By Marion Roger and Geneva Rinehart
Another week and another hospitality company is in the headlines after a security incident involving payment information was announced. This week the baton was handed to HEI with the announcement that 20 properties under the Hyatt, Marriott, Starwood and InterContinental brand names were breached through POS malware. Last week’s headlines followed the detection of malicious code in certain legacy MICROS systems, and before that it was Omni Hotels and Resorts in the news. And the list will continue to grow unless something changes.

Have we become apathetic to the drumbeat of constant headlines about companies victimized? Not that long ago Hospitality Upgrade published the column, “The Cyberthreat Landscape in 2015,” where authors Richard Sheinis and Frances Parker described the criminal factions who treat hacking as a 9-to-5 corporate job. (Hospitality Upgrade, Spring 2015)

“Dozens of people sit at their desks in long rows of cubicles while working on their computers. Instead of handling customer service calls, they are sending out phishing emails by the thousands.

An office building might have several floors filled with dozens or hundreds of these hackers. They don't have to know much about hacking themselves. They are given a script or a specific malware-laced email to send. They go to work every day like so many other office workers. They even have quotas to meet, and pit bosses to make sure they meet them.”

John Christly, CISO with Netsurion, a provider of remotely managed security services, said, “Hospitality companies must understand that they are in a digital war with cybercriminals that are after payment card data. It’s a harsh reality that the war is being won far too often by these hackers. Any business, regardless of size or vertical specialty, that processes payment data or offers free Wi-Fi to guests, is a lucrative breach target, but unfortunately, large chains like HEI have bull’s-eyes on their backs — enticing hackers with large quantities of valuable information such as credit card data for patrons, sensitive employee data for staff, and sometimes even medical data used by in-house care facilities.”

The hotel industry continues to be too easy a target. Security Validation CEO David Durko said, “Despite the poking and prodding by banks and payment acquirers, hospitality remains well behind the curve in terms of data security.”

And, PCI SSC International Director Jeremy King said, “As we’ve seen with the latest breaches, no business is immune to attack, and security can’t start and end with compliance. Where companies fail is when they take a checkbox approach and don’t address security-relevant changes, like personnel changes, technology upgrades and new vulnerabilities discovered with existing technology.”

Staying Out of the Headlines

“It’s a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left. By then, it’s too late,” said Zach Forsyth, a director of technology innovation at Comodo.

Traditional defenses just don’t work anymore. Netsurion’s Christly said, “New defensive approaches, advanced cybersecurity tools and increased cyber intelligence need to be deployed. Possible tools include things like File Integrity Monitoring, Unified Threat Management (UTM) appliances, Security Information and Event Management (SIEM) and next-generation endpoint security solutions. When systems like this are in place and managed appropriately, the processes within the programs and the computer operating system and memory will be watched for suspicious activity — and those tools will talk to other tools that have even deeper threat intelligence from a network of other deployed sensors.”

A line of defense certainly can help. Forsyth said, “The focus for IT departments needs to be on protection, not detection, and installing modern secure Web gateways and advanced endpoint protection solutions that can stop malware and cyberattacks from compromising data and negatively impacting their businesses and customers.”

Christly agreed and added, “This proactive approach will help to keep organizations out of the breach headlines.”

It’s a PICNIC – Problem in Chair Not in Computer

New technology defensive approaches are just one pillar of the security triad. “When it comes to payment card security there are three factors that must be addressed: people, process and technology,” said King. “Proper security requires a multi-layered approach that incorporates PCI Security Standards.”

This is not a new revelation. According to an article by industry expert Marion Roger published in Hospitality Upgrade (June 2013): “Protecting data across so many platforms and with so many users is a challenge that is best met by requiring awareness training, policies and procedures and strict enforcement. To protect the integrity, confidentiality and availability of guest and employee information in a highly networked environment, every person who touches, sees or works in any way with guest or employee data of any kind must understand how to protect it as well as the consequences of compromise.”

Regular coverage in HU with articles by Roger and other industry experts, as well as new initiatives by HTNG and other hospitality industry associations are putting laser focus on one point: Educating staff about data privacy and information security must now be a key part of security training throughout the hospitality business for reasons beyond compliance. According to Roger, two of these reasons include increasing customer confidence and reducing legal liability.

Security Validation identified five key reasons the hotel industry lags behind other industries:

  1. Lack of Enforcement – Hoteliers are not feeling the pressure to become compliant. We are almost 11 years into PCI compliance and still there is nothing meaningful in the way of penalties or punitive actions to force hoteliers to do what is right, let alone what is mandated.
  2. Apathy – Hoteliers are just slow to change. If they haven’t experienced the pain of a data breach they cannot relate to just how bad it can be for their business.
  3. Financial – Hoteliers are notoriously frugal. They cannot calculate the value of becoming compliant. The return on investment (ROI) that comes with making their property more secure eludes most owners.
  4. Disbelief – A large majority of hoteliers surveyed still believe the brands are responsible for their compliance. These hoteliers believe they have no level of responsibility despite statements to the contrary from the brands.
  5. Management – Legacy management contracts do not have provisions for technology expenditures, let alone PCI compliance. Management companies are reticent to renegotiate or materially change contracts for fear it will impact their own business. Without management leading the charge, owners aren’t likely to move ahead.

Hospitality consultant Jeremy Rock, principal with RockIT Group, has some additional items to add to the list above. According to Rock, some of the PCI compliance requirements are ahead of what vendors can deliver from a development and implementation standpoint. A key example of this is EMV, where the requirement calls for a pay-at-the-table solution, but most of the industry solution providers do not have a viable solution offering. “Additionally there is the issue of cost,” said Rock. “A number of the EMV solutions are costly and not operationally effective. As such companies are holding off on the deployments until a viable and cost-effective solution becomes available.”

There is also the issue of risk vs. cost. With EMV, the actual card-present risk for the hotel industry is, as perceived by management and ownership, far lower than the cost of trying to deploy an effective solution.

Lastly, the impact on your bottom line of not focusing on the human vector will be catastrophic. “Train all of your staff to understand data security, use the right technology for your organization, and have good policies that make the best of the people and the technology, then use them,” said King. “Organizations that make security an everyday priority can and do identify and mitigate threats to prevent compromise.”