During a highly interactive and engaging session on cybersecurity at HITEC 2024, attendees had a chance to learn more about the nefarious ways criminals are bypassing their security protocols with the help of psychology, hoteliers’ own apathy and AI.

People Are a Problem

“You can spend ALL the money on cybersecurity, but people will always be your biggest problem,” said Daniel Johnson, CEO, Venza Inc. “On property employees are trained to be extra hospitable, they typically don’t have a lot of cybersecurity knowledge, and they don’t have a lot of experience dealing with ransomware/phishing schemes.”

Cybercriminals know this, and they use it to their advantage. For example, they follow a tried-and-true method to execute fraud: establish contact as a trusted source, ask for assistance, require secrecy, apply pressure for an action to take place quickly, and provide affirmations of value to the contact so that they feel like they’re in a position of trust and respect.

For example, a cybercriminal may call up a night manager and tell them that they’re an IT member from the hotel brand. They’ll go on to say that they need to apply a new patch to one of the software systems right away for security reasons. The patch is actually a piece of ransomware, but the criminal preys on the manager’s desire to do what’s best for the company and to be a good employee.

Criminals are also very well aware that humans are wired to ignore most of the information that’s presented to them. To use this to their advantage, they employ virtual sleight of hand. While getting employees to focus on something in the foreground, they’re going behind the scenes to find and exploit weaknesses within the organization’s tech stack.

“We need to be suspicious of everything! It’s the most difficult thing to protect yourself from and the easiest way to become compromised,” said Lyle Worthington, CEO, Worthington Tech.

Apathy Within the Industry

Panelists also discussed a variety of common excuses that come from boardroom executives who aren’t interested in spending more money on cybersecurity. For example:

  • “My small hotel is not at risk.” Cybercriminals actually target small businesses as much or even more than large ones.

  • “Cybersecurity doesn’t generate revenue.” Look at it from a different lens, can you afford the losses that a cyberattack will create? The average downtime per attack is 22 days, and the average cost per minute during that downtime is $5k.

  • “Our IT team can handle security, so we don’t need to invest more.” IT people are expensive and are a limited resource that are often focused on just ensuring a property (or multiple properties) are running properly. They don’t have time to do the deep dive into all of the different ways the organization has become vulnerable to attack over the years.

  • “Data protection is covered by our brand.” Brands provide very few of the essential data protection and regulatory compliance tools needed by modern hoteliers. Additionally, many brands won’t even offer advice on cybersecurity because it’s a large legal risk.

  • “We don’t have the time or resources.” If you don’t have time or resources to invest in something that has a 179% ROI, where are your priorities? And how much time and resources will you have when the company suffers a breach and loses an untold amount of revenue.

Insurance Isn’t a Safe Bet

Cybersecurity insurance used to be a simple one-page document that any IT guy could fill out, explained Fred Santarsiere, VP, Cino Security Solutions LLC, and claims were regularly paid out by the insurance companies. Today, that’s no longer the case. Not only have the application forms gotten much longer and more thorough, but now insurance companies no longer pay out as easily as before. Instead, they often require hoteliers prove how they have been constantly working to improve their cybersecurity protocols and taking the necessary precautions to prevent attacks. If hoteliers can’t provide that proof, their claims are being denied and the uptick in denied claims is indisputable. For this reason, hoteliers cannot and should not rely on insurance payouts as a safety net.

Artificial Intelligence: A Blessing & A Curse?

AI as a tool can be wielded for good and evil. For example, cybercriminals are leveraging it to find information on specific brands and properties, then they’re using that information for social engineering attacks (including drafting more persuasive conversations), making hundreds of phishing calls a day (without needing a real person to make the calls), and sending thousands of text messages a day, etc. However, hoteliers can also use AI to their advantage to protect themselves from these attacks such as via continuous monitoring, to detect possible attacks and alert humans, to recognize nefarious patterns, etc. For hoteliers, AI could be truly beneficial to combat cyberattacks.

Michal Christine Escobar