As the recent British Airways breach shows, cyber security is a constant and ongoing challenge, and all staff should be educated. Pamela Whitby reports

Back in 2015, Classic Hotels & Resorts was looking to make the most of the annual Super Bowl championship between the Seahawks and New England Patriots. Ahead of the event, Esteban Velez, who is VP of information technology & cyber security at the $200m chain, which has six hotels, worked with the US Department of Homeland Security to stage an attack on the hotel’s network. The idea was to test whether its security procedure stacked up, and whether staff were well prepared.

“I didn’t tell anybody that they [homeland security] were present, but they were physically on the property,” says Velez, who will be speaking at EyeforTravel North America.

What he didn’t bargain for was homeland security being able to hack into the hotel’s network, and with the help of the hotel’s staff!

“By nature, hoteliers are people pleasers and so everybody at the front desk went out of their way to help – even to the point of moving a desk and helping the ‘attackers’ to plug into a wall,” Velez says.

A lot of businesses, still don’t respect IT enough until something happens

Since then, what led that to happen has been addressed but the cyber security challenges that hotels face remain a constant battle, with attacks happening daily.

In fact, Velez isn’t surprised by the recent British Airways’ security breach, in which the credit card details of 380,000 customers were compromised. From his experience the bigger the name the bigger the threat; prior to joining Classic Hotels & Resorts, Velez spent 14 years at Starwood, which as a global company was, he says, “constantly being breached”.

From phishing attacks to hoax phone calls trying to sell you something you don’t actually need (like toner for all the printers spread across Classic Hotels’ 742 acres) to thieves in smart suits physically entering a property, the threats keep coming, and are evolving rapidly.

So, what are the lessons from the BA attack?

Keith Dewey, a UK-based cyber security and data expert says BA has set a good example by moving quickly to report the breach. “It has also been clear on what has been compromised (dates; payment cards and so on), and they’ve offered to compensate for losses,” he says.

Velez, meanwhile, sees it as another wake up call and one to learn from; and he hopes others will too. “A lot of businesses,” he says, “still don’t respect IT enough until something happens”.

So, against the backdrop of the recent BA breach, here is some advice:

• Ensure that you have right security in place and keep testing

This includes email filters, spam guards, antivirus programmes and so on.

Phishing attacks are one of the common ways that criminals gain access to passwords and other confidential information. A fake email, purporting to be from a bona fide organisation, tricks people into opening a malware-containing attachment, or a malicious link that solicits passwords.

“Once a user opens that and enters credentials, any attacker out there can use those to break into the network and get that data out on the dark web,” says Velez.

At Classic Hotels, the group regularly runs phishing attacks on its staff, as “just by being human, users are our largest gateway to challenges”.

However, not everybody agrees that conducting mock phishing attacks on employees is the way to go; this article in New Statesman argues that it can, for example, harm productivity and destroy trust.

But Velez disagrees: “Organisations must test users, so they can learn, just as if they were taking a safety exam or [learning about] OSHA (occupational safety and health administration).”

However, prior to launching a phishing attack Classic Hotels utilises mandatory online training with two partners namely compliance and GDPR firm Venza, and Knowbe4, a cyber-security training expert.

Once compliance training is 90 to 100% complete, Knowbe4 and Venza wait around week before sending out phishing attacks to all users to gauge if the training has been effective.

According to Venza, this approach has paid off: “When I started originally we did a random phishing campaign with Knowbe4 and we were at a high rate of clicks and users entering passwords. After revamping our systems and virtualising, and creating backup solutions over a two-year period, our IT team has brought the average click rate of phishing links in emails from a high rate of clicks to almost zero.”

Velez’ eight-strong IT team is always on the look out for new tools. Although they have chopped and changed with antivirus programmes, he says he has now stuck with Comodo for two years in a row. The group also uses Mimecast, which has a database of known threats, to filter out emails.

•  Don’t be complacent

New threats are appearing all the time. Dewey explains that emerging fraud trends include the rise of Ransomware, in particular one coined Dharma, whereby attackers claim to have encrypted computers, and are calling for a ransom paid in Bitcoins. Meanwhile, there are a growing number of ‘sextortion’ campaigns claiming to have hacked a person doing ‘dodgy’ things on a webcam. Particularly prevalent is the practice of ‘Vishing’, which involves cold callers posing as bank anti-fraud teams.

Velez also sees a rise in “brave and brazen” social engineering attacks, whereby employees are deceived through the use of believable tactics. Completely plausible emails from somebody purporting to be the GM are a common occurrence, says Velez. One recent example read: ‘Hi there, I need 800 apple ID cards (at $300 a piece), and I need them for a group coming in-house. I need you to scratch off the panel and send me all the codes”.

• Educate and train

From the front desk to the cleaners to senior management, Velez cannot stress enough that everybody across the business needs to get IT. And, not only do you need to educate staff, you need to educate their families.

“I offer staff a link for home to teach their kids, because this isn’t going away,” he says.

As Dewey points out, everybody needs to protect themselves by checking bank statements regularly, avoiding less ‘mainstream websites’ and considering the use of tokenized mechanisms like Paypal until the banking system moves away from static card data.

• Understand your third parties

“You’re only as safe as your partners and right now I don’t trust anybody,” says Velez.

One of the challenges is that many hotel software vendors, and database management companies have not moved to become PCI compliant. The now discontinued FoxPro, is one example, and was used by Classic Hotels. As Velez explains, FoxPro hadn’t been supported by Microsoft since 2014 and required a complete overhaul, but that was going to cost the business hundreds of thousands of dollars. Although the chain no longer uses FoxPro, Velez says that not only are companies held hostage by criminals seeking ransom payments, they are also held hostage by partners. “If you have 50 different programmes from different suppliers and just one piece is broken that leaves us vulnerable,” he says.

To make matters worse, unprepared firms often want compliant partners to shoulder the financial burden. “But they should have been incrementally planning and building that into their service fees so that they could upgrade their systems,” Velez complains.

For this reason, Velez is exploring the possibilities for DevOps, a software engineering culture and practice, which aims to unify software development and operations, and blockchain, with Chinese tech-firm Lenovo. “That’s looking good to me, as we are able to secure the database and evolve it as we want,” he says.

• Listen, take advice

“As I sit in meetings, and meet with my team and with other people with experience, I listen to everything. Because I don’t know everything,” Velez says.

One hard lesson is that cyber security is not the only thing that IT teams must contend with; there are also physical threats like weather. Velez points to a casino down the road that has been closed for two months, and will be closed for another two because a storm flooded the IT room. “There were no back-ups, so no chance of a restore. How do you recover from that? All the guests were kicked out in the middle of the storm, but now they have no way of reconnecting. That’s ground zero,” he says.

Events like this are also something hotels need to pay attention to. Velez says brands need to distinguish between disaster recovery (how do I fix it) and contingency (what you actually do during an outage). This is something that he has learnt on the job, and he continues to learn.

In such a fast changing environment, where attacks can costs hundreds of thousands of dollars and make or break your business, listening and learning is probably the best advice of all.

To hear more advice from Esteban Velez, VP Information Technology & Cyber Security, Classic Hotels & Resorts, join us at EyeforTravel North America (October 18-19)