HospitalityBiz India

Cyber Security - Needs Absolute RED ALERT

Tuesday, May 7, 2019, 17:41 Hrs  [IST]

Recently, a number of well-known hospitality brands across the world have suffered malicious cyber attacks and data breaches. As hospitality players gather more and more personal information about customers in order to provide highly personalised and customised services, the onus on them to ensure the confidentiality of that information and data is also high. Any breach could put customers’ personal and private lives at stake. Although the hotel industry has started taking many precautions, they are too small and too few and far between. Asmita Mukherjee dives deep into the current cyber security scenario in the hospitality industry to understand its progress and learnings.

Marriott International reported a massive data breach of its reservation system by nation-state hackers last November, raising serious concerns about the personal and private data of around 500 million customers across the world. Reporting on the largest data breach in hotel history, The Washington Post said that, given the potential value of such information on such a large percentage of the world’s travelers, it might have been the handiwork of nation-state hackers seeking to track the movements of diplomats, spies, military officials and business executives. Yet even if the hackers were mere criminals in search of profit, such data offered the raw material for a range of possible misdeeds, including identity theft. The damage that can result from such thefts, which give access to the confidential bank details, credit card details and passport-related details of very important people, is unimaginable.

This was not an isolated incident in the global hotel industry. Hyatt Hotels had reported a similar system breach in 13 countries a couple of years back, involving the suspected theft of guests’ credit card data. InterContinental Hotels Group (IHG) also reported attacks by suspected hackers on its Rewards Club data in the same year.

According to a study released by Trustwave Global Security a few years back, the hospitality industry is among the “top three” industries across the world that are prone to frequent attacks by hackers. Hotels are targeted because they hold elaborate data such as guests’ travel plans, air miles, personal information like passport details, credit card information and personal preferences, all vital in aiding spear phishing attacks.

India, being a growing economy, has been welcoming the entry of international hotel brands regularly. Also, the accessibility of emerging technologies in the country has changed how the hospitality industry is run today. With the increased trading of information on digital platforms and the changing cyber risk landscape, the Indian hospitality industry is becoming more and more aware of the need for countering data breaches and maintaining consistency with the global hospitality industry’s cyber security standards.

Cyber security vulnerabilities:
The rising digitalisation of India has brought to the fore major security concerns across several industries, including the hospitality industry. Data analytics requires the capturing of valuable guest information like names, email addresses, passport numbers, dates of birth, and reservation and travel details across several levels in the industry. According to Naveen Sharma, IT Manager, Crowne Plaza Okhla and Crowne Plaza Gurgaon (IHG Group), hackers tend to target businesses that deal with the personal data of customers. “Since day to day operations of the hospitality industry includes a collection of private data such as payment card details, addresses, phone numbers, identification related documents etc., it becomes a key target”, he said.

Hemant Sawant, Corporate IT Head of Sayaji Hotel Pune, elaborates by saying, “This rich personal information is pure gold to cybercriminals. Additionally, most hotels and resorts have structural IT flaws making hotels and resorts vulnerable to cyber breaches”.

Prakash Nair, IT Manager at DoubleTree Suites by Hilton Bangalore, sums up the current cyber security threats to the Indian hospitality industry by saying, “Cases of e-crimes have increased manifold in the last five years and Indian hotels are definitely a growing target. Hotels present a vast array of people including leisure travellers, business travellers, government officials and even those in the technology or academic fields who want reliable and fast Wi-Fi. This becomes critical to the hospitality sector with the introduction of privacy and security regulations. In addition to this, malware attacks are highest in this industry”.

A key point of concern is the large number of third parties associated with the hospitality industry, whose systems are deeply interconnected with those of the hotels and restaurants. As Nair elaborates, “The hotel systems necessarily have to be accessible to many different levels within the company which increases the risk of data security breaches. Hotels are also highly dependent on a third-party vendor for their operations, which serves as an advantage for the attackers and increases the likelihood for e-crime”.

Although funding is not a major issue in the industry, the appropriate allocation of funds is. Smaller hoteliers often find themselves at a crossroads regarding the correct utilisation of available funds. Most of the funds are spent on services and activities ensuring guest satisfaction, and less on the background systems and processes, which hurts cybersecurity considerably. Another reason for the low spend on cybersecurity by small hotels could be that the amount of guest data they hold is also low, which makes them unappealing to prospective hackers.

