Advice to Hoteliers: Protect Customer Data, Brand Rep Through Strong Cybersecurity

BOSTON—Did you know? Nearly half of guests say their trust in a hotel’s cyber defense influences whether they will book a stay with them, according to a report.

In June of this year, Morphisec found that FIN8, the financially motivated cybercrime group most known for targeting the retail industry, was actively targeting point-of-sale (POS) systems within hospitality companies in the U.S. and abroad.

“These crafty cybercrime groups, which also include FIN6 and Carbanak, are a huge threat to hoteliers and the valuable credit card details and other personal information stored within their POS systems,” said Andrew Homer, VP of security strategy, Morphisec.

POS systems are a weak security point for most networks and are often not patched or are irregularly updated.

“Groups like FIN8 are taking advantage of the fact that POS systems can also be difficult to secure with anything but the most basic protection tools, as many security products are resource-intensive and slow down performance. But since these groups are able to buy POS malware kits on the cybercrime underground, even the less skillful hackers can do severe damage,” said Homer. “Even though PCI DSS compliance is compulsory for any organization handling cardholder data, this doesn’t mean data is secure as POS attacks are engineered to evade these solutions. Security teams need to consider additional steps and technologies to mitigate risk and prevent the possibility of brand-damaging breaches.”

Morphisec provides a threat protection platform to hospitality companies to prevent advanced cyberattacks that traditional antivirus tools do not detect. According to Homer, these are the most dangerous types of attacks, such as ransomware, file-less attacks and remote access trojans (RATs), which can cause long-lasting damage to businesses.

“The Morphisec platform includes endpoint protection of the computers that hospitality employees use every day, as well as cloud workload, server and even point-of-sale protection. We understand how severe the ramifications of attacks are, so we offer an entirely different, proactive approach to thwarting unknown threats aimed at all of these entry points,” he said. “Rather than trying to detect threats that are increasingly difficult to identify, our moving target defense approach morphs the mission-critical memory on hospitality company networks to make it impossible to find for attackers.”

More than 22 million U.S. travelers self-report as being the victim of a cyberattack through their business with hotels, while almost 70% don’t trust that hotels invest enough in cybersecurity, according to findings in the Morphisec 2019 Hospitality Guest Threat Index.

“It’s no surprise that a huge percentage of travelers think about these issues when booking a hotel stay,” he said. “What this ultimately ties back to for hoteliers is brand reputation and brand value. So, for instance, the penalty inflicted on Marriott for their breach is actually only a fraction of the billions of dollars they’re projected to lose when you take into account how travelers’ perceptions of the company will change. It’s important for hospitality companies, and specifically chief information security officers, to invest not only in their cybersecurity defenses, but in their employees.”

As a result of the hospitality industry’s high turnover rate, Homer believes hoteliers should ensure that they have strong training programs in place to educate staff on the ways bad actors can enter into the organization—whether it’s through phishing scams, adware, malware or social engineering.

“Get rid of default passwords and make sure every staff member has their own login,” he said. “Patch software regularly and keep security solutions up to date. Consider new, innovative prevention technologies that can stop advanced attacks but are lightweight enough for POS terminals. Ultimately, the best way hoteliers can protect their customer data—and their brand reputation—is to build a strong, proactive cybersecurity posture.”

Morphisec’s platform is now safeguarding nearly four million endpoints globally.

“However, as hoteliers look to broaden the hospitality experience, automate at scale and use transformative technologies for digital consumer engagement, they’re also moving their operations to the cloud for better scalability as well as the opportunity to reduce costs,” he said. “It’s important that hotels also protect their cloud workload from bad actors. Morphisec recently achieved Amazon Web Services (AWS) security competency status for cloud server workload protection. This means that Morphisec can now add an additional layer of protection to hospitality companies using AWS cloud infrastructure.”

Morphisec protects cloud workloads by adding a dedicated memory defense layer that prevents advanced and file-less attacks from ever gaining a foothold—without slowing down operations.

“Traditional security tools are often both ineffective and unsuitable for cloud workloads,” he said. “Because of this many businesses use either end-user designed products for their workload protection or deploy without runtime protection at all, placing data and applications at risk. File-less attacks that leverage vulnerabilities in whitelisted applications pose a particular danger.”

Morphisec’s report also illustrated that attackers are increasingly targeting weakly defended point-of-sale systems as an entry point into the broader organizational network for hospitality companies.

“With many POS devices in the hospitality industry still running on Windows 7 or even Windows XP-based embedded operating systems, they are increasingly vulnerable, and cybercrime groups are taking notice. In addition to FIN8 targeting hospitality POS networks, Morphisec has tracked both FIN6 and FIN7 targeting this weak link,” he said. “They are aided in their efforts by the fact that legacy antivirus is ineffective and many newer tools are too heavy to run on POS systems. Today’s advanced attacks use multiple techniques to avoid detection—such as hijacking legitimate system resources to perform malicious actions—and can easily get malware past outdated and rudimentary POS defenses that aren’t equipped with advanced threat defenses. POS malware is really a broader definition for an ever-expanding number of memory-scraper Trojans that are designed to scan for, grab and exfiltrate guest credit and debit card data from the endpoints that process and store it. Cybercriminals easily cash in this valuable information through dark web markets.”