#WorldTourismDay: Improving Hotel Cybersecurity Essential to Safeguard Guest Data

In a post pandemic world, the latest World Tourism Barometer owned by the UN World Tourism Organisation (UNWTO), signifies exceptional optimism for recovery in the immediate term, and a return to pre-pandemic tourism in the years to come. This comes as great relief for a number of African nations that are dependent on their tourism and hospitality sectors for direct and indirect GDP and socioeconomic contributions. Amidst this optimism, however, hospitality providers must take cognisant of the potential cybersecurity threats to creating a valued digitalised guest experience.

Tourism and hospitality sectors worldwide have experienced what can best be described as a rollercoaster ride over the last three years. Research by Statista suggests that prior to the pandemic - and before the undoubted impact of the protection and preventative lockdown measures that ensued - tourism and hospitality sectors worldwide had seen almost uninterrupted growth for decades.

During the various lockdown levels, and as borders and markets reopen, successful hospitality providers have been able to market themselves as offering safe and secure travel and ‘staycation’ alternatives. In many instances, this has included constantly adding new technologies and features to their networks in response to guest requirements, such as, but not limited to, secure and uncapped Wi-Fi connectivity and contactless check-in options. And as in any business operations, adding new technologies and connections to the network expands the potential threat base and increases the security risks that need to be considered.

To put this into context; according to Morphisec hospitality cyberthreat index, 70% of guests believe that hotels do not invest enough in cybersecurity protection.

Take the RevengeHotels campaign as an example. This sees different cybercriminal organisations using Remote Access Trojans (RATs) to infect businesses in the hospitality sector. The main attack vector is emails with malicious document attachments. Each spear-phishing email is written with special attention to detail. Usually, the attack sees the hacker impersonating real people from legitimate companies making a fake booking request for a large group of people.

Once infected, the computer could be accessed remotely. Kaspersky researchers found that remote access to hospitality desks and the data they contain is then sold on criminal forums on a subscription basis. According to the underground forums and messaging groups, these criminals also infect front desk machines to capture credentials from the hotel administration software. The attackers can then easily steal credit card details of guests and sell those as well.

Of course, the hotel and tourism industry must overcome more than only phishing attacks. McKinsey writes that weak infrastructure defences could also put hotels at risk. For instance, a hotel solely reliant on a local utility for its power could easy be disrupted if that critical infrastructure is attacked or goes down. It therefore makes sense to find a redundant power source in the event of a crisis.

Fortunately, in a number of African countries, including South Africa and Nigeria, the experience of prevailing challenges with sustaining national grid power supply that leads to frequent bouts of continued loadshedding or rolling blackouts, most hotels and hospitality players have invested in alternative power supply options available in their markets to mitigate against the threat of the electricity grid going down.

Additionally, the Internet of Things (IoT) continues to revolutionise the hospitality industry, making it possible for guests to control everything from the temperature in their room to the drapes and lighting with the touch of a button. While this level of convenience adds significant value to creating a valued digitalised guest experience, it also presents a new challenge for hoteliers when it comes to cyber security. IoT devices are often not as secure as traditional computing devices and can provide attackers with a gateway into a hotel’s network. Therefore, integrating IoT protection with network security must be prioritised.

"Cybersecurity solutions play a critical role in enabling businesses in the hotel and tourism sector to protect not only sensitive data, but infrastructure as well. However, hotels need flexible and user-friendly options to defend against attacks. This is also where employee training becomes essential. The best software in the world cannot overcome people who still click on malicious links and open infected email attachments,” comments Bethwel Opil, Enterprise Client Lead at Kaspersky in Africa.

With more than 80% of all cyberattacks resulting from human error, finding more innovative ways to educate employees than traditional training programmes is vital. The Kaspersky Automated Security Awareness Platform (KASAP) has been designed exactly with this in mind. Created by leading cybersecurity experts, this easy-to-manage online tool builds employees’ cybersecurity skills level by level.

Hotels can choose whether to assign employees a basic express course that will help them quickly meet regulatory requirements for cybersecurity training or refresh their knowledge or opt for a full course broken down into complexity levels. More than 350 practical skills are available on KASAP to cover all cybersecurity topics making it an invaluable resource for those in the hotel and tourism sector.

Beyond training, hotels must consider multi-layered IT security solutions. These include advanced anti-malware, data encryption, and endpoint controls. Vulnerability scanning, Web and device controls, and centralised systems management and tools are also critical components in this regard.

XDR (extended detection and response) solutions analyse data not only from endpoints (workstations), but also from other sources – for example the mail gateways and cloud resources. This adds another layer of protection as attacks on infrastructure can come in via any and all kinds of entry points. XDR also adds analytical and automation functions for the detection and elimination of current and potential threats. An XDR solution should be a good fit for large hotel chains, while smaller hotels would benefit from employing a simpler EDR (endpoint detection and response) solutions.

"Hotels must rethink how they approach cybersecurity especially at a time when guests have become almost completely reliant on online systems, email, apps and social media for everything from managing their travel arrangements and bookings, to their stay experience and providing feedback or reviews. Protecting guests and their data is something that must be a business imperative,” concludes Opil.

September 27, 2022