Animesh Damani, Managing Partner, Platinum Hotels, sheds light on these aspects by saying, “Hotels like The Taj, The Oberoi, and The Marriott, have a strong central IT team and they spend a lot on cybersecurity. So, within the hotel premises itself, the chances of a breach are highly negligible. When we talk about the independent and comparatively smaller hotels, not every single hotel has the budget to ensure the setup of high-level security. Another issue is the lack of awareness and know-how on the IT front. However, the propensity of an individual hotel being attacked is very low because the gain is comparatively less as opposed to the chain hotels. And since the bulk of this sector comprises these unorganized independent hotels, the vulnerability of security breaches goes down considerably. Therefore, despite the lack of data security measures, they are not very prone to be hacked”.

It is fair to say that although differential spending by various hotel types can be accounted for, the heavy losses due to cybersecurity and data breaches in the hospitality industry cannot be. As Pankaj Kothari, IT Manager, W Goa, states, “Many companies have failed to keep their employees’ and consumers’ data safe as data breaches over the past few years have resulted in the loss of billions of private records and sensitive data. They have not just affected the organisations but have also affected the consumers. The worst part is that even after witnessing all the breaches that have happened in recent years, it seems cyber security experts across the world are not able to match up to the level of the cybercriminals. Every year several companies are getting added to the list, including the hospitality industry as well.”

Key causes of cyber security breaches:
Identification of the loopholes in the cyber security systems of the hospitality industry is key to preventing breaches. If the industry wants to halt dangerous and costly attacks, there is a great need to first understand the causes. The presence of internal bad actors in addition to the external ones has to be accepted by the hospitality industry to correctly address concerns revolving around data breaches.

According to Sharma of IHG Group, a number of internal risks exist in the industry, such as untrained or careless employees, disgruntled former employees, and heavily interconnected supply chains. Kothari echoes this, saying, “Cyber security cannot be achieved without addressing the human factor.” Sawant shares his insight regarding the importance of employees in cyber security. According to him, most hotels and resorts run a massive number of endpoints and remote connections, including HVAC controls, Wi-Fi systems, electronic doors, alarm systems and so on. A single breach is enough to enter the system and compromise the entire IT system. These endpoints are also used by multiple employees in the hotel, so it takes only one mistake by one employee to open the system to a cyber breach. Most of the employees managing hotel POS systems are not IT professionals, nor are they trained in cyber security concerns.

Nair puts forward some of the most important causes of breaches by saying, “Major causes for such breaches include weak passwords, sharing or leaking of passwords and falling for phishing scams. The use of direct and indirect malware (malicious software) is on the rise. Overly complex access permissions are a gift to a hacker. Insider misuse as well as physical theft of a device that holds the company’s sensitive information are other common causes of cyber security breaches.”

Most hotels in India nowadays provide complimentary Wi-Fi connections, which do not always have the most robust network protections in place. These weakly protected Wi-Fi networks make any information stored on a smartphone or a laptop accessing the network vulnerable. Damani throws light on the importance of using appropriately protected devices and networks by saying, “The biggest cause is the use of company devices such as computers, USB drives, laptops, etc. for indulging in downloading content from unsecured and unreliable sources. Although this is not an intentional act, it opens the door for breach without the knowledge of the user. One of the more important reasons for this is the lack of oversight of the company to block access to such unsecured sites from company appliances”.

In many of the recent attacks on the hospitality industry, unprotected point-of-sale (POS) systems were attacked to acquire credit card numbers and expiry dates along with cardholder names. Such systems have become a key cause of data breaches in the industry.

Zahid Memon, Director - IT, Keys Hotels, highlights a key concern of data breaches by saying, “Since hospitality is becoming a technology-driven sector, it has led to storing and sharing more information than ever before. Hospitality industry tools deployed for such tasks are subscribed via third-party solutions providers. Third party solutions commonly deployed are channel managers, booking engine, marketing automation platforms, etc. Such tools are hosted on a shared managed cloud infrastructure. Lack of data compliance and audit processes of the third party providers can lead to cyber security breaches.”

Indian hotels taking steps to bolster cyber security:
In the wake of cyber and data breaches across the global hospitality industry, hotels in India have started taking proactive steps to implement effective cyber security. These steps include complying with global security standards and applying the latest security patches to systems.

