Wednesday, 17 May, 2017, 14 : 56 PM [IST]
Data Security No Room for Complacency
With the increasingly perilous and alarming threat landscape in recent times,
data security has become a topic of boardroom discussion, more so in
the travel and hospitality sector due to the immense customer information
handled by them. Emerging as a key concern amid rapidly growing
digitalisation, a data security breach can adversely affect brand reputation
as well as shareholders’ trust, revenue and customer loyalty. Hence, in
this disruptive age, gone are the days of legacy trust and taking the security
systems for granted. Now it’s all about building new trust constantly, at
every channel of engagement. Akansha Pandey finds out.
A leading daily reported last year that cyber criminals hacked into the
computer network of a New Delhi-based international five-star hotel chain
and stole some “loyalty points”. Even the Hyatt Hotels in India were hit by
malware found on its customer payments system. In India, 20 of its hotels,
90% of its portfolio in the country, had been affected. These and many more
such cases acted as a wake-up call and sent all major Indian and global hotel
chains scampering to conduct cyber audits to analyse and study weak spots in
their information technology systems.
Recently, India was also listed among the top five
countries in the world to be attacked
by ransomware, malware that
forces its victims to pay a ransom
through certain online payment
methods to regain their data,
as reported by Moscow-based
Kaspersky Lab. With increased
4G and 3G penetration, the
internet user-base in India
is expected to double to 600
million users by 2020 from the
current 343 million, so the threat
will only grow. ASSOCHAM and
E&Y have also revealed that mobile frauds are
expected to grow to 60-65% in the country by
2017.
Pavan Duggal, India’s leading cyber law
expert, lamented that Indian cyber law does
not have adequate provisions to deal with
the growing cyber threats. He feels that the
Information Technology Act, 2000, amended
in 2008, still does not comprehensively deal
with all relevant issues in the cyber security
ecosystem. India not being a signatory to any
international treaty on cyber crime complicates
the intrinsic ability of the immense law and
legal frameworks to provide effective remedies against cyber crimes
which are committed from abroad.
VISIBLE THREATS
Similar to other industries in today’s hyper-connected world, the travel
and hospitality sector is not untouched by data security and cyber
breaches. This industry is exposed to enormous amounts of private data
from customers as part of its daily operations, from personal to banking
and financial details.
Hotels are now expected to provide Wi-Fi network access for their
guests. Further, there is increasing adoption of “smart systems” within
hotels, like controlling guest room access, heating, cooling and even the
lighting of guest rooms, ordering room service and other hotel services
(including ones often provided by third-party operators such as massage
and spa treatments), and even ordering drinks in the bars. These “smart”
hotel services run the risk of following the “Internet of Things” (of which
they are really just a part), placing functionality above everything else.
Nick FitzGerald, Senior Research Fellow, ESET commented, “Hotels
also usually have a web presence that provides an online booking
function, and running that service securely and with strict adherence
to good privacy practices is clearly of the utmost importance. Further,
Point-of-Sales (PoS) systems are widely used throughout hotel bars,
restaurants and so on. Malware specifically targeting PoS systems has
been around for many years now and as extensive users of PoS systems,
hotel operators should be well-advised to deploy strong defences
against such malware.” Also, many hotels are part of large, often
multi-national, brands and hence they are more likely to be specifically
selected for targeted attacks due to the size of the “parent” business,
he added.
Hotel chains are often targeted by hackers as they typically keep credit
and debit card details on hard copy for the duration of an individual’s
stay in order to cover extra expenses incurred. In the classic scenario
within the hotel and tourism industry, customer card data is often stored
longer than is typical, to maintain consumer bookings and for miscellaneous
service-related charges after guests check in. Online booking systems often
get card data from various sources and third parties over the internet,
creating additional possible points of compromise, highlighted Nitin
Bhatnagar, Head-Business Development, SISA Information Security.
In recent data breaches, it seems that a decent portion of the breached
data may have come from the restaurant or front desk of the hotel chains, as
these are usually integrated with point-of-sale environments running various
applications. Also, keeping the Indian hotel chain scenario in mind, hotels
to an extent store card data on customer check-in files for future
reference, a practice which is very prevalent and may be another exposure
point for compromise. Most infections occur in environments which are using
remote administration software with weak password policies, he points out.
AWARENESS LEVELS
Awareness levels on cyber-security and
data privacy were almost negligible a few
years back and were acted upon only after
unfortunate incidents happened. Today, levels
of awareness are on the rise with recent cyber
and data infringements along with positive
conversations and actions in the public and
government domains.
Hotels today need to focus on more than just room sales and make a
more concerted effort on working to protect the information that their
guests trust them with, stresses Prashanth G J, CEO, TechnoBind. Most
hotels, including high-end luxury brands, hire third-party vendors to
manage sensitive data. This data may include personal and financial
information of their guests and thus, it should be protected in such ways
that even accessing, transferring or making copies shouldn’t be possible
without authorisation. To achieve this, hotels can start with ensuring that
their technology partners provide their services as per updated security
regulations and standard protocols so that their organisation and their
guests are protected always.
When it comes to data security breaches, all categories of accommodation,
whether high-end, budget, standalone or boutique, are equally at risk
from cyber and data security threats. High-end hotel brands are already
gearing up to secure their operations; however, budget, standalone and
boutique hotels need to up their game, asserted Prashanth.
Currently, most data protection measures in hotels are very basic,
from firewalls to physical security checks and do not focus much on
cyber-security. IT security solutions at hotels are still at a nascent stage,
since data exchange is largely unorganised. “However, due to the
demonetisation, hospitality organisations will need to step up their game
as we are already seeing an exponential increase in digital payments,
either through third-party vendor sites or direct payment portals. This
will always remain a potential risk to the business and to their guests if
data is not secured as it travels. Typically, hotels have always looked at
IT and cyber-security as firewall investments. However, lately, high-end
hotel brands are looking at data security in a more holistic manner and
are seen making the right investments. While they are still far away from
being fully secure, the current signs are positive,” shares Amit Malhotra,
Vice-President-Sales, India, Middle East & Africa, Seclore.
On the customer’s end, findings from the Intel survey indicate that
84% of Indians connect to the internet while on vacation. While doing
so, they often access and share sensitive information without considering
the potential cyber risks of divulging credit card details, work mails
and personal information on unsecured public Wi-Fi. “There is still a
need to raise awareness to adopt safe digital habits and share security
measures to prevent personal information from being compromised
while travelling,” stated Venkat Krishnapur, Head of R&D Operations,
Intel Security’s India Development Centre.
Quick Recommendations by SISA:
- Review all accounts with administrative access for password
complexity.
- Check your firewall logs, remote connection logs or Windows
Security Event Logs for successful logins from foreign IP
addresses.
- Regularly check POS systems for physical tampering.
- Vulnerability Assessment and Penetration Testing (VA-PT)
for both Network and Application layer on a quarterly basis
through recognised Information Security Companies or
CERT-In Empanelled Auditors.
- Ensure Security Risk Assessment has been conducted
following ISO 27005 or OCTAVE methodology.
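
The log review recommended above (successful logins from unexpected addresses) can be scripted. The sketch below is an added example, not code from SISA or this article; it assumes a CSV export of the Windows Security log with the column names shown, an allowlist of expected networks standing in for "not foreign", and constructed sample rows.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: networks from which remote logins are expected (hotel LAN, IT vendor).
EXPECTED_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.20.0.0/16", "198.51.100.0/24")]
# Event ID 4624 = successful logon, 4625 = failed logon.
# LogonType 10 = RemoteInteractive (e.g. RDP), 3 = network logon.
REMOTE_LOGON_TYPES = {"3", "10"}

# Constructed sample export, oldest event first (column names are assumptions).
SAMPLE_CSV = """\
TimeCreated,EventID,LogonType,TargetUserName,IpAddress,Computer
2017-05-10T01:58:11,4625,10,posadmin,203.0.113.45,POS-FRONTDESK-01
2017-05-10T01:58:40,4625,10,posadmin,203.0.113.45,POS-FRONTDESK-01
2017-05-10T02:14:07,4624,10,posadmin,203.0.113.45,POS-FRONTDESK-01
2017-05-10T08:30:00,4624,10,itsupport,198.51.100.17,POS-FRONTDESK-01
2017-05-10T09:02:33,4624,2,frontdesk,-,POS-FRONTDESK-01
2017-05-10T09:15:12,4624,3,backupsvc,10.20.4.9,PMS-SERVER-01
"""

def is_unexpected(ip_text):
    """True when the source parses as an IP outside every expected network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # "-" or blank: local logon, no remote source recorded
    return not ip.is_loopback and not any(ip in net for net in EXPECTED_NETWORKS)

def find_unexpected_logins(csv_text):
    """Successful remote logons from unexpected IPs, with prior failures per IP."""
    failures = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["IpAddress"]
        if row["EventID"] == "4625":
            failures[ip] += 1  # failed attempts seen so far from this source
        elif (row["EventID"] == "4624" and is_unexpected(ip)
              and row["LogonType"] in REMOTE_LOGON_TYPES):
            findings.append({"time": row["TimeCreated"], "host": row["Computer"],
                             "user": row["TargetUserName"], "source_ip": ip,
                             "prior_failures": failures[ip]})
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_logins(SAMPLE_CSV):
        print(finding)
```

A finding with a non-zero `prior_failures` count is the pattern to prioritise, since it pairs an unexpected source with password guessing against a remotely administered system.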
INTEL SECURITY FINDS
- Indians are far ahead of global peers in sharing sensitive
information using public Wi-Fi, which can lead to cyber risks
- A majority of Indians (54%) are not willing to leave their
smartphone at home while on vacation and in fact 69% claim
to have felt a sense of anxiety over being unplugged
- 31% of Indians who travel access or share sensitive information
while using public Wi-Fi, which is the highest amongst the 14
countries surveyed
- Indians lead their global counterparts in willingly sharing
personal information such as credit card number or log in
name/password. More than one out of three Indians (36%)
shared their personal data even when they realise that this
will make them vulnerable, which is highest amongst the 14
countries surveyed
- 37% of Indians could not last a day on vacation without
checking social media. This is second only to Japan (45%)
when compared globally
SAFEGUARDING
IT maturity is good within the hotel industry, and the importance being
given to IT, and subsequently to security, is above average in the
hospitality industry, agrees Bhatnagar. The hospitality industry has
obviously seen a drastic rise in awareness, participating proactively by
initiating several compliance initiatives for securing the card data
environment by following industry best security practices and security
standards.
Bhatnagar goes on to add that if hotel brands think that they are
immune from cyber-attacks then they are wrong. Even companies with
mature security programs can be breached. The threat landscape is
increasingly dangerous and alarming. The IT security models followed across
the industry have multiple layers of protection and each layer serves a
purpose that is intended to safeguard sensitive business and customer data.
Data-centric
security is evolving rapidly and allows organisations to overcome the
disconnect between IT security and the objectives of business strategy
by relating security services directly to the data they discreetly protect.
Safeguarding is also significant as a data breach would have a long-term
impact on brand reputation, customer trust and guest loyalty. When a
hotel brand is able to demonstrate a reduced risk of data theft, more
guests will trust the brand. As more satisfied guests
translate into more business and enhanced revenues, hotel brands
should focus on protecting sensitive business and guest credit card and
payment card data, he states.
Malhotra too agrees that hospitality brands cannot afford to store
sensitive data haphazardly without proper protection. When people
choose to stay at a certain hotel, they trust the hotel with these personal
details. In today’s disruptive marketplace, hotels can no longer depend
on ‘legacy trust’ that has been built over years of being in the business.
Today, it is about building new trust constantly, at every given point and
channel of engagement. This is the ‘new normal’ in the world of travel
and hospitality, he outlines.
akansha.pandey@saffronsynergies.in
