With the adoption of advanced technology to manage your property and provide the best guest service, have you ever wondered about the potential new threats posed to your hotel security? Nowadays, technology helps hoteliers everywhere manage hotel operations, optimize revenues, and enhance the guest experience. These tech tools give hotels more control over their business, guest satisfaction and profitability. And it’s not just software: the guest room has evolved to include all kinds of smart technology products, such as smart TVs, tablets and even voice-controlled curtains, thermostats and lights.
While convenient, this new wave of interconnected technology also creates new risks and emerging threats. Attackers and cybercriminals will exploit any weakness to gain access to critical systems, often in pursuit of guest data and payment information that can be used or sold.
Over my career developing security strategies at both large companies and smaller startups, I’ve seen all kinds of hacks and intrusion attempts. To stay safe amidst these constantly evolving threats, hotels must have clear, concrete security plans.
I’ve put together some useful guidelines to protect the most vulnerable areas of your property, as well as a glossary of key security terms and a few essential best practices to improve your hotel’s defenses overall. Let’s bulk up your hotel security!
A big part of my past role in security preparation involved performing what are called External Penetration Assessments, which simulate an external attacker trying to break into a company’s systems remotely via the Internet. These assessments involve non-technical reconnaissance, such as researching lists of employees and office locations, as well as technical research, such as learning what types of computers they use and what systems they have connected to the internet. This underscores vulnerabilities hotels face across their operations, as attackers exploit both people (non-technical) and systems (technical).
So where should you focus your security resources first? Here are the three areas that are commonly targeted by attackers:
Attackers and cybercriminals use a variety of methods to gain access to a company’s systems. Here are a few of the tools and techniques they use to penetrate hotel security and gather useful information.
Hotel security management is less about finding an absolute solution and more about taking a series of small steps that combine to form a shield and layers of protection to prevent potential attacks. In the security world, we call this technique defense in depth.
Here are a few of my recommendations for hotel security best practices. Keep in mind that every hotel and situation is different, and if you have any questions about your specific situation, you should consult with proper security professionals, attorneys/lawyers, consultants, etc.
Effective security is proactive, not reactive; with these best practices in place, you’ll be better positioned to prevent intrusions in the first place!
In the hospitality world, we’re always trying to meet – and even exceed – our guest’s expectations, right? Well, sometimes that spirit of helpfulness was exactly what I needed when performing social engineering assessments and/or phishing tests. When given a believable story, a helpful employee might have been willing to give me access to a computer, give me sensitive information or even the main computer/server room! That said, human nature is the hardest thing to “secure.”
I recommend that you incorporate security awareness training as part of your onboarding, as well as ongoing training. This will help make staff more aware of security-related concepts and issues, and less susceptible to social engineering and phishing attempts, whether in person, via phone, or through email.
One of the most frequent vulnerabilities for hotels is within the public Wi-Fi network. That’s because the public network is all-too-often thinly separated from critical back-office systems. All an attacker has to do is book a room and use your network to probe for vulnerabilities, steal data and spy on guests.
If a hotel does not have the in-house expertise to implement the practices below, then they should consider partnering with an IT consulting and/or management firm that does.
Additionally, any networks used by guests (wired or wireless) should keep guest devices isolated both from each other and any computer systems and networks used by staff. This prevents one guest computer from even being able to contact another, and thus prevents the spread of malware or other malicious activity. This also prevents guests from being able to listen in/snoop on any staff-related traffic.
This one is simple-yet-powerful: choose your passwords wisely and strategically.
First, password security standards set forth by the National Institute of Standard and Technology (NIST) are ever-changing. In recent years, NIST has taken a stance to suggest using longer, more complex passwords, but not requiring passwords to change as often (or even at all).
That said, choosing a password that’s hard for an unauthorized party to guess and easy for you to remember is the suggestion here. This practice will help prevent your hotel staff from writing passwords down and leaving them places where someone (like me in my consulting past) could find and use them to gain unauthorized access!
Secondly, require unique passwords for each login. If you use the same password for your email account as you do other systems (such as your Property Management System), an attacker could phish/steal your email username and password, and then try the same credentials on your PMS!
As part of your hotel security awareness training, teach your staff about password managers, generating random passwords, and securing them via master password and Multi-Factor Authentication.
Third, enable Multi-Factor Authentication (MFA) wherever possible: on every site, every system, everywhere! MFA, also known as Two-Factor Authentication (2FA) is an added layer of security that only grants a user access to a system after successfully presenting another authentication mechanism along with a password, such as:
Even if a username and password becomes compromised (by way of phishing, brute force, credential stuffing, etc.), Multi-Factor Authentication protects against unauthorized access to that account by requiring another piece of information, action, data, etc. in order to proceed with login.
It can get very expensive to upgrade a property’s technology, but cybercriminals love outdated technology! Whether it’s the computers in the back office or your property’s digital locks, older hardware running outdated software become easy targets.
It’s essential that you know who you’re doing business with. When it comes to hotel security, you’re only as strong as our weakest link. A poor or weak system opens your property up to all kinds of vulnerabilities.
Hotels should ensure they do their research on the smart technology vendors and/or companies they are looking to buy from. It’s always good to have conversations and ask questions about security before you implement something new, rather than having a guest ask “How does your digital key vendor secure my personal data?” and you as the hotelier have no answer for this.
When fighting an adversary, it’s helpful to understand their motivations. For cybercriminals, it’s pretty much all financial: Verizon’s 2019 Data Breach Investigation Report found that 100% of breaches in the accommodation industry were financially motivated!
Hotels and hospitality management companies should ensure they secure all computer systems and applications used for accessing financial information. This especially includes locations where properties might be holding and accepting financial information, such as at the front desk or in their Property Management System.
I’m not an attorney – and I definitely don’t even play one on TV! So, if you suspect a data breach, you should consult with both a data security expert and someone who has legal expertise in this area. That way you can ensure you comply with all applicable data protection laws, regulations, and industry standards while also working diligently to close any gaps exploited by attackers.
That said, I have always firmly believed that honesty is the best policy. Put yourself in the guests’ shoes: would you rather stay with a brand that’s proactive and notifies you of a (potential) breach? Or would you rather find out by someone misusing your personal information (such as opening a bank account in your name, making unauthorized charges on your credit card, etc.) It’s a no-brainer – protect your reputation and get in front of any breaches.
Unfortunately, in today’s digital economy, it’s no longer a question of if but when your company will face some sort of security breach. And a successful attempt can not only cost you money in consulting fees and lost revenue, but the public relations hit to your reputation can also be catastrophic.
Properties of all sizes and across all categories must be prepared for threats coming from multiple directions and sources, including guests, staff or public citizens. To protect your hotel from unwanted intrusions, take time today to prevent future disasters. A little preparation goes a long way in preventing security attacks and keeping your hotel’s systems (and your guest data!) safe and secure.
Noah G. Jaehnert serves as Cloudbeds’ Director of Security. Born and raised in Milwaukee and currently living in Indianapolis, Noah brings his personal passion for travel together with over a decade of experience helping companies understand the regulations, risks, and challenges they face while helping determine strategies for the people, processes, and technologies needed to surmount them.
Earlier in his career, Noah served as a security consultant, ethical hacker, and penetration tester. At Cloudbeds, Noah brings his ability to think like an attacker and works with his team to build, define, champion, and execute Cloudbeds’ security strategy. When he’s not focused on security, you’ll find Noah either serving his community as a Firefighter and Emergency Medical Technician or spending time with his wife and young son (usually plotting their next travel adventure).