
Hotel companies use technology to fight cybercrime



Industry insiders say social engineering, artificial intelligence advancements and new technology streaming devices are major trends in the hotel industry, making hotels more vulnerable to cyberattacks than ever before. Despite this, hotel companies have significantly increased their attention and investment in actively fighting back against cybercrime.

Two prominent third-party management executives and a major brand representative were recently interviewed to get their perspective on the current state of cybersecurity within hotels. Paul Bushman, senior vice president of technology and enterprise solutions at Crescent Hotels & Resorts; Keryn McNamara, chief information officer at Aimbridge Hospitality; and Jason Stead, chief information security officer at Choice Hotels International, offer insights on the topic. The following Q&A represents a portion of those interviews.


LM: What are your hotels’ top concerns when it comes to cybersecurity? How are you working to mitigate these issues?

Paul Bushman: Many issues include but are not limited to ransomware, phishing (email and voice), DDoS attacks, hacking (cyber), PMS, POS and other systems, as well as advances in artificial intelligence to conduct sophisticated attacks and hacks. Additionally, social engineering is a top concern. According to many reports, as many as 98% of cyber attacks involve some type of social engineering. As many as 90% of data breaches target sensitive and personally identifiable information (PII), which can be used for the attacker’s financial gain and other malicious purposes.

Training is key to prevention. People need to know what to look for and what to do when they find themselves in these situations. Bad actors don’t gain access to personal and corporate information through IT systems; it’s humans who unlock and open the doors.

Keryn McNamara: For our hotel owners, the top concern is always the security and privacy of our guests, including their information. Ensuring we protect this information, as well as hotel owners’ financial and technical operations and systems, is critical to our cybersecurity management program.

At Aimbridge, cybersecurity is always a top priority. We are committed to staying ahead of potential threats by implementing advanced security measures and continuously monitoring vulnerabilities, emerging threats and changes in the strategies, techniques and procedures used by threat actors targeting the hospitality industry. Our cybersecurity strategy includes top-tier tools and technology, as well as strong partnerships with brand cybersecurity teams, industry leaders, government entities and law enforcement to ensure our guests’ data remains secure and our properties are protected.

Jason Stead: The accommodation industry has been receiving a lot of attention over the years. It’s had its ups and downs, but for hackers it’s definitely cutting edge right now. It’s a bit like sharks, they smell blood in the water, so unfortunately when hackers succeed in one area, success leads to success in other areas. A lot of what we do is really about not only protecting Choice’s corporate assets, but also helping our franchisees put the right controls in place to help protect guest information.


LM: What investments has the company made in recent years in cybersecurity technology and/or personnel?

PB: Crescent has made strong, intentional investments in cybersecurity in recent years. We believe in diversity of conservation and isolation of pathways to ensure we create islands of protection throughout our portfolio. This includes our physical, virtual, logical and human protection layers. Cybersecurity awareness training needs to be done on an annual basis to continue to remind people not only to be vigilant, but to know how to identify potential risks and what to do if they happen.

Managed Detection and Response (MDR) systems must be implemented to help keep the environment secure and continuously monitored to alert cybersecurity staff to potential risks and be able to investigate these incidents as quickly and in near real-time as possible.

KM: Aimbridge remains committed to investing in top-tier tools and leveraging the knowledge gained from our long-term partnerships. Our significant efforts to strengthen brand collaborations provide us with valuable insights and enhance our comprehensive strategy to ensure we maintain the highest level of safety for our guests, hotels and owners.

Moving our operations from the data center to the cloud with real-time backup and data replication improves our data integrity and enhances our ability to recover in the unlikely event of an event. We invest in top-notch firewalls, network intrusion detection and endpoint security protection. Email security through spam filtering, phishing, and using multiple solutions to automatically segment suspicious emails has proven invaluable in helping reduce the attack surface. Several years ago, we implemented a full-time staffed 7x24x365 Cyber Security Operations Center (C-SOC) that provides cyber threat monitoring and evaluates data from all of our servers, endpoints, applications and networks to detect and respond to potential threats.

