchised and independent hotels. This leaves ownership holding the bag.