Appropriate and efficient use of firewalls, along with timely software upgrades, is among the key steps Indian hotels focus on for cyber security. Nair describes the steps taken at Hilton by saying, “The use of firewall for internet connection and guest Wi-Fi network have been secured and hidden. Software updates are downloaded and installed in operating systems as soon as they are made available. Email safeguards are used to protect from phishing scams and other malicious behaviours. Also, antivirus and antispyware software have been installed on every computer and regularly updated”. The use of firewalls and anti-virus software in Indian hotels is further reinforced by Damani, when he says, “We have always been a step ahead in terms of cyber and data security. We have a firewall installed in our premises and we use various anti-virus software. We also use an additional tool that blocks out any malicious and unwanted threats to the system”. Sharma also adds, “Our team ensures that all the systems are upgraded with the latest security updates. Old systems are most vulnerable to cyber security threats. Also, we have prohibited the download of any unauthorised programs or applications on the company systems. Our hotel has invested in the latest Firewall, and Next-generation anti-viruses to ensure that our networks are protected.”

Most of the hotels in India maintain compliance with standards such as the Payment Card Industry Data Security Standard (PCI DSS) from year to year. Joy Fernandes, Information Technology Manager at Novotel Goa Resort & Spa and Novotel Goa Shrem Hotel, says, “Our hotels are PCI DSS compliant by VigiTrust. Also, we follow a strict GDPR policy.” Memon also adds, “At Keys Hotels, all core property technology solutions implemented are certified or in compliance with international data protection norms such as PCI”. He also stresses the importance of a cyber security focussed organisation culture by stating, “We firmly believe in creating an organisational culture that emphasises data security among our associates at every level. This is critical and accordingly is addressed at various forums. Our website is secured (i.e. https enabled). We have initiated audit checks to ensure that all data is handled with the utmost care”.

Expressing similar caution, Sharma says, “It is mandatory for IHG employees to complete Cyber Security and Data handling training. We also train our employees on how to detect malware or phishing emails, and how to report them”. Kothari puts forward the importance of organisation culture through his one-liner, “Hotels need to create a culture of security”.

Segregation of data and limiting access to specific networks through effective authentication is another key strategy being adopted by the Indian hospitality industry to effectively counter cyber security breaches.

Regular audits of cyber security systems and reinforcement of existing standards are necessary for staying up to date with the latest trends. The Indian hospitality industry understands this key aspect and has begun taking steps to ensure that it is on par with global standards of cyber security. Sharma says, “While we continue to follow existing policies, we still review them regularly to ensure that the protocol keeps up with the evolution of data security risks. Other regular policies include revoking of access to the employees who have left the organisation and regular password updating”. Kothari also informed us that regular IT audits are conducted at his hotel. Memon reiterates the same, when he says, “We have initiated audit checks to ensure that all data is handled with the utmost care”.

Expert Advice:
The cyber security demands of the Indian hospitality industry are poised to grow in the coming years due to a number of factors, such as increasing application of IoT and mobile devices, an evolving collection of guest data for service personalisation, growing reliance on third-party vendors, and rapid expansion across multiple locations. In the evolving cyber security environment, Indian hotels need to be wary of the various threats looming around and must take proactive steps to counter them. Memon advises by saying, “Hotels should be vigilant with the entire gamut of the cyber security domain and data breaches. Accordingly, it is vital to create a sustainable cyber-secure environment for their guests, employees and vendors alike. The hotels should engage with reliable technology partners, and propagate the message that data governance is business management”.

Fernandes gives some tips for new hotels by saying, “Newer hotels under development should relook at their design aspects with greater attention towards integrated surveillance systems, advanced lock, and access control systems, and sophisticated asset protection tools.”

As it is not possible for a hotel to cover the entire gamut of holistic cybersecurity, considering the complexities involved, experts advise taking the help of qualified and experienced vendors for the same. As Damani rightly says, “One must hire a good IT agency that knows what it is doing”. Sawant reiterates the importance of this point. According to him, a large chunk of the problem can be solved by hiring IT professionals who are qualified, competent and have a thorough knowledge of how to detect, investigate and mitigate the risks as quickly as they occur.

Last but not least, proper education and training of employees is key to holistic cybersecurity in the Indian hospitality industry. Sharma explains the importance of developing a culture of cybersecurity within the organisation. According to him, security at a hotel has to go beyond installing the latest technology. It should also encompass training employees so that they do not inadvertently give hackers access to the network.

© Copyright 2016 Saffron Synergies Pvt Ltd