JS: Choice and many other hotel organizations have invested heavily in endpoint detection response capabilities (commonly known as EDR). I think EDR will bring a huge change to the industry and help stop these common attacks. Hackers don’t just target an organization; they target everyone and use the same techniques. Hopefully, solutions like EDR will help the entire industry stop these attacks because we see the exact same threat actors every day.


LM: What steps are hotels taking to ensure your guests are confident their personal information is protected?

PB: Implement physical and virtual security measures, maintain compliance with PCI DSS and other security standards, provide ongoing security awareness and training, and ensure all passwords, software, and antivirus programs are regularly updated. The protection of personal information must be of high concern to hotel owners and operators. A good example is maintaining the latest patch versions of the PMS and guest room entertainment platforms.

The rise of streaming services has given bad actors the opportunity to access the streaming service accounts of previous guests. Additionally, if the PMS does not completely delete this information at checkout, there is a good chance that the guest profile may also be available through the television and in-room entertainment platforms. Many times, names, billing addresses, phone numbers, etc. are still accessible through the previous guest’s TV. This can be valuable information for bad actors looking to commit malicious acts.

KM: We take the handling and protection of guest information very seriously. It starts with a training program that all new employees must complete, as well as annual refresher training, which includes consumer privacy awareness and covers things like PII, CCPA and GDPR, as well as Payment Card Industry (PCI) training on protecting credit card information and privacy and preventing fraud. We also perform monthly vulnerability scans of hotel property networks and quarterly security compliance scans of point-of-sale (POS) infrastructure to ensure these environments remain secure and guest information is protected. Through our Vendor Security Risk Management Assessment Program, we evaluate any new technology vendors and their products before purchase and installation to ensure the solution is secure and data is protected.


LM: How important is the role of hotel personnel in helping to combat potential cybercrime? How does your company support these employees?

PB: Our number one asset in the fight against cybercrime is our people. While we focus on technology to prevent cybercrime, we know our greatest risk and strongest defense are our teams. Educating our team on how to best protect our guests is key to our success. We pride ourselves on utilizing top-of-the-line tools and ensuring our employees are fully trained in cybercrime prevention strategies to protect our properties and guests.

KM: Training our employees is an important line of defense in protecting our guests and property from cybercrime. As part of our comprehensive talent development program for our employees, we prioritize extensive ongoing training for our employees to ensure they are equipped to identify and respond to cybersecurity threats. This proactive training is not only critical to safeguarding our operations, but it also helps our employees acquire the critical skills they need. We recognize that a strong, well-trained team is critical to maintaining our position as an industry leader, and we are committed to honing the expertise needed to stay ahead in an evolving environment.

JS: Choice Hotels publishes training materials for our franchisees through the award-winning Choice University platform, and these training sessions are open to everyone at the hotel; it could be housekeeping, it could be engineering, it could be front desk staff. I think training is a key component for hotels to truly deter attackers. The most likely way a hacker can infiltrate a lodging organization is through social engineering. It is absolutely important that everyone at the hotel understands these threats and when they see something they need to say something.


LM: What is your overall view on hotel cybersecurity in the future?

PB: As the technology landscape (especially artificial intelligence) changes, hackers will become more sophisticated in their attacks. Technology solutions need to keep pace to prevent future attacks. Additionally, IAM and PAM are great opportunities to help protect against bad actors and attempted cyberattacks. Increased education for owners and operators is needed to ensure everyone understands that while people are often a company’s greatest asset, they can also represent the greatest risk. Hotels must prioritize investing in technology and employee education to protect against the malicious intent of bad actors. However, a change in attitude is urgently needed as this area is often the first to face budget cuts and only receives the necessary attention and resources after a breach has occurred. This is a classic case of not having enough time to obtain the correct insurance after the damage has already occurred.

KM: The cybersecurity landscape is constantly evolving, requiring continued vigilance and collective awareness. Protecting our guests and property remains our top priority as we work closely with our technology partners and industry experts to develop effective solutions and prepare for eventualities.

JS: I would say that investment in network-controlled accommodation has increased dramatically over the past five to ten years. You see this at the brand level as well as at the individual hotel level.


