By: HFTP CEO Frank Wolfe, CAE, FIH
The recent conflict between Russia and Ukraine has prompted a new security alert from the United States Cybersecurity and Infrastructure Security Agency (CISA). The agency is encouraging U.S. organizations to proactively fortify their cybersecurity defenses against the increased risk of cyberattacks spilling over to U.S. networks. As the association representing the finance and technology segments of the hospitality industry, we want to ensure that HFTP members and stakeholders are aware of this latest update and can take steps now to better protect their business infrastructure and operations, technology systems and client data from possible breaches, hacking or malware attacks.
Theresa Payton, who has previously served as the first female White House chief information officer (CIO), is one of the nation’s leading authorities on cybersecurity and is the CEO of Fortalice® Solutions LLC. She advocates for diligent planning and preparation against cyber threats in the hospitality industry. “Every company, regardless of size or revenue, must act now. For corporations with limited resources, the thought of diverting funds from customer experience — the lifeblood of the hospitality industry — seems impossible or at the very least foolish. I get it — any dollar you spend on security is a dollar you cannot allocate to service improvements, better hotel rooms or guest perks.
“The best piece of advice I can give you is to determine your two most important assets. What are your crown jewels? Most hotels would cite their guests’ personally identifiable information and customer payment data. Develop a plan now to safeguard those two assets, then simulate a digital disaster, so you know who is in charge when the inevitable hits. Seek qualified partners and review your agreements with them to understand where responsibility lies. Focusing on cybersecurity shouldn’t feel scary or daunting. If I may be so bold, designing a cybersecurity plan is a business imperative.”
We also reached out to Mark Haley, CHTP+, who is a HITEC Advisory Council member, an HFTP Hospitality Technology Hall of Fame inductee and a veteran IT consultant, for his advice on how to protect your business in times like this, when we should be on high alert. “Ideally, your defenses should always be at the proper level,” said Haley. “But a period of augmented threat is a good time to review your practices to 1) ensure your defenses against allowing malware in are effective; 2) remind your people to be vigilant about cyberthreats, particularly those using email as a vector; and 3) verify that if attacked, you can isolate affected devices and restore normal operations from backups and images quickly.”
“Ransomware is the biggest threat at present, because it allows the criminals to get paid well, yet anonymously using bitcoin or other cryptocurrencies,” Haley continued. A recent cybersecurity report released by HFTP revealed that the most common causes of ransomware attacks in particular are spam and phishing emails, poor user practices, lack of cybersecurity training, and weak passwords and access management. Therefore, there are some basic steps that your organization should take now to mitigate these common causes.
Be extremely vigilant when checking your email. According to Statista, spam and phishing emails accounted for a whopping 54 percent of ransomware attacks in 2020. Staff at HFTP have noticed a recent uptick in spam emails this past week, and you may begin to notice it, too. This is a reminder to take great care when opening emails, especially from senders you do not know. Do not click on web links or open attachments in an email unless you are expecting it and can verify the sender; a display name is easy to forge, so check the actual sending address, and confirm unexpected payment or credential requests through a channel other than the email itself, such as a phone number you already have on file rather than one printed in the message. Treat macro-enabled documents, scripts and archive attachments with particular suspicion. If in doubt, throw it out.
Reduce human error with continuous staff training. Make sure that your employees are aware of your IT policies and procedures. Keep them up-to-date on the evolving threats that can negatively impact your cyber operations. Make sure you have your own clearly-defined policies and that your staff have access to them, as well as training that will help them understand how to correctly implement these policies.
Haley advised training employees to recognize “phishing and spear phishing attacks launched by email. Regular, mandatory training is essential. And follow up several times a year with fake phishing attacks to identify employees that need retraining.”
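The sender-verification advice above can be partly automated for the person who triages reported emails. The following is an added example, not HFTP's or Mr. Haley's tooling: it parses a raw message and surfaces the indicators a phishing-aware reader is told to look for (a display name that names a different domain than the real sender, a Reply-To routed elsewhere, an SPF/DKIM/DMARC failure recorded by the receiving mail server, links whose visible text points at one site while the href goes to another, and attachment types commonly used as malware droppers). The two sample messages, the domains and the extension list are all constructed for illustration.

```python
"""Triage helper: surface common phishing indicators in a raw RFC 822 message.

Added example, not HFTP's tooling. The two sample messages below are constructed.
"""
import os
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a short illustrative list of attachment types often used to deliver malware.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".hta", ".docm", ".xlsm"}
# Authentication-Results verdicts worth flagging.
AUTH_FAIL = {"fail", "softfail", "permerror", "temperror"}

HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)
# Anchor text that looks like a URL or hostname (scheme optional, at least one dot, then path or end).
URL_LIKE_RE = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/:?#]|$)", re.IGNORECASE)


def _addr_domain(addr):
    """Domain part of an e-mail address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _registered_domain(host):
    """Last two labels of a hostname; a stand-in for a real public-suffix lookup."""
    return ".".join((host or "").lower().split(".")[-2:])


def _host_of(url):
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def phishing_indicators(raw):
    """Return a list of (indicator, detail) tuples found in the raw message text."""
    msg = message_from_string(raw)
    found = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _addr_domain(from_addr)

    # 1. Display name that is itself an address at a different domain than the real sender.
    if "@" in name and _addr_domain(name) != from_dom:
        found.append(("display-name-mismatch", f"{name} vs {from_addr}"))

    # 2. Replies silently routed to a different domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _addr_domain(reply_to) != from_dom:
        found.append(("reply-to-mismatch", reply_to))

    # 3. The receiving mail server recorded an SPF/DKIM/DMARC failure.
    for method, result in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        if result.lower() in AUTH_FAIL:
            found.append(("auth-failure", f"{method.lower()}={result.lower()}"))

    for part in msg.walk():
        # 4. Link whose visible text names one site but whose href goes to another.
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, inner in HREF_RE.findall(html):
                text = TAG_RE.sub("", inner).strip()
                if URL_LIKE_RE.match(text) and \
                        _registered_domain(_host_of(text)) != _registered_domain(_host_of(href)):
                    found.append(("link-text-mismatch", f"{text} -> {href}"))
        # 5. Attachment with an extension commonly used to deliver malware.
        filename = part.get_filename()
        if filename and os.path.splitext(filename.lower())[1] in RISKY_EXTENSIONS:
            found.append(("risky-attachment", filename))
    return found


# Constructed sample: a fake overdue-invoice lure aimed at a hotel front desk.
SAMPLE_PHISH = """\
From: "accounting@grandhotel.example" <invoice-desk@mail-relay.example.net>
Reply-To: payments@another-domain.example.org
To: frontdesk@grandhotel.example
Subject: Overdue invoice - action required
Authentication-Results: mx.grandhotel.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please review at
<a href="http://grandhotel.example.invoice-portal.example.net/login">https://grandhotel.example/billing</a>
</body></html>
--b1
Content-Type: application/octet-stream; name="Invoice_4471.docm"
Content-Disposition: attachment; filename="Invoice_4471.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
SAMPLE_LEGIT = """\
From: Front Desk <frontdesk@grandhotel.example>
To: accounting@grandhotel.example
Subject: Tonight's arrivals
Authentication-Results: mx.grandhotel.example; spf=pass smtp.mailfrom=grandhotel.example; dkim=pass
Content-Type: text/plain; charset="utf-8"

Arrivals list is in the shared folder: https://intranet.grandhotel.example/arrivals
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

The registered-domain comparison uses the last two labels only, which is fine for the sample domains but wrong for suffixes such as co.uk; a real deployment would use a public-suffix list. Indicators are hints for a human, not a verdict: a legitimate newsletter sent through a mailing provider can trip the Reply-To and authentication checks, which is exactly why the text above says to verify through a separate channel.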
Make sure your IT policies address passwords. Staff should be required to use strong, unique passwords for every system and to change them immediately whenever compromise is suspected; current NIST guidance (SP 800-63B) no longer recommends forcing changes on a fixed schedule, because scheduled rotation tends to produce predictable variations of the same password. Passwords and accounts must never be shared between staff members, since a shared account also destroys the audit trail you will need after an incident. Enable two-factor authentication (2FA) on every system that supports it, starting with email, remote access and administrative accounts, and require a VPN for remote access, with 2FA enforced on the VPN itself, as exposed remote-access services with password-only logins are a common entry point for ransomware.
The compromise of usernames and passwords from your system is a huge concern, according to Haley: “criminals will then try to use the same credentials in banking and retailing sites – lower reward and higher risk for the bad guys, usually, than ransomware. That is why you should always use unique credentials as a consumer.”
When it comes to creating a strong password, “research shows that the strongest passwords are the longest ones,” said Haley, “not the ones with the most character types.”
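To turn the password advice above (length over character classes, no reuse of credentials attackers already hold) into an enforceable check, here is an added example; it is not HFTP's, Fortalice's or Mr. Haley's code. The 14-character minimum is an assumed hotel policy (NIST SP 800-63B requires at least 8), the breached-hash set is constructed from a few sample passwords, and the prefix lookup mimics the k-anonymity range query used by the Have I Been Pwned Pwned Passwords API without calling it.

```python
"""Password-policy check: minimum length, no composition rules, breach-corpus lookup.

Added example, not HFTP's code. MIN_LENGTH and BREACHED_SHA1 are assumptions.
"""
import hashlib
import math

MIN_LENGTH = 14  # assumption: illustrative hotel policy; NIST SP 800-63B's floor is 8

# Constructed stand-in for a breach corpus: upper-case SHA-1 hashes, the format HIBP uses.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password123", "Welcome2022!", "hotel1234", "correcthorsebatterystaple")
}


def range_lookup(prefix):
    """Simulate a k-anonymity range query: return hash suffixes for a 5-hex-char prefix.

    A real client would GET https://api.pwnedpasswords.com/range/<prefix> and parse the
    response; only the prefix ever leaves the machine.
    """
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def brute_force_bits(password):
    """Entropy an attacker faces if they must brute-force every character position.

    Character classes only widen the alphabet; length multiplies, which is why a long
    lower-case phrase beats a short password with every class represented.
    """
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(n_words, dictionary_size):
    """Honest estimate for a word-based passphrase the attacker knows is word-based."""
    return n_words * math.log2(dictionary_size)


def check_password(password):
    """Return (accepted, reasons). Deliberately no 'must contain a digit/symbol' rule."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        reasons.append("found in breach corpus")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("Tr0ub4d0r&3", "correcthorsebatterystaple", "the lobby piano needs tuning again"):
        print(repr(pw), check_password(pw), f"{brute_force_bits(pw):.1f} bits")
```

The brute-force figure flatters passphrases built from dictionary words; `passphrase_bits(4, 7776)` gives the roughly 52 bits a four-word phrase from a 7,776-word list really offers, which is still far better than a short password with mixed classes and, unlike that password, is something staff can remember without writing it on a sticky note.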
Constantly monitor for cyber threats. Ensure that every system runs current endpoint protection (antivirus or EDR) with up-to-date signatures, and make sure you have a managed firewall in place. Consider setting up website filtering and blocking to restrict user access to sites on a blocked list, as well as country blocking, which can also be managed through the firewall; bear in mind that geo-blocking reduces noise but does not stop a targeted attacker, who will simply route through infrastructure in an allowed country. Monitor logs regularly, conduct periodic penetration tests, and patch systems promptly rather than "when convenient", giving priority to internet-facing systems and to vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog. Finally, confirm that the backups you are counting on are kept offline or immutable, so ransomware cannot encrypt them too, and that you have actually tested a restore.
Frank Wolfe, CAE, FIH is the CEO of HFTP and an inductee into the International Hospitality Technology Hall of Fame and an HFTP Paragon Award winner. He often speaks on hospitality and travel related issues. He is an author, speaker and an advocate of careers in hospitality technology or finance.