Rob specializes in strategic intelligence collection and threat analysis. He is very pragmatic and focuses on relationship and contact management. He is communicative, knowledgeable, commercially minded and a driver of protel’s security policies.
Can you imagine what the implications would be if the personal and financial information of every guest in a hotel were leaked to some data thief? The 5.2 million guests of the Marriott sure can.
They were the victims of an email phishing scam where company-wide W-2 forms (or tax forms for our non-US readers) were sent to an imposter pretending to be the CEO.
But the Marriott isn’t the first or only company to be targeted by the attacks of phishers, hacktivists, and cybercriminals.
And phishing isn’t the only strategy these computer thugs use, either. Just about every hotel in the world could be vulnerable to malware, ransomware, spam, hacking and social engineering.
Don’t think hackers can harm you physically?
Well, in 2010 Stuxnet reportedly ruined almost one-fifth (by some accounts one-tenth: 1,000 of the 10,000 in use at that time) of Iran’s nuclear centrifuges.
Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to become physically damaged.
Could you imagine the devastation that would have caused if even one of those centrifuges had exploded?
Another example would be the hacking attack on the website of the Epilepsy Foundation of America that began on March 22, 2008.
As recently as last week (18 September 2020) the University Hospital of Düsseldorf was attacked by cyber criminals.
They used ransomware, where attackers encrypt data such as vital medical records and hold it hostage until the victim, in this case the hospital, pays up.
As a result of this attack a woman in a life-threatening condition was rerouted to a hospital 20 miles away. She suffered terribly and eventually died because she was unable to receive proper treatment in time.
“This was absolutely inevitable. We are fortunate it hasn’t happened sooner”, said Brett Callow, a threat analyst at Emsisoft.
Are you sufficiently alarmed? Are you one sentence away from marching down the hall to the IT manager to request emergency cybersecurity training for all of your employees?
If you aren’t, maybe you should be.
Why Should Hotels Offer Cybersecurity Awareness Training for Employees?
The argument for educating staff on cybersecurity is a simple one: if staff don’t know how to recognize a security threat, how can they be expected to avoid it, report it, or remove it?
They can’t. If you’re looking for some jaw-dropping statistics to back you up, you’ll find plenty of those, too.
For example, the 2019 State of IT Security Survey found that email security and staff training were listed as the top problems faced by IT security professionals.
Yet, more than 30% of staff surveyed by Wombat Security Technologies didn’t even know what phishing or malware was.
This is probably why scams like the Business Email Compromise (BEC) result in whopping losses of over $3 billion (according to the FBI).
Hang on. Don’t these hotels have firewalls and security software?
They do, but it’s just not enough. Staff, not technology, are the most common entry point for phishers.
And when it comes to hotels, well, let’s just say there are many “phish” in the sea.
Now, this doesn’t mean that staff are conspiring to bring about the downfall of the hotel.
Nothing that sinister. But hoteliers are human: they make mistakes, trust fake identities, are tempted by clickbait, and are vulnerable to the other sneaky tactics criminals use to gain access to company information.
Unless, of course, they have participated in rigorous cybersecurity training programs.
Staff need cybersecurity training to protect themselves and the hotel against cyberattacks.
By making employees aware of security threats, the impact they might have on your business, and what procedures to follow when a threat has been identified, you’re strengthening the most vulnerable links in the chain.
So, phishers are more likely to move on to someone else’s splash pool and leave the well-protected dam in peace.
How to Train Hotel Staff About Cybersecurity
The World Economic Forum, in its latest report, The Global Risks 2019, puts cyber-attacks and data theft into the higher-than-average likelihood bracket for 2019.
To reach these record levels of data breaches and cyber-threats, cybercriminals are focusing their attention on the manipulation of human behavior. There is no longer any question about the part humans play as catalysts for cybercrime. The internet has opened a Pandora’s box that serves cybercriminals in their malicious actions, oftentimes with hotel staff as their weapon of choice.
So how do we counter these threats? Education, education, education.
With this in mind, how do we train our staff to be security-aware and to become our front-line defense against cybercrime?
The Security Awareness Training Process
Security awareness training is not a one-off event or a product; it is a process.
Security awareness comes out of a series of ideas, thoughts, and preparations that are used to develop a holistic security awareness training program.
Here we have a look at some of the fundamental areas that should be on every hotel’s training schedule.
