By Nicole Di Tomasso
As technology becomes more advanced, so does cybercrime. As a result, hospitality businesses need to take a fresh look at their cybersecurity measures.
The hospitality industry is one of the most vulnerable industries to cyber-attacks for several reasons. First, hospitality businesses collect, process and store a large amount personal information about their customers and employees. Second, the adoption of mobile and contactless technologies creates additional opportunities for attackers. Lastly, without the challenge of a global pandemic, the industry is generally slow to adopt new security measures, leaving it vulnerable to emerging threats and scams.
According to the Cybersecurity Annual Research Report 2022 commissioned by Rackspace Technology and conducted by Coleman Parkes Research, more than half (56 per cent) of hospitality IT leaders cited cybersecurity as one of their C-suite’s top three business concerns, ahead of issues such as inflation (52 per cent), hiring and retaining talent (48 per cent) and supply chain/logistics management (50 per cent). However, less than half (37 per cent) of hospitality professionals said they’re fully prepared to respond to cybersecurity attacks.
Top threats include phishing attacks, which are often delivered via email spam or text message in an attempt to trick individuals into giving away sensitive information or login credentials; ransomware, which takes information and certain systems hostage to gain financially from those who pay to free the data; DDoS (distributed denial-of-service), where regular items, such as sprinkler systems or security cameras can be hijacked; POS (point-of-sale) attacks, where customers’ credit-card details are stolen; and DarkHotel hacking, where cyber criminals use a hotel’s Wi-Fi to target business travellers.
Recently, Hyatt Hotels increased its investment in cybersecurity to safeguard its systems. “Hyatt manages and mitigates cybersecurity and privacy risks through a number of solutions,” says Benjamin Vaughan, Chief Information Security Officer, Hyatt. “Some recent examples include testing Yubikey technology [from Yubico] for hotel colleagues at a limited number of properties across Canada and the U.S. Hyatt also works with HackerOne on a public Bug Bounty Program in an effort to proactively identify issues in our systems. To date, Hyatt has paid out more than USD $700,000 in bounties to security researchers around the world.”
Headquartered in Stockholm, Sweden and Santa Clara, Calif., Yubico’s solutions enable passwordless logins using the most secure form of passkey technology to prevent phishing attacks, streamline employee authentication and improve the guest experience.
“Passwords are a flawed technology because they rely on a symmetric secret,” says Derek Hanson, VP of Standards and Alliances at Yubico. “The server has a copy of the password and [the employee] needs to have a copy of the password. This scenario is problematic because no one can prove that the person who possesses a password is the person that’s supposed to be logging in.”
Previously, Hyatt was using mobile-based MFA, with one-time passwords (OTP) sent via SMS messages to authenticate to apps or re-authenticate at random intervals. However, the high volume of prompts conditioned users to hit approve for every prompt. Now, Hyatt has provided front-of-house employees with the YubiKey 5 NFC (USD $50) to support portable tap-and-go authentication and call centre and back-of-house employees with the YubiKey 5C Nano (USD $60).
“The YubiKey is assigned to an individual user,” says Hanson. “It’s similar to the experience you’d have using a debit card to take cash out of an ATM. There’s a device and a PIN that securely unlocks access to your accounts. Once a device receives a PIN, the YubiKey can be removed and employees can go about their day. Rather than pulling out a mobile device, nobody is going to think twice about an employee plugging a key into a computer from a customer standpoint.”
When it comes to selecting the right YubiKey, Hanson says it depends on organizational requirements and the technology already in use. And, from a security perspective, Yubico doesn’t support updates to its firmware to ensure the updating process can’t be abused.
“YubiKeys are designed with no moving parts. They have an indeterminate amount of life,” says Hanson. “To help organizations who want to refresh their tokens, we’ve launched subscription models for enterprises to make sure their users have the latest and greatest features,” adding that new versions of firmware are something the company continuously looks at updating according to customer needs. Furthermore, the company has started to look at tying the YubiKey to shift work where employees can store the keys in lockers onsite.
Hanson continues, “It’s not often that [hospitality] businesses can deploy a piece of technology that improves security, usability and customer experience at the same time without draining budget and resources. Building phishing-resistant user accounts should be at the top of every IT executive’s wish list for 2024.”