Hotel Security Awareness Training Checklist:
1. Identify the Specific Cybersecurity Needs of the Hotel/Property
This may seem obvious, but knowing what you need and want is a first step to making sure the program is successful.
A good security awareness training package can be modified to reflect your company and industry needs.
It may be that you need to adjust the program for individual departments.
For example, the crime of Business Email Compromise (BEC) may be more likely to impact the people at C-Level than those in housekeeping.
Email phishing, on the other hand, is likely to affect only staff with access to computers; therefore a general package that trains computer users to spot the signs of phishing, together with simulated phishing exercises, will be needed across the organization.
2. Include Cybersecurity Awareness Training During Onboarding
Cybersecurity training for staff can’t wait.
A cyberattack can occur at any minute. And guess who’s more likely to slip?
New staff members are usually anxious and still adapting to their new work environment.
Understandably, cybersecurity is not their main concern. That means they might be careless about things like passwords or physical security.
They’re also easier victims of social engineering attacks because they haven’t yet learned who does what in the company.
Raising cybersecurity awareness during onboarding ensures there are no discernible weak links among your staff.
It’s also a way to communicate to staff that cybersecurity is a shared and ongoing responsibility.
Onboarding is also the best time to promote cybersecurity practices that extend beyond your hotel.
Staff should realize that online security is a fundamental issue.
Prompt them to apply the tips to protect their personal data and devices as well.
3. Cover Relevant Topics
Topic choice is very important when building your security awareness campaign. Choices to consider include:
Phishing, in all of its forms. Being able to spot the tell-tale signs of phishing scams is a key topic on the security awareness list.
Phishing is still the number one way that malware ends up on a network.
But training a diverse group of individuals across an organization needs a diverse training regime.
Education works best when you actually get to apply it.
Use a training program that offers life-like or true-to-life scenarios.
This way staff can feel what it is like to be on the receiving end of a phishing attempt.
Taking them through the process, for real, will make the training more memorable and more successful.
Don’t rely on non-interactive video training.
Get staff involved in the nitty-gritty of cybersecurity and what it feels like to be scammed.
Staff should be taught about cyber hygiene.
This should reflect the hotel’s general security policy.
It will include areas such as password sharing and keeping a clean desk (e.g. not leaving sensitive documents, like passports and ID cards, lying around).
Teach your staff about safe-surfing.
This typically includes: checking a site is secure before entering login credentials or other data, disabling pop-ups, and being cautious about downloading apps.
4. Make Staff Cybersecurity Training An Ongoing Process
Staff might develop a false sense of safety as time goes by.
Eventually, they’ll lower their guard against cyberattacks and become easier targets.
One of the most important cybersecurity training tips is repeating security awareness training regularly.
This way, you’ll keep staff armed and ready for any attack.
In the meantime, send staff occasional emails with basic cyber-hygiene rules.
For example, reminders to change their passwords or update antivirus software.
Also, keep an eye out for new, high-profile incidents in the news and communicate them to your staff.
The methods of attack don’t change dramatically overnight. But cybercriminals shift their focus to more profitable targets or easier points of entry.
For example, payment-card breaches through web applications have increased, whereas previously the main point of entry was physical terminals.
Good physical security and cybersecurity practice leads to reduced data breaches.
Being vigilant and having awareness training programs in place makes it very difficult for attackers to fool staff into accidentally installing ransomware.
Online security is very important, but if we want to reduce the threat to our hotel, we need to be vigilant at all times – it’s all about making staff more aware throughout their day-to-day work.
Open Door Policy
We all make mistakes and occasionally slip up. It is really important that staff know that they can come to you and that they are free to report problems without there being a risk of them losing their jobs. This will come from your personal management style.
Onboard Flawlessly and Without Exception
Cybersecurity is everyone’s responsibility; whether you are C-level, management, accounting, housekeeping, maintenance, or reception does not matter.
Everyone needs to be made aware of the hotel’s individual cybersecurity policies, attitude, and culture.
Education, Education, Education
Regularly send reminders via email, Slack, or whatever other messenger your hotel uses: to change passwords, to update anti-virus programs, and with information about the latest phishing techniques.
Special cybersecurity classes should also be conducted at least twice a year.
If you create a culture of cybersecurity awareness within your organization, then the chances of your organization becoming a victim are greatly reduced.
At protel, we love cybersecurity and if you would like to find out more about how protel PMS can benefit your hotel, please reach out to us here.