Deep CyberSecurity Hacking, Analysis and Solution in Hospitality Industry


An E2E hospitality Cybersecurity solutions - architecture, attacks/threats, and defense development for the upcoming 2021/2022 at all layers, followed by ISO27001, GDPR, and CIS V7.1 Standards Compliances

Deep CyberSecurity Hacking, Analysis and Solution in Hospitality Industry – Protecting all layers Privacy and Vulnerability followed by GDPR, CIS V7.1, ISO27001 compliances.
Eylon Raz, CTO; eylon@secure-stay.com

Abstract
This review aims to emphasize the importance of cybersecurity in the hospitality industry, followed by GDPR, CIS v7.1, and ISO27001 compliances. This study further identifies and analyzes the urgency, needs, and several common network threats, and recommends applicable security practices and techniques to prevent cyber-attacks in hotels at all layers: Data -> Application -> End-Points -> LAN -> Perimeter -> WAN -> Cloud. The methodology of this article is a unique combination of a qualitative method and a review method for an in-depth understanding of real-life issues within the industry and the most recent technical and practical solutions that hotels use to handle and solve these issues. The findings of this paper show that the techniques currently utilized by hotels to prevent cyber-attacks are mostly rudimentary and outdated.
Furthermore, it indicates that most hotel staff lack the knowledge and expertise to handle potential threats. Thus, the hospitality industry becomes even more vulnerable to cyber threats and attacks. Finally, the paper discusses some implications and recommendations to hotel policymakers to help secure the hotels and guests’ information from security attacks.

This analysis is a rich source of information for Information Technology (IT) directors and Chief Information Officers (CISO) to advance their policies and procedures for security and data in hotels using the most recent and updated information available in the hospitality industry.

Secure Hospitality Data - https://secure-stay.com/



Introduction
Data privacy and cybersecurity needs in the hospitality industry are taking the form of a data hub, driven by increasing transaction volumes, complex reporting requirements, e-marketing, and international communication needs. Information technology (IT) can improve almost all areas of the hospitality industry, such as guest services, reservations, room and data access, sales, services, maintenance, security, and accounting. More recently, the internet of things (IoT) is shaping the future of the hospitality management industry by opening up new avenues for immediate, personalized, and localized services. For example, in-room IoT units like an electrical key for room access, in-TV cameras, and motion sensors can penetrate customers’ privacy. Moreover, edge/fog computing can be utilized to provide location-based services for the hospitality industry. Although technology incorporation in the hospitality industry has transformed the way services are provided and received and has helped improve guest experiences, it has also given rise to various challenges, among which ensuring the cybersecurity of these incorporated technologies in the hospitality industry is of paramount significance.
The use of technology in the hospitality industry often requires gathering guest information and thus can lead to data breaches and information loss. To prevent losses, organizations monitor their computer networks for many security threats, such as computer-assisted fraud, espionage, sabotage, hacking, system failures, fire, flood, etc. Since the hospitality industry is a data hub, a consumer-centric business where consumer loyalty and trust directly translate to revenue, most hospitality organizations try not to reveal data breaches and cyber-attacks against their computer systems, in order to retain public trust and to prevent copycat hackers from hacking into their systems.

Research Purpose and Research Questions
The purpose of this paper is to explore the significance of cybersecurity in the hospitality industry and the way of meeting standard cybersecurity compliances (GDPR, CIS V7.1, ISO 27001, etc.). This could be enabled by identifying and analyzing data privacy upon all layers as well as threat assessments, and by recommending useful security practices and techniques to prevent cyber-attacks.
The following research questions were created to be answered by this study:
1. What methods, standards, compliances, tools, and techniques are currently used in hotels regarding data privacy and security?
2. What are the current threats and the ways of handling security attacks at all layers (Data, Application, end-points, LAN, perimeter, WAN, cloud) in the hospitality industry?
3. What is the importance of network security in hotels?
4. Which actions do hotels need to take in order to secure their websites for data and financial transactions privacy?
5. What are the actions/steps that hoteliers need to take, and what areas need to be covered to keep their guests’ data private and secure?
The remainder of this paper is organized as follows. Section 1 provides an in-depth background review of cybersecurity issues in the hospitality industry. Section 2 outlines the hotel security – main data assets to protect. Section 3 details the most common compliances that the hospitality industries need to meet to keep away hackers and meet the world’s best protection practices. The Practical Steps How Hoteliers Can Improve Privacy and Data Protection, which are the findings and results of this paper, are presented in Section 4. Section 5 concludes this study and provides recommendations for the hospitality industry to help secure hotels and customers’ data from potential security attacks.

1. Background and Literature Review

1.1 Hotels industry in review – segments, key players, and annual revenues
The hotel industry provides short-term lodging, such as hotels and motels, as well as accommodation-related services. It is divided into two main types of companies: C-corporation hotels and hotel real estate investment trusts (REITs)[1]. C-corp hotels offer hotel management, branding and marketing, and franchise licensing, while hotel REITs focus on the acquisition, ownership, and operation of hotel real estate. The table below includes both types.

Company                                   Revenue (billion $)  Net Income (million $)  Market Cap (billion $)  1-Year Trailing Total Return (%)  Exchange
----------------------------------------  -------------------  ----------------------  ----------------------  --------------------------------  --------
Marriott International Inc. (MAR)         10.6                 267                     49.4                    114.8                             NASDAQ
Hilton Worldwide Holdings Inc. (HLT)      4.3                  715                     35.2                    98.5                              NYSE
InterContinental Hotels Group PLC (IHG)   2.4                  260                     13.1                    80.6                              NYSE
Hyatt Hotels Corp. (H)                    2.1                  703                     8.7                     85.4                              NYSE
Host Hotels & Resorts Inc. (HST)          1.6                  732                     12.2                    66.3                              NASDAQ
Huazhu Group Ltd. (HTHT)                  1.5                  307.7                   18.2                    94.3                              NASDAQ
Wyndham Hotels & Resorts Inc. (WH)        1.3                  132                     6.8                     145.3                             NYSE
Service Properties Trust (SVC)            1.3                  311.4                   2                       162.6                             NASDAQ
Extended Stay America Inc. (STAY)         1                    23.3                    3.5                     192.7                             NASDAQ
Park Hotels & Resorts Inc. (PK)           0.852                -1400                   5.2                     203.5                             NYSE
Total                                     27

According to Research and Markets, the world’s largest market research store[2], the global hospitality market is expected to grow from $3486.77 billion in 2020 to $4132.5 billion in 2021 at a compound annual growth rate (CAGR) of 18.5%, and is expected to reach $5297.78 billion in 2025, which means that the growth across all segments of the hospitality industry is at a CAGR of 6%.

1.2 A Hotel is Under Cyberattack
The threat of cybercrime and data breaches has never been so prominent. By 2021, damages related to cybercrime are set to hit $6 trillion, according to Cybersecurity Ventures. In the hospitality industry, hotel cybersecurity is a matter that shouldn’t be taken lightly. That’s because security experts now estimate that cyberattacks cost businesses $1.6 million to recover. And what’s scarier: in 2019, the average time it took to identify a breach was 7 months, according to IBM [3].
A study by IntSights [4] found that in the past three years, the hospitality industry has had 13 “notable data breaches”. They also looked into the dark web hacker forums (a section of the internet that isn’t visible to search engines and requires an anonymizing browser to access) and revealed that Hilton had a 31% share of mentions, followed by Marriott at 28% and IHG at 19%.
But why are hotels particularly vulnerable to these attacks? IntSights believes this is because of the volume of financial transactions that hotels carry out, the use of loyalty programs, their databases of sensitive personal data and, finally, their national and international spread.
Put plainly, the bigger the organization, the more of a target it becomes for hackers due to the volume of information held. And that’s why cybersecurity is so important; protecting your customers’ data should be a primary concern - right alongside safeguarding against COVID-19.[5]
In this day and age, your customers will be more cybersecurity savvy, and this may impact their choice of hotel.
In May 2021, one of the leading hospitality chains reported a hotel cyberattack: an “unauthorized party” got access to the personal information of 150 million customers. Unfortunately, breaches like these are a feature of life in the online age, and cases are rising. Cybercrime costs will grow to $6 trillion by 2021. A business becomes a cybercrime victim every 40 seconds. There are more than 170 million malware incidents per year. Earlier, hotel management reported receiving a notification from an internal security tool specifying that someone had attempted to connect to the hotel guest reservation database. The unauthorized party had copied and encrypted guests’ information, including passwords, e-mail addresses, departure/arrival dates, and passport information. Unfortunately, this breach was only detected after the fact. The typical time to detect a data breach is over 8.5 months.
Hospitality industries plan to put more resources into security.
There are several reasons why hospitality organizations have a more challenging time securing their assets than similarly sized businesses in different sectors.[6]
Hospitality industries have extensive networks. A hospitality firm has several end-points, plenty of them located in publicly accessible areas. They also use various automated systems for functions like venting and heating, which are just another entry point for attackers. Most hospitality businesses have large guest databases that are regularly accessed directly by a booking system by requirement. Any compromise of the reservation system will place the database in danger.


Hackers also, as clients, might be on-site too - Both airlines and hotels have clients on-site constantly, providing attackers the chance to get direct access to entry points. Many offer free Wi-Fi services, together with Wi-Fi for company and employee usage. There is nothing ”wrong” with this. However, it needs additional layers of safety to make sure no unauthorized access is permitted to sensitive areas of a network.
1. Staff churn. When you have high personnel numbers and high churn, it becomes challenging to guarantee that staff members are accurately trained to handle cyber threats. Worse, it is common practice in the hospitality sector to utilize group e-mail accounts (e.g., Reception, Client Services, etc.), which are shared among constantly changing staff members. This makes proper password change procedures impossible. It is no wonder that credentials for these accounts are often leaked via the dark web.
2. Franchising. Franchising is normal in the hospitality sector — especially for resorts — and franchise owners take responsibility for safety. Most franchise owners do not always take the appropriate precautions to protect sensitive assets and have minimal comprehension of cyber danger.
3. Third-party risk. Hospitality companies have significant ecosystems, including a variety of technology suppliers and partners. Possession or the transfer of digital assets or information may open hospitality businesses up to a considerable amount of risk. It can be tricky to discover the risk profile of a third party – significantly since every company’s profile will change over time, and lots of businesses in the hospitality sector don’t have a proper way to measure how much risk they’re accepting when picking and building connections with third parties.

Why is it essential?
According to statistics from the hospitality industry, the average number of rooms per hotel in Europe in 2019 was sixty-two. With the occupancy rate for the same period at around 72%, it’s easy to see why hotels would be a prime target for hackers. The sheer volume of people going in and out daily, and more importantly, the amount of credit card transactions being processed around the clock every single day of the year, make for a much bigger pay-day for the successful hacker. Combine that with the amount of personal data involved in hotel stays, and a successful hacker could potentially get access to credit card details, passport or ID numbers, and addresses. That could result in not only fraudulent credit card transactions but identity theft as well, the effects of which are almost impossible to assess.
We live in what has effectively become a cashless society. Compared to the norm from even a few years ago, today’s consumers are much more likely to make all their transactions via a credit card or an app on their smartphone. Even the process has changed. You don’t even need a PIN confirmation for small purchases anymore, as contactless payments have become such a normal part of our life.
Our life has become much more connected. But, unfortunately, all that connectivity gives hackers an almost limitless number of access points to attack, including Wi-Fi, Bluetooth, LANs, Cloud, hotel security cameras, check-in and check-out systems, hotel POS systems, and more. Every single one of these could be an entry point for a hacker.
People go on holiday to relax. Hotel guests will probably not be at their most diligent. Even security-savvy individuals will likely let their guard down a bit when on holiday, and that creates a particularly tempting target for hackers.
It starts with the fact that the vast majority of room bookings tend to be for short-stay visitors, who, typically, will use credit cards for the bulk of their charges and use the hotel’s Wi-Fi extensively.[7]
1. We are rapidly moving to a cashless society - Most people carry more and more information on their mobile devices. That could be banking or other financial information, including credit card numbers, and personal information, including sensitive identity information such as passport or ID copies.
2. Guests connecting to your hotel network are potentially opening themselves up to what could be a severe privacy breach - If your hotel Wi-Fi isn’t secure, guests accessing their data over the network or even just using their mobile phones could be exposing their data to any hacker with access to your systems. If your hotel cybersecurity isn’t up to the job, your guest data is at risk.
3. The problem with hotel Wi-Fi or any hotel system, for that matter, is that it has to be secure while still being accessible for your guests to connect to and use - How many complaints would your front-office desk get if you made your guests use sixty-four-character passwords, for example? Your booking.com and Agoda reviews probably would not be glowing! Never mind that hotel guests are usually too busy enjoying their holiday to pay any attention to extra security steps.


4. All of the sub-systems link to the hotel network - Booking and reservation systems, POS in restaurants, coffee shops, bars, etc., so the systems’ security will only ever be as strong as the weakest link.

2. Hotel security – main data assets to protect.
Even when hotels have robust security policies and procedures in place, [8] they’re still vulnerable to cyber-attacks, fraud, theft, and other crimes. When guests check in, they are probably worried about sightseeing or making meetings. Security should not be on their minds during or after their trip.
Technology is currently changing, improving, and easing the traveling experience. However, to keep the hotel’s cybersecurity permanently up to date, you must stay aware of what is happening and track the changes.[9]
1. Facial Recognition System
The main challenge for hotel managers and many others within the hospitality sector looking to implement facial recognition is balancing the benefits with privacy for clients. Indeed, a lot of customers have worries about facial recognition due to the simple fact that it means more information about them being gathered and stored by hotels.
2. Payment system encryption
The payment transactions must be end-to-end encrypted. The number of a credit card will never appear in the hotel installations, and the only information that travels within the network is scrambled. Encryption always needs an internet connection, and a stable large-scale service must be used to make the reliability of payment methods more probable.
3. Service Automation
Self-service automation plans to put the decision-making procedure in the hands of guests rather than hotel employees. This directly follows tendencies that have been seen across several businesses. Self-service kiosks, online enrollment, and targeted feedback surveys are now starting to take center stage. Nonetheless, this isn’t to say that conventional employees are eliminated from the equation. Their services are rather being strengthened with in-house automation.
4. Guest Apps
Smartphones have taken center stage in daily communications. From chatting with friends to answering e-mails and buying products on the internet, the simple fact is that the ordinary consumer has begun to rely upon these advanced applications. This innovation hasn’t been lost on the hospitality industry. Hotels are now creating their own branded apps so that guests may enjoy a much better way of correspondence and connectivity. Modern apps provide features like virtual payments, 360-degree hotel tours, and instant contact with a concierge.
5. Artificial Intelligence
It may be argued that AI represents the most profound example of how hotel technology is progressing. The main objective of artificial intelligence is to provide guests with a smoother and more streamlined experience throughout their stay. Artificial intelligence plays a profound role in resort technology and, although this technique has only lately entered the mainstream market, its presence grows.
6. Big Data
Big data represents the capacity to collect, interpret, disseminate, and react to essential information for hotels. This is very important for large businesses, which may cater to the requirements of tens of thousands of visitors every month. Through a blend of the information they collect themselves and information available online, hotels can use huge information (big data) that assists them with revenue management strategy, identifying offers that could suit specific travelers or hotel guests.
In summary, technologies are developing, and cybercrime is developing along with them. In order to be able to repel cyber-attacks and offer the best hotel room security, stay up to date with the innovations.

3.

3.1 Hotel Industry under ISO/IEC 27001 compliance
ISO/IEC 27001:2013 (also known as ISO27001) is the international standard for information security. It sets out the specification for an information security management system (ISMS). The information security management system standard’s best-practice approach helps organizations manage their information security by addressing people, processes, and technology. It is the leading international standard focused on information security, published by the International Organization for Standardization (ISO), in partnership with the International Electrotechnical Commission (IEC). Both are leading international organizations that develop international standards. Certification to the ISO 27001 Standard is recognized worldwide to indicate that your ISMS has aligned with information security best practices. Part of the ISO 27000 series of information security standards, ISO 27001 is a framework that helps organizations “establish, implement, operate, monitor, review, maintain and continually improve an ISMS.”
The latest version of the ISO 27001 information security standard was published in September 2013, replacing the 2005 iteration.
What is the purpose of ISO 27001?
ISO 27001 was developed to help organizations of any size or industry protect their information systematically and cost-effectively through adopting an Information Security Management System (ISMS).
Why is ISO 27001 important to the Hospitality industry?
Not only does the standard provide organizations (either hotels or companies) with the necessary know-how for protecting their data and their customers/clients’ most valuable information, but a company can also get certified against ISO 27001 and, in this way, prove to its customers and partners that it safeguards their data.
Individuals can also get ISO 27001-certified by attending a course and passing the exam and, in this way, help their organization to be recognized and well protected. In addition, because it is an international standard, ISO 27001 is easily recognized worldwide, increasing business opportunities for organizations and professionals.

What is an ISMS?
An ISMS is a holistic approach to securing the confidentiality, integrity, and availability (CIA) of corporate information assets. It consists of policies, procedures, and other controls involving people, processes, and technology. Informed by regular information security risk assessments, an ISMS is an efficient, risk-based, and technology-neutral approach to keeping your information assets secure.
An Information Security Management System (ISMS) is a set of rules that an organization needs to establish to:
1. Identify stakeholders and their expectations of the company in terms of information security.
2. Identify which risks exist for the information.
3. Define controls (safeguards) and other mitigation methods to meet the identified expectations and handle risks.
4. Set clear objectives on what needs to be achieved with information security.
5. Implement all the controls and other risk treatment methods.
6. Continuously measure if the implemented controls perform as expected.
7. Make a continuous improvement to make the whole ISMS work better.
This set of rules can be written down in the form of policies, procedures, and other types of documents, or it can be in the form of established processes and technologies that are not documented. ISO 27001 defines which documents are required, i.e., which must exist at a minimum.

[Figure: The framework of ISMS Process]

What are the 3 ISMS security objectives?
The basic goal of ISO 27001 is to protect three aspects of information:
- Confidentiality: only authorized persons have the right to access information.


- Integrity: only authorized persons can change the information.
- Availability: the information must be accessible to authorized persons whenever it is needed.

3.2 Hotel Industry under CIS V7.1 compliance
When a guest chooses your hotel, there’s a high volume of trust involved. Clients trust that the bed they’ll be sleeping in and the toilet they’ll be using are clean at a core level. Additionally, they trust that their favorite and private goods are secure inside the hotel and that the hotel room security is at the best level. If they have any reason to doubt these basic requirements, they’d probably stay elsewhere.
In the present technological revolution, an individual may feel that the hospitality sector has entered a golden era. But instead of a futuristic renewal and renaissance, hoteliers are experiencing declining data safety issues.

The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth group of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors, including retail, manufacturing, healthcare, education, government, defense, and others.
We are at a fascinating point in the evolution of what we now call cyber defense. Massive data losses, theft of intellectual property, credit card breaches, identity theft, threats to our privacy, denial of service – these have become a way of life for all of us in cyberspace.
As for defending main organization assets, there is a need to have access to an extraordinary array of security tools and technology, security standards, training and classes, certifications, vulnerability databases, guidance, best practices, catalogs of security controls, and countless security checklists, benchmarks, and recommendations.
So, we have a better understanding of the threat, as there is the emergence of threat information feeds, reports, tools, alert services, standards, and threat sharing frameworks. To top it all off, security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth are required. Thus, there is no shortage of information available to security practitioners on what they should do to secure their infrastructure.
- A family-owned business with ~10 employees may self-classify as IG1;
- A regional organization providing a service may classify itself as IG2; or
- A large corporation with thousands of employees may be labeled IG3.
Most of the hospitality industry, by its nature, is categorized under class IG3, as the daily data and guest traffic and the data sensitivity reach the “thousands” scale. Nevertheless, some are “Small-Mid” size or related to the “Boutique” category and will be under IG2 compliance.

3.2.1 All Layers Security
Most of the attacks described above involve several layers, each of which needs to be protected. Some of the known cyber-threats due to cybersecurity vulnerabilities include:
- Phishing attacks
- Ransomware
- Distributed denial-of-service (DDoS)
- Remote hacking through third-party vendors/point-of-sale malware
- Botnet attacks
- Man-in-the-Middle (MiTM) attacks
- Location tracking and call interception
- More…
To face the daily cyber-attacks and threats at the highest level, there is a need to provide a well-protected infrastructure and environment for all layers:

3.2.2 Layers 1-4: Data 2 Local Area Network (LAN) Security
Data security is among the most challenging tasks for hoteliers. Every year, hotels of all sizes invest a sizable part of their IT security budgets protecting their businesses from hackers intent on accessing information through brute force and exploiting any kind of vulnerability.

3.2.2.1 Data security is a trend for the hotel industry.
Data security is a critical part of cybersecurity. First, breaches will cost millions of dollars, including government fines and loss of reputation. Data protection has countless aspects that protect data at rest, in use, and in movement. Below are several technologies widely used by businesses to safeguard information. But, first, let’s have a quick look at types of data security:

3.2.2.1.2 Data loss prevention
DLP prevents users from transferring sensitive information, and organizations may roll it out as a business security program. DLP technology provides a mechanism to help guard against sensitive information loss – and consequently could be a mitigating element when dealing with compliance agencies in the wake of a data breach. Therefore, DLP has come to be a top IT spending priority.
Data security will remain a vital challenge in the future, but modern cybersecurity companies will always help you stay current.

3.2.2.1.3 Encryption
Among the basic concepts of data security is encryption, as just encrypting sensitive information may go a long way toward meeting privacy and compliance mandates. However, organizations need to choose the encryption algorithm which matches their business security conditions because encryption is not a one-size-fits-all proposition. The most typical encryption – symmetric – entails converting plaintext into ciphertext with the same key for encryption and decryption. Asymmetric encryption uses two interdependent keys, one to encrypt the data and one to decrypt it, as in X.509 security and key management methods.

3.2.2.1.4 Tokenization
Credit card data protection is a priority in hotel cyberattack prevention. Hotels experience challenges in protecting card information. The main problem is the necessity to keep card data for later charges. Storing credit card data should always be avoided.
Hotels must use a card processor that implements a tokenization service. With tokenization, when the hotel transfers credit card data to be authorized, the processor sends back the authorization and a token that can be used for later charges. Even if the token is compromised, it is only useful for transactions between that client and that hotel, so it is secure to store.

3.2.2.1.5 LAN Protection
Wi-Fi is typically a weak link in a hotel’s cybersecurity. There is no isolation between the devices connected to the hotel network, meaning every guest can potentially be exposed to cyber-attacks. Since the Wi-Fi password is visible, hackers could easily gain access, infect the entire network, and spy on the traffic of all the guests. As such, hotel owners should consider an investment into hotel network security to be essential and not an extra cost. The security includes setting up firewalls and WPA2 encryption.

3.2.3 Layers 4-6: Perimeter 2 Wide Area Network (WAN) Security
Intrusion detection systems and intrusion prevention methods (IPS/IDS), together with access control lists (white/blacklists), strengthen a hotel’s security perimeter and lower the possibility of attacks getting through. Meanwhile, security management can monitor malware signatures and prevent them from causing injury.

3.2.3.1 Types of perimeter security systems
1. CCTV Security System

Due to tokenization and encryption, the hotel’s net connection must stay up constantly. No payments could be processed if the web is down. It is necessary to get support to maximize the payment systems’ reliability. Therefore, it is essential to have a dual-WAN or SD-WAN broadband service to optimize the safety of payment systems as well as cloud infrastructure and WAF and DBWAF protections.

3.2.3.3 Addressing vulnerabilities.
At all hotels, the hospitality administration system functions as a central hub for payments. In addition, the point-of-sale systems for restaurants, stores, or other services demand communication paths back to the hospitality system, where protected information is collected. This presents several weak points where a cybercriminal can find their route into the hotel’s storehouse of data. There are two safe ways to keep data protected:
- First, designing the network with company segmentation and particular pinholes between network devices to ease the circulation of information.
- Secondly, there has to be a stateful review of the traffic between segments to detect anything that might be trying to collect data or send it outbound.
Just about any hotel chain has a loyalty platform in which data is stored in the cloud or a data center. It’s strongly suggested to utilize encrypted connectivity between sites to avoid that information being intercepted. These can be in the form of SD-WAN, an MPLS Network, or direct hotel Virtual Private Network connections.

3.3 PCI Compliance and General Data Protection Regulation (GDPR) [11]
Nowadays, hotels store massive amounts of data. Every hospitality brand needs to take steps to protect itself from hackers. Hotels have customer-sensitive information such as credit cards and e-mail
2. Access control systems addresses or personnel information such as
3. Ground Radar Systems employee Social Security numbers and other
4. Local and remote servers details.
5. Mobile devices The European Union’s new General Data Protection
Legislation, called GDPR, requires businesses to
3.2.3.2 End-to-end encryption capture and manage customer data in entirely new
The usage of a payment system that’s end-to-end and intricate ways. It requires that they socialize
encrypted also can help protect the transaction. With with clients based on very specific and time-
that plan, the card number is not present inside the consuming requirements and respect their privacy
POS or hospitality system, and the data that goes rights and freedom. Despite where they’re
across the network is encrypted. Encryption, headquartered, organizations with EU-based
however, requires a link between the two ends so customers or prospects need to comply.
that they can negotiate the encryption key that is Additionally, they must appoint a representative
derived. within the company to assume whole responsibility
for fulfilling GDPR’s many requirements.
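As an added example (not code from the paper or from Secure Stay), the following Python sketch models the tokenization flow of section 3.2.2.1 and the property relied on there: the hotel's PMS stores only a processor-issued token, and a token leaked from one hotel is rejected when presented by another hotel or for another guest. The Processor and HotelPMS classes are hypothetical, and the hotel IDs, guest IDs and card number are constructed sample values.

```python
"""Added example, not from the paper: card tokenization as described in
section 3.2.2.1. The card processor is the only party that sees the PAN;
the hotel stores a random token bound to (hotel, guest). All IDs and the
card number below are constructed sample values."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check: used by the processor to reject malformed card numbers
    and by the audit helper to spot a PAN where only tokens should be."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Processor:
    """Hypothetical card processor with a tokenization service."""

    def __init__(self):
        # token -> (hotel_id, guest_id, pan); this vault never leaves the processor
        self._vault = {}

    def authorize_and_tokenize(self, hotel_id, guest_id, pan, amount):
        """Authorize the first charge and return a token for later charges."""
        if not luhn_valid(pan):
            return {"approved": False, "reason": "invalid card number"}
        # The token is random, not derived from the PAN, so it cannot be reversed.
        token = secrets.token_urlsafe(24)
        self._vault[token] = (hotel_id, guest_id, pan)
        return {"approved": True, "amount": amount, "token": token}

    def charge_token(self, hotel_id, guest_id, token, amount):
        """Charge a stored card by token, but only for the pair it was issued to."""
        entry = self._vault.get(token)
        if entry is None:
            return {"approved": False, "reason": "unknown token"}
        bound_hotel, bound_guest, _pan = entry
        if (bound_hotel, bound_guest) != (hotel_id, guest_id):
            # A token stolen from hotel A is worthless to hotel B or to another guest.
            return {"approved": False, "reason": "token not bound to this hotel/guest"}
        return {"approved": True, "amount": amount}


class HotelPMS:
    """Hypothetical property-management system: it keeps tokens, never PANs."""

    def __init__(self, hotel_id, processor):
        self.hotel_id = hotel_id
        self.processor = processor
        self.guest_tokens = {}   # guest_id -> token

    def check_in(self, guest_id, pan, deposit):
        """Send the PAN once for authorization; keep only the returned token."""
        result = self.processor.authorize_and_tokenize(self.hotel_id, guest_id, pan, deposit)
        if result["approved"]:
            self.guest_tokens[guest_id] = result["token"]
        return result["approved"]

    def later_charge(self, guest_id, amount):
        """Post-stay charge (minibar, damages) using the stored token."""
        token = self.guest_tokens.get(guest_id)
        if token is None:
            return {"approved": False, "reason": "no card on file"}
        return self.processor.charge_token(self.hotel_id, guest_id, token, amount)


def pms_stores_card_data(pms: HotelPMS) -> bool:
    """Audit helper: True if anything the PMS stores looks like a PAN."""
    return any(luhn_valid(v) for v in pms.guest_tokens.values())


if __name__ == "__main__":
    proc = Processor()
    hotel_a = HotelPMS("hotel-a", proc)
    hotel_a.check_in("guest-42", "4111111111111111", 150)       # constructed test PAN
    print(hotel_a.later_charge("guest-42", 35))                   # approved
    stolen = hotel_a.guest_tokens["guest-42"]
    print(proc.charge_token("hotel-b", "guest-42", stolen, 35))  # rejected
```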
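The two measures of section 3.2.3.3 (segmentation with specific pinholes, and a stateful review of inter-segment traffic for data being collected or sent outbound) can be checked against flow records. The following Python example is added here and is not from the paper; the segment address plan, the pinhole table, the volume threshold and the flow lines are all constructed for illustration.

```python
"""Added example, not from the paper: review flow records against the
segmentation policy of 3.2.3.3. Everything below (address plan, pinholes,
threshold, flow lines) is constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed address plan for the hotel's segments.
SEGMENTS = {
    "guest_wifi": ip_network("10.10.0.0/16"),
    "pos":        ip_network("10.20.0.0/24"),
    "pms":        ip_network("10.30.0.0/24"),
    "corporate":  ip_network("10.40.0.0/24"),
    "processor":  ip_network("203.0.113.0/24"),   # card processor (external)
}

# Pinholes: the only (source segment, destination segment, port) flows allowed
# between segments. Anything else crossing a segment boundary is a violation.
PINHOLES = {
    ("pos", "pms", 443),
    ("corporate", "pms", 443),
    ("pms", "processor", 443),
    ("guest_wifi", "internet", 443),
    ("guest_wifi", "internet", 80),
}

# Per-host outbound volume from the PMS segment above which we alert, even on
# an allowed pinhole: a PMS has no business pushing bulk data anywhere.
PMS_EXFIL_BYTES = 5_000_000


def segment_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str):
    """Flow record: '<ts> <src_ip> <dst_ip> <dst_port> <bytes_out>'."""
    ts, src, dst, port, nbytes = line.split()
    return ts, src, dst, int(port), int(nbytes)


def review_flows(lines):
    """Return alert strings for pinhole violations and suspicious PMS egress."""
    alerts = []
    pms_out = defaultdict(int)   # state carried across records: bytes per PMS host
    for line in lines:
        ts, src, dst, port, nbytes = parse_flow(line)
        s, d = segment_of(src), segment_of(dst)
        if s == d:
            continue   # intra-segment traffic does not cross a pinhole
        if (s, d, port) not in PINHOLES:
            alerts.append(f"{ts} DENY {s}->{d}:{port} {src}->{dst}")
            continue
        if s == "pms":
            pms_out[src] += nbytes
            if pms_out[src] > PMS_EXFIL_BYTES:
                alerts.append(f"{ts} EXFIL? {src} sent {pms_out[src]} bytes to {d}")
    return alerts


# Constructed sample flows.
SAMPLE_FLOWS = [
    "2021-09-01T10:00:01 10.20.0.5 10.30.0.10 443 1200",       # POS -> PMS, allowed
    "2021-09-01T10:00:02 10.10.4.7 10.30.0.10 443 300",        # guest Wi-Fi -> PMS, denied
    "2021-09-01T10:00:03 10.30.0.10 203.0.113.7 443 2000",     # PMS -> processor, allowed
    "2021-09-01T10:00:04 10.30.0.10 198.51.100.9 443 900",     # PMS -> internet, denied
    "2021-09-01T10:00:05 10.30.0.10 203.0.113.7 443 6000000",  # PMS bulk egress, flagged
    "2021-09-01T10:00:06 10.10.4.7 198.51.100.9 443 500",      # guest browsing, allowed
]

if __name__ == "__main__":
    for alert in review_flows(SAMPLE_FLOWS):
        print(alert)
```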

- For many companies in the hospitality business, either CIS or PCI compliance is required. You simply cannot expect your visitors to give you their private information without an assurance of safety.
- GDPR, the General Data Protection Regulation, is essentially a law that addresses data privacy and protection for everybody who resides in a member state of the European Union. Essentially, it regulates any type of private data that is exported out of the EU.
- Every internal and external account must be appropriately encrypted. Unfortunately, encryption can be broken too, but encrypted network devices cannot be breached as easily as those without any level of security at all.

3.3.1 Building a cybersecurity culture.
Today a hotel Wi-Fi is a public access network, and employee computers allow access into the cloud database. All of these factors heighten the concern about cybersecurity in the hospitality sector. Despite security measures in place, the hotel network may continue to be vulnerable. The only reliable way to stop cyberattacks at the outset is a holistic strategy that includes both trustworthy technology and cybersecurity awareness. Ensure all your workers are well trained to use hotel software and the web in a secure and responsible way.

3.3.2 Reliable software
If guest information is being saved in the cloud, there is little you can do yourself to keep it secure. Each reputable hospitality software company that provides cloud-based hotel PMS solutions provides 24/7 technical assistance and performs routine software maintenance for your benefit. These firms are maintenance and safety specialists. But you should keep an open dialogue with their technical support and remain informed about their detection and prevention services.

3.3.3 Does this apply to my hotel business located outside the EU?
GDPR applies to information collected and stored on EU citizens, wherever they are in the world. It will have an impact on the whole global hospitality industry.
The hotel market is very vulnerable to information threats on account of the numerous factors of (1) payment, (2) e-mail, (3) internet booking systems and (4) files containing card information. A rather large quantity of charge card transactions occurs daily. Every single guest's information may frequently be saved long-term. Ordinarily, a hotel database may hold guests' names, addresses, dates of birth, credit card information, passport information, etc. This is a good deal of sensitive information that may be used fraudulently. Couple that with information obtained from several sources, such as point-of-sale programs, third-party reservations, e-mails, own-website inquiries, and walk-ins, and hoteliers are a simple target for cyber offenders.

3.3.4 A person's rights and hotel response
It is a hotelier's duty to recognize that information belongs to the guest and to specify a core data security policy. Here are some individual rights under the GDPR and what actions you can take to guarantee compliance:
3.3.4.1 The right to be informed - Clearly describe what data you are collecting, why, and for how long.
3.3.4.2 The right to access and modify data - Give access to personal data promptly, in a simple format, and edit on request.
3.3.4.3 The right to data deletion - Weigh the individual's rights against the public interest when receiving a deletion request and delete where relevant.
3.3.4.4 Hotelier's steps to action - Hoteliers need to initiate action immediately to support data security and avoid the risk of breaches.
3.3.4.5 Be Clear and Transparent
3.3.4.5.1 All data collection must meet GDPR conditions.
3.3.4.5.2 Collect the minimum amount of data demanded by that purpose.
3.3.4.5.3 The user must be notified of the purpose of data collection and the time of processing.
3.3.4.5.4 Only use the data for that allowed purpose.
3.3.4.5.5 Store data for a restricted period and then delete it.
3.3.4.5.6 Data must be kept with appropriate security, which includes protection against illegal processing or accidental loss.
3.3.4.5.7 Confirm your compliance with GDPR – Companies must be able to show documents that prove their compliance with GDPR.

3.3.5 Record Keeping
3.3.5.1 Build a clear guideline for how PII is collected and handled. A hotel must keep technical and organizational records to prove it is protecting data and have them ready to show.
3.3.5.2 Mark on your website – to enable your hotel to store PII data. Describe the process and allow access and modification or deletion.
3.3.5.3 Know the location of all PII held and guarantee strict guidelines in accordance with the hotel data protection policy.
3.3.5.4 Ensure effective security systems are in place for the highest data protection.

3.3.6 Regular Training
3.3.6.1 Every staff member in your organization who deals with Personal Guest Information should be informed of GDPR. Hotel staff must be informed of how to collect, access, use, and disclose personal information.
3.3.6.2 Additionally, how to limit access to cardholder data. Employees must also be told how to create strong passwords and how to properly dispose of records containing payment card data.

3.3.7 PCI Compliance and GDPR
If you are already PCI compliant, then this accreditation lays the basis for GDPR compliance. To be PCI DSS compliant, a hotel must have taken proper steps when processing payments. Secure Stay can consistently help to deal with this.

4. Findings and Results: Practical Steps to How Hoteliers Can Improve Privacy and Data Protection [12]
Most cyber attacks are focused around these top five areas:
1. Remote hacking through third parties – Cybercriminals might break in through a remote access point. Hotel IT representatives should control vendor access and maintain constant observation of all activity coming from the third party. The largest data breach was performed through third-party vendors when hackers obtained access to more than 70 million credit cards.
2. Phishing scam – Some fake websites pose as legitimate booking websites while trying to obtain guests' personal information and credit card information. Also, hotel owners are being tricked by a similar scam when they pay fees to fake websites. These days it is important to make sure that the websites used both by customers and hotels are legitimate and are not run by hackers.
3. Ransomware – Hotels are at risk when it comes to ransomware attacks. As we mentioned earlier, hotels use PoS systems with applications that are not as secure as modern payment systems. There are other weaknesses hotel systems have that might lead to ransomware attacks.
4. Access to personal information through guest Wi-Fi – The attack is called "man in the middle," and it imitates a legitimate Wi-Fi access point. It allows cyber criminals to view all the online activity of users of this fake connection. It includes their logins to banking systems, entering credit card information on websites, or reading e-mail. It also happens that hackers incite users of guest Wi-Fi networks to visit websites that are actually scam versions of original websites. They gain more access to guests' personal devices when cybercriminals trick users into installing so-called "critical" updates.
There are now enormous amounts of private data shared online. As a result, client privacy and data security have become significant issues in industries worldwide, including hospitality.

Data Inspection processes
The very first step is to understand all the private information your property accumulates, why it is gathered, how the information is stored and managed, who on your team gets access to it, and which other outside partners, providers or suppliers the information is shared with (and what their policies and safety methods are). Identify the manager who is in charge of privacy and information security in your hotel.
This can give you a starting point to understand what you might want to change to guarantee compliance with CIS V7.1/GDPR, and how you can generally improve procedures, reduce information collection, and enhance security.

An assessment of IT infrastructure and safety [13]
Stay assured that your data is protected. Have you got relevant security systems that minimize the risk of external access (hacking) to sensitive information and prevent access to data by staff members that should not access it? Even though there is absolutely no way to eliminate hotel cyberattacks, there are

lots of practical measures to guarantee guest information storage.

Guarantee data transparency and guest control
Ensure data transparency by establishing clear privacy policies, communicating them to guests, and making sure that employees follow them. Reduce the amount of unnecessary information gathered and stored and make sure that processes are set up for guests to ask that their information be deleted or to request copies of the information.

Train the staff on cybersecurity processes.
Compliance with GDPR and CIS V7.1 will need staff training and the execution of procedures and the policies set by the laws [14]. A number of these resources will give more detail. It is crucial to develop a culture that respects guest privacy and considers data security at every level. IT infrastructure is ever-changing. That is why continued monitoring is required to ensure that processes are kept up to date.
It is often the case that hotel employees accidentally provide access to hackers, although, with proper training, the chances are enormously lower. Staff training needs to be done in order to avoid such incidents and protect the hospitality business. They have to keep up with the security standards and compliance rules and understand all applicable documentation:
1. Establish the cybersecurity needs for your hotel - Outlining your needs is the first step. Next, a suitable training package should meet your industry and company needs. You may need to set up a separate program for different departments. For example, the staff that has access to computers should be trained on how to detect phishing. Most likely, you will have to conduct simulated exercises for better results.
2. Include cybersecurity training during the hiring process - The training for the hotel staff cannot and should not wait. Data breaches or other cyberattacks may occur at any given moment, and new employees are the most vulnerable to them. Providing training during onboarding will help you make sure that there are fewer weak spots. Staff members should understand that cybersecurity is a fundamental issue. Encourage them to use the given tips to protect not only company technology but also their personal devices.
3. Make employees' cybersecurity education a continuous process - Conduct instruction regularly so your staff will always be on guard. This way, your employees will always be ready for an attack. You may send them e-mails with cybersecurity precautions, so your hotel's safety is always on their mind.

Insider dangers
Staff members might purposely share hotel data with third parties. Such data breaches are more difficult to identify as the access can be granted to a hacker by an employee. For that purpose, there is a need to:
1. Restrict the ability to download software to the staff's computers, minimize web browsing on company laptops and PCs that hold sensitive information, instruct staff to use strong passwords, and identify potential malware.
2. Hold employees accountable for their adherence to the cybersecurity policy.
3. Provide access to the company's systems only to a small number of staff members.
4. Ensure that your employees can access only as much information as they need to get their job done.

5. Conclusion, Implications, and Recommendations
This article aims at emphasizing the importance of cybersecurity for the hospitality industry. The study discusses the tools and techniques that can help prevent cyberattacks in the hospitality industry [15]. Findings and results from this study reveal some of the main causes that create security vulnerabilities for the hospitality industry. However, due to the sensitivity and confidentiality of the topic, the authors certainly could not uncover many other factors during the interviews that may affect the information security of hotels.
After reviewing many academic and professional resources, we summarize five significant risks and challenges that hotels have faced so far.

As noted by Neda Shabani and Arslan Munir [16], these five challenges are:
1. Identity theft leading to credit card fraud has caused many data breaches and information theft from hotels' network systems.
2. Silent invasions are cyber-crime attacks that employ powerful tactics such as social engineering (e.g., phishing) and, more recently, advanced persistent threats (APTs) that bypass the defenses hotels have in place.
3. Most hotels have either no security audit or long security audit cycles, which put the investors and guests at high risk of security attacks.
4. Physical crimes like terrorism put hotels at risk.
5. Loss of competitive advantage and negative outlook that hotels experience after cybersecurity attacks.

In general, cyber-attacks can occur in any of the following three forms:
1. The intruder may obtain unauthorized access to the network.
2. The intruder may destroy, otherwise corrupt, or alter the data.
3. The intruder may acquire fake permission for the system user and then implement some malicious procedures to fail, hang, or reboot the system.

There are many implications and recommendations available for users in the hospitality industry to take advantage of. However, in this paper, we present a few important ones. Checking a website's domain and secure socket layer (SSL) certificate plays a significant role in the Internet era. Users must be cautious in entering their personal and financial information on websites. We suggest a few tips and advice for hotel customers while traveling and especially during the hotel stay: (i) do not use online banking on public computers and public Wi-Fi, (ii) do not access the e-mail inbox when traveling and connected to an unsecured Wi-Fi, (iii) prevent the computer or smartphone from automatically connecting to unknown Wi-Fi networks, (iv) use remote desktop applications instead of saving sensitive information on the laptop or smartphone when traveling, as well as utilizing a WAF in front of the web application server and a DBWAF in front of the customers' data, (v) utilize a VPN for browsing and entering personal information on websites when connected to an unsecured Wi-Fi network, (vi) comply with all compliance regimes and standards (CIS v7.1, ISO27001, GDPR) as well as cybersecurity communities.

Research has shown that hotels with loyalty programs are more vulnerable to security attacks because attackers know that these hotels have access to more consumer data than those that do not have such a program. Thus, the information of guests and customers of the hospitality industry who are members of these loyalty programs is more vulnerable. Managers of those hotels can take a few measures to protect the information and data of loyal customers:
1. Giving the customers information about the possibility of being hacked by cyber attackers and advising/notifying them to regularly change their passwords. Further, managers can inform the customers to avoid using the same password for several websites. Also, customers can be informed to check and monitor their account activity more often. Managers can also reward customers for being security cautious.
2. Sending the customers an automatic e-mail and notification in case of a password change or login to their account. If they have not logged in to their account or changed the password, they can immediately be aware of potential abuse and report it.
3. Enabling the system to employ two-factor authentication so that, for logging into accounts, in addition to providing username and password, guests would also be required to submit the security code that they receive on the same e-mail address or phone number that they provided while signing up for the account. Hence, in case of attempted masquerade attacks, a cyber attacker will not be able to access the account if they do not have the e-mail account or the phone (number) that the account was registered with, as the attacker will not be able to acquire the passcode sent by the authentication system.

There are various tools and techniques available to scan for vulnerabilities in the computer system and network. Hotels can utilize these tools and techniques, depending on affordability, to protect guests' data and personal information. Furthermore, it is advised that each hotel should have a contract with an IT company or a dedicated IT manager whom the hotel trusts so that the hotel computer systems and networks are security audited on a regular basis. Additionally, hotels should dictate internal regulations and policies for the hotel's employees regarding cybersecurity and computer network usage. The hotels should also have a cybersecurity training program for employees whose job is computer-related and who are tasked with handling e-mails and social media.

Furthermore, hotels must have a secure and certified website that leverages extended validation or at least domain validation. Guests must be able to book the rooms or amenities provided by the hotel online without being concerned about being hacked or abused. Finally, hotels should acquire cyber insurance to cover the loss and liabilities if the hotel experiences a data breach or cyber-attack.
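The three account protections recommended above for loyalty-program members (password verification, a one-time code delivered to the contact registered at sign-up as a second factor, and automatic notification on login and password change) can be put together as follows. This Python example is added here and is not from the paper; the AccountService class is hypothetical, the outbox list stands in for an e-mail/SMS gateway, and all user names, passwords and contacts are constructed.

```python
"""Added example, not from the paper: the account protections recommended in
section 5 for loyalty-programme members. Password check, an e-mailed or texted
one-time code as a second factor, and automatic notification on login and on
password change. The outbox list stands in for the e-mail/SMS gateway; user
names, passwords and contacts are constructed."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # the code is valid for five minutes
OTP_MAX_ATTEMPTS = 3    # then the pending login is discarded
PBKDF2_ROUNDS = 100_000


class AccountService:
    def __init__(self, now=time.time):
        self.now = now            # injectable clock, so expiry can be exercised
        self.accounts = {}        # username -> {"salt", "pw_hash", "contact"}
        self.pending = {}         # username -> {"code_hash", "expires", "attempts"}
        self.outbox = []          # (contact, message) that would be e-mailed/texted

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    @staticmethod
    def _hash_code(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def register(self, username, password, contact):
        salt = secrets.token_bytes(16)
        self.accounts[username] = {
            "salt": salt, "pw_hash": self._hash_pw(password, salt), "contact": contact}

    def _password_ok(self, username, password) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(self._hash_pw(password, acct["salt"]), acct["pw_hash"])

    def begin_login(self, username, password) -> bool:
        """First factor. On success, send a one-time code to the registered contact."""
        if not self._password_ok(username, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {
            "code_hash": self._hash_code(code),
            "expires": self.now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((self.accounts[username]["contact"], f"Your login code is {code}"))
        return True

    def complete_login(self, username, code) -> bool:
        """Second factor: the code only reaches whoever holds the registered contact."""
        p = self.pending.get(username)
        if p is None:
            return False
        if self.now() > p["expires"]:
            del self.pending[username]
            return False
        p["attempts"] += 1
        if hmac.compare_digest(self._hash_code(code), p["code_hash"]):
            del self.pending[username]
            self.outbox.append((self.accounts[username]["contact"],
                                "New login to your account. If this was not you, report it."))
            return True
        if p["attempts"] >= OTP_MAX_ATTEMPTS:
            del self.pending[username]   # guessing the code is cut off after three tries
        return False

    def change_password(self, username, old_password, new_password) -> bool:
        """Re-verify the old password, then notify the owner of the change."""
        if not self._password_ok(username, old_password):
            return False
        self.register(username, new_password, self.accounts[username]["contact"])
        self.outbox.append((self.accounts[username]["contact"],
                            "Your password was changed. If this was not you, report it."))
        return True
```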

References
1. https://www.investopedia.com/articles/investing/061015/top-5-most-profitable-hotel-companies.asp - MAR, HLT, and IHG lead the 10 biggest hotel companies and REITs list
2. https://www.globenewswire.com/news-release/2021/06/08/2243615/28124/en/Global-Hospitality-Market-Report-2021-Market-is-Expected-to-Reach-5297-78-Billion-in-2025-Forecast-to-2030.html
3. Bilgihan, A., Karadag, E., Cobanoglu, C., Okumus, F.: Research Note: Biometric Technology Applications and Trends in Hotels. FIU Hospitality Review 31(2), 1–18 (2013)
4. Cal, O.: Hotel Cybersecurity: A Guide to Avoiding Threats. Hospitality Technology (August 21, 2020), https://www.cvent.com/uk/blog/hospitality/hotel-cybersecurity
5. Butler, J.: Not Just Heads In Beds – Cybersecurity for Hotel Owners. https://www.hospitalitynet.org/opinion/4073687.html (2016), Last visited on December 26, 2019
6. Clark, C.: The Serious Cyber Security Threat That Could Hurt Hotels. http://www.pcma.org/news/newslanding/2015/04/13/the-serious-cyber-security-threat-that-could-hurt-hotels#.VqhHLGCZaJV (2015), Last visited on February 26, 2016
7. Cobanoglu, C., Demicco, F.J.: To Be Secure or Not to Be: Isn't This the Question? A Critical Look at Hotel's Network Security. International Journal of Hospitality & Tourism Administration 8(1), 43–59 (2007)
8. Collins, G.R., Cobanoglu, C., Bilgihan, A., Berezina, K.: Hospitality Information Technology: Learning How to Use It. Kendall Hunt Publishing (2017)
9. Eubanks, N.: The True Cost Of Cybercrime For Businesses. https://www.forbes.com/sites/theyec/2017/07/13/the-true-cost-of-cybercrime-for-businesses/#764083449476 (July 2017), Last visited on December 26, 2019
10. Greenberg, A.: Cybercrime Checks into Hotels. https://www.forbes.com/2010/02/01/cybersecurity-breaches-trustwave-technology-security-hotels.html#4f1684853c8c (2010), Last visited on December 26, 2019
11. Hahn, D.A., Munir, A., Mohanty, S.P.: Security and Privacy Issues in Contemporary Consumer Electronics. IEEE Consumer Electronics Magazine 8(1), 95–99 (January 2019)
12. Hiller, S.: Top 5 Risks and Security Challenges for Hotels in 2015. https://insights.ehotelier.com/insights/2015/01/22/top-5-risks-and-security-challenges-for-hotels-in-2015/ (January 2015), Last visited on December 26, 2019
13. Kansakar, P., Munir, A., Shabani, N.: A Fog-Assisted Architecture to Support an Evolving Hospitality Industry in Smart Cities. In: Proc. of the 16th International Conference on Frontiers of Information Technology (FIT). IEEE, Islamabad, Pakistan (December 2018)
14. Kansakar, P., Munir, A., Shabani, N.: Technology in Hospitality Industry: Prospects and Challenges. IEEE Consumer Electronics Magazine 8(3), 60–65 (May 2019)
15. Rusch, J.J.: Computer and Internet Fraud: A Risk Identification Overview. Elsevier Computer Fraud & Security 2003(6), 6–9 (June 2003)
16. Shabani, N., Munir, A.: A Review of Cyber Security Issues in Hospitality Industry. Kansas State University, Manhattan (July 2020)

Appendix A: Case Study and notified them of the data breach for their further
1. Choice Hotels Data Breach action.
The Choice Hotel chain does seem to have an Nobody needs this kind of publicity. With hotel
unhappy (or very happy – depending on your point guests increasingly sharing their experiences on
of view, of course) relationship with data security, online review boards, the effects of a data breach
over the last few years, the chain has been the victim can be costly and very far-reaching. An ounce of
of at least two data breaches of varying magnitude prevention is worth a pound of cure, so drop us a
and severity, involving different entry points. line and let our security experts show you how to
keep your data safe and secure!
Data breaches at the Maryland lodging giant have a
far broader impact than their hotel guests. Choice 2. Cyber Security Threats in Hotels And Lessons
Hotels manages bookings for over seven thousand We Learned
hotels and properties around the world. These The hospitality business represents a profitable
bookings include major hotel and hospitality chains target for hackers cyberattacks: Hotels, casinos, and
such as: restaurants are interesting to cyber thieves as they
- Ascend Hotel Collection frequently handle large amounts of financial
- Cambria Hotels transactions containing client information.
- Clarion, Comfort Compared to banks and insurance companies which
- Econo Lodge handle similar information, restaurants and resorts
- MainStay Suites aren’t bound by regulations to maintain the
- Roadway Inn maximum safety standards. Moreover, they don’t
- Sleep Inn have the resources to develop the optimal cyber
- Woodspring Suites defenses. Therefore, it’s not surprising that the
In December 2019, an unsecured database exposed hospitality industry ranks highly in the “Data
guest data after a metasearch engine indexed the Breach” listing.
database contents. The data set included full names, The hospitality industry, restaurants, and casinos
e-mail addresses, and home phone numbers. The experience crises in cyber defense for a long
irony was the data breach happened during a time. Let’s have a look at the most resonant cases
planned security data test run! (includes phishing attacks, hacktivism, malware,
According to Choose Hotels, approximately 5.6 and identity theft) that have occurred over the past
million records were affected, but only 700,000 of few years.
these had to do with real guest information. The a. 2016: Kimpton Hotels and Restaurants
bulk of the exposed data comprised dummy Malware on the point of sale
information the chain had created specifically for Kimpton Hotel and restaurant is a part of the
their security test run. That may well have been the Intercontinental Hotels Group (IHG) declared that
case, but even if that was the situation, Choice their payment terminals had been harmed by
Hotels should have secured or excluded any real malware. In this way, the guest’s credit card
guest information from what a trial of an untested information might be compromised. Later, the
system was. company determined and removed the malicious
A subsequent investigation into the breach by software that took credit and debit card details. But
cyber-attack protection researchers discovered a who knows, it wasn’t too late.
ransom note, purportedly from a hacker, who b. 2017: InterContinental Hotel Group
claimed the 700,000 exposed records had been Remote installation of malware on point-of-sale
backed up and demanded approximately $4,000 InterContinental Hotels Group Plc (IHG.L) claimed
from the hotel chain to delete his files. 1,200 hotels in the United States, including Crowne
An earlier data breach incident at the hotel chain Plaza and Holiday Inn, were victims of cyber-
involved a technical issue on one of Choice Hotel’s attacks for 3 months. In that period, cyber thieves
websites, which left guest information accessible to attempted to steal customer payment card data. The
hackers. expertise conducted by an independent cyber
Visitors to the hotel website using the Safari defense team revealed that criminals were able to
browser left their entered information exposed to install malware on the servers that the hotels’
third parties. This exposure only occurred if the payment card processing systems relied upon,
Safari browser crashed, but it seems to have been which in turn collected the data contained in credit
quite a frequent event, taking place approximately card tracks such as card numbers, cardholder names,
88,000 times from June 2015 through November and verification codes. Such information may well
2019. Choice Hotels did identify the guests involved

Secure Hospitality Data - https://secure-stay.com/


An E2E hospitality Cybersecurity solutions - architecture, attacks/threats, and defense development for the upcoming
2021/2022 at all layers, followed by ISO27001, GDPR, and CIS V7.1 Standards Compliances

be used to make fraudulent payments through cloned cards.

c. 2018: Marriott International Hotel Chain Eavesdropping attack
The Marriott International Hotel chain faced an enormous security breach. Sensitive data of 500 million hotel guests globally was stolen and exposed. This compromised information had details regarding credit cards, passports, and birthdays. By 2018, it had been among the biggest data breaches reported in the media. However, the most frightening fact about this story is how long the criminals had access to the network – about 4 years. Cyber analysts discovered weaknesses and vulnerabilities while the Starwood reservation system had merged with the Marriott chain.

Lessons we learned.
As we know from the above-mentioned cases, many cyberattacks against the hospitality industry follow a common pattern: sending malware or viruses via e-mail. The Marriott resort chain might have been alerted to unusual entry action, even prior to the Starwood merger. Utilizing automated analysis tools, organizations could ascertain whether the source of the attack was external or internal. Automatically detecting suspicious links that are not easy to spot with human intervention would have averted malicious malware in the Kimpton hotel instances. Smaller hospitality companies with limited human resources need to put money into highly automated, artificial intelligence and machine learning options which may imitate specialist analysts and operate round the clock to restrict unauthorized remote access, enhance network security and protect against infiltration of IoT apparatus and systems.
The matters of regulations remain unsolved. With the huge degree of financial transactions and their vulnerabilities due to millions of travel websites, it's the right time to get regulated at the same level as the financial industry.

3. Security team demonstration of hacking vulnerabilities in 2019
In a recent hotel cyberattack simulation, our attack team managed to take full control of the hotel just from the minibar's network connection. This is how it was done:
1. Our attack team connected their computers to the minibar's ethernet port. They discovered a router and managed to gain access to it by guessing its password.
2. From there, they managed to jump to the corporate network and breach their way into the corporate structure of the network.
3. During the reconnaissance, they also managed to gather several user accounts with their credentials.
4. Eventually, one of the harvested credentials led the attacking team to an internal server in the hotel network, which was managing the PMS system of the hotel. The attacking team now had full control of the hotel's network and could make bookings, control the smart TVs of all of the rooms in the hotel, and extract sensitive guest details.

Appendix B: Why cybersecurity matters in hotels.
In an era in which personal data is worth more than any bank heist, industries processing massive amounts of personal information are the preferred target for cyberattacks. Hackers breaching systems in the hospitality and tourism industry are reported regularly, as the amount of information processed through the industry's systems daily makes them a major target.
The data processed by the industry is a gold mine for cybercriminals looking to carry out credit card fraud and identity theft crimes, as the information customers provide to hospitality companies often includes a copy of the client's passport, including their full name, address, date of birth and country of origin, as well as their e-mail and credit card details – to name only the most frequently gathered and documented details. Although credit card data seems the most coveted, personally identifiable information (PII) is considered the most valuable.
Failing to guarantee your guests' confidentiality and data safety would cause major detriment to your organization, whether it be to its reputation or to its legal or financial standing. Published research from Cisco determined that 22% of breached companies lost clients following the attack, showing just how seriously customers take the commitment of a company to secure their data.
It is estimated by the World Tourism Organization (UNWTO) that by 2030, there will be approximately 1.8 billion international tourists crossing borders; keep in mind that these numbers don't include local tourism. With these numbers in mind, the need for immediate action on handling the gargantuan amount of data that is being collected, processed, and safeguarded becomes clear.
Typically, when you think about cybersecurity, virus attacks through malicious malware come to mind. Despite these common security threats, human error remains the underlying concern for business owners. In fact, according to Decode the Human Threat, only 18% of data breaches are caused by an external threat, and up to 82% of all cyber-attack claims are due to human error.

1. The primary factor of security breaches: human error
The business structure of the hospitality industry is often built out of complex ownership collaborations, consisting of a management company that runs the business, a group of owners, and often a franchisor.
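The minibar simulation in section 3 above succeeded because nobody was watching for an unknown device appearing on an in-room port followed by a run of failed router logins, and the Marriott lesson asks for automated tooling that tells an internal source from an external one. As an added example (not code from this paper or from Secure-Stay), the following Python script does both over a few constructed syslog lines: it correlates a port-security event with a burst of failed logins, raises a second alert when a success follows the burst (the signature of a guessed password), and labels each source as internal or external using the RFC 1918 ranges. The log formats, hostnames, VLAN names and addresses are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample syslog lines (not real hotel logs). The story mirrors the
# minibar simulation: an unknown device appears on the in-room VLAN, then guesses
# the router's admin password; later an off-site address tries once and fails.
SAMPLE_LOGS = """\
2021-03-02T22:14:01 switch1 PORT-SEC: new MAC 02:11:22:33:44:55 learned on Gi1/0/7 (vlan 40 minibar) ip 10.40.0.57
2021-03-02T22:14:09 router1 AUTH: login failed for user admin from 10.40.0.57
2021-03-02T22:14:11 router1 AUTH: login failed for user admin from 10.40.0.57
2021-03-02T22:14:13 router1 AUTH: login failed for user admin from 10.40.0.57
2021-03-02T22:14:15 router1 AUTH: login failed for user admin from 10.40.0.57
2021-03-02T22:14:16 router1 AUTH: login failed for user admin from 10.40.0.57
2021-03-02T22:14:18 router1 AUTH: login succeeded for user admin from 10.40.0.57
2021-03-02T22:30:44 router1 AUTH: login failed for user admin from 203.0.113.9
2021-03-02T23:01:00 router1 AUTH: login succeeded for user netops from 10.10.0.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>[A-Z-]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"login (?P<result>failed|succeeded) for user (?P<user>\S+) from (?P<ip>\S+)")
PORTSEC_RE = re.compile(
    r"new MAC (?P<mac>\S+) learned on (?P<port>\S+) \(vlan (?P<vlan>\d+) (?P<name>\S+)\) ip (?P<ip>\S+)"
)

# Assumed on-premises ranges (RFC 1918); anything else is treated as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_source(ip: str) -> str:
    """Answer the Marriott lesson's question: did this come from inside or outside?"""
    addr = ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def detect_login_bursts(log_text: str, threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> list:
    """Flag `threshold` failed logins per (ip, user) inside `window`, plus any success
    that follows such a burst. Port-security events are remembered so an alert can
    name the physical port and VLAN the offending address was learned on."""
    devices = {}                    # ip -> {"mac", "port", "vlan"}
    failures = defaultdict(list)    # (ip, user) -> timestamps of recent failures
    bursts = set()                  # keys already reported as a burst
    alerts = []

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        ps = PORTSEC_RE.search(m["msg"])
        if ps:
            devices[ps["ip"]] = {"mac": ps["mac"], "port": ps["port"], "vlan": ps["name"]}
            continue
        a = AUTH_RE.search(m["msg"])
        if not a:
            continue
        key = (a["ip"], a["user"])
        base = {
            "host": m["host"], "ip": a["ip"], "user": a["user"], "at": m["ts"],
            "source": classify_source(a["ip"]), "device": devices.get(a["ip"]),
        }
        if a["result"] == "failed":
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold and key not in bursts:
                bursts.add(key)
                alerts.append({"type": "login_burst", "failures": len(recent), **base})
        elif key in bursts:
            # A success right after a burst is the signature of a guessed password.
            alerts.append({"type": "success_after_burst", **base})
            bursts.discard(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_login_bursts(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the script raises two alerts for 10.40.0.57, both tagged internal and enriched with port Gi1/0/7 on the minibar VLAN, which is the information a night-shift operator needs to walk to the right room; the single failure from 203.0.113.9 stays below the threshold but is classified external, so the same data feeds the internal-versus-external question the Marriott lesson raises.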

Each of the entities above is storing crucial data in different computer systems, moving it around frequently, and possibly sharing it with different external third parties. This complex ownership structure is on its own a possible source of breaches, as proven in the case of the Wyndham Worldwide breaches, which occurred back in 2008 and 2010: by gaining access to the entire corporate network of the organization, hackers stole credit card and other details about customers, resulting in $10.6 million in fraudulent charges.
As the primary form of payment in the hospitality industry is a credit card, infecting point-of-sale systems with malware is one of the preferred practices of hackers to reach a massive amount of credit card details. The breach doesn't need to occur remotely. It can very well be carried out by infecting an unattended device and spreading the virus to the whole computer system from that one location.
Protecting this sensitive data becomes particularly tricky when considering that, when talking about keeping personal data safe, human error is the number one reason for breaches. It implies that business owners must invest more in employees through the provision of education and awareness; a full reeducation needs to be carried out amongst all personnel and third-party service providers. In addition, recurrent training programs and new protocols need to be implemented as well.

Considering that one-third of hospitality business owners admit to not having protocols or even policies in place to store and dispose of confidential information stored on devices, enforcing policies for document destruction and their digital storage is the first step in creating a more secure line of protection for customer information. These numbers should be a great source of concern for customers who trust these hosting companies with their sensitive information, and this should be a strong incentive for those brands to protect their clients and to understand that, although 36% of them believe that data breaches are not a real issue and are blown out of proportion, it isn't so: it is a genuine threat that needs to be addressed by intensive training programs and the implementation of strict protocols.

2. Falling victim to fraudulent e-mails
Another way of taking advantage of employees' lack of training and supervision is through fraudulent e-mails, commonly known as phishing. It is one of the most dangerous security threats. Regardless of how skilled your employees may be and despite what they may think they know about phishing, the skills of cybercriminals invested in creating extremely sophisticated e-mails replicating trusted business communication can fool an untrained and gullible clerk. Opening such an e-mail or its attachment would launch a trojan horse or a virus which will extend its ramifications through the whole computer network of the organization, giving attackers a foothold into the business from which they can extract sensitive client data, account passwords, intellectual property and much more.
McAfee estimates that 97% of people are unable to identify a sophisticated phishing e-mail, making phishing the most dangerous and successful of all cyberattacks (91% of all cyberattacks start with a phishing e-mail).

3. How Can Businesses Mitigate Exposure?
Beyond the imposed requirements, data management is a business reality, and it is imperative as a hospitality company to take care of your guests the best you can. For this reason, securing data must be a strategic process involving everyone within the organization.
The company's first step is to implement a cybersecurity management plan, with actions to prevent data loss and a continuity plan ready to go in the case of a breach. The main defense will be to train staff on the security risks, how to minimize them, and how to detect infiltration. This is an ongoing process that needs continual maintenance: making sure software and systems are up to date, as well as firewalls and antivirus programs. It's imperative that business owners put together a form of training plan for new and old employees alike to keep them up to date with cybersecurity basics that may prevent the loss of crucial information.

Joining forces with an experienced cyber risk management company that provides business owners and their employees with the training, the knowledge, the tools, and the support to build a healthy and efficient safety policy around their existing IT infrastructure will not only help hotel owners reduce the likelihood of a cyber-related incident, but also offers valuable training services to ensure employees are up to date with the latest security policies.
Always remember that being compliant is not the same as being secure!

Appendix C: Dependability on IoT devices manufactured with a lack of security together with 5G Require New Approaches To Cybersecurity

5G is the "Fifth Generation" mobile network, the latest global wireless standard. It will eventually replace or at least augment the existing 4G LTE connection standard. With 5G, you'll be able to experience exponentially faster download and upload speeds, and the time it will take for devices to communicate with wireless networks (latency) will drastically decrease.

It is designed to connect everything and everyone at higher data transfer speeds:
1. First and foremost, speed is the most attractive perk of this new generation network!

5G should reach a speed of 10 gigabits per second, which means 20 times faster than 4G.
2. The second reason is latency: by shortening the "lag time" between device communications, the possibility of performing remote live actions such as remote surgery, or coordinating the communication between self-driving cars, is now something that can be seriously considered.
3. The third reason would be connectivity. While the existing 4G LTE network is powerful, we are quickly outgrowing this network by overloading it and pushing it to its limits. Current LTE networks are becoming overloaded at peak hours in major cities; 5G could support 100 times more devices per square mile versus 4G, and with the rise of internet-connected "smart" gadgets, such as IoT (Internet of Things), there is a need for a faster and higher-capacity system to support the billions of devices already in use and the many more to come.
mMTC (Massive Machine-Type Communications) is a brand-new service category of 5G that can support an extremely high connection density of online devices. Currently, IoT is communicating through sensors; those sensors require a lot of resources and are quickly depleting the existing 4G LTE data capacity. Compared to current smart devices on the market, MTC devices will require fewer resources since a huge number of these devices will be able to connect to a single base station, making them much more efficient by using the speed and the low latency of the 5G network.

5G vs. 4G
5G transmits tons of data over shorter distances than 4G LTE. This helps speed up and increase the consistency of connection signals and the network itself — even when in motion. The 5G network can also support more devices due to the use of new signal spectrums. On top of all of this, energy-efficient tech allows less power to be used.

| | 4G | 5G | Impact |
|---|---|---|---|
| Latency (milliseconds) | 20-30 | >10 | 5G is more responsive than 4G with lower latency, referring to the time taken for device-to-network communications. Since devices can "talk" to the network faster, you'll get data faster. |
| Average speed | 25mbps | 200-400mbps | 5G is faster than 4G with more bits-per-second able to travel the network. With the new upload and download speeds, you could be downloading movies in seconds versus minutes. |
| Technology | LTE | Developing | 5G uses less power than 4G since it can rapidly switch to low-energy use when cellular radios are not in use. This extends the device battery life to let devices stay unplugged for longer. |
| Features | Incredibly fast download speeds paved the way for HD streaming. | Ultra-fast internet, low latency and improved reliability. | 5G can carry more devices than 4G as it expands the available radio waves. Congestion issues that lead to slow service will be reduced once 5G steps in. |
| Deployment | 2006-2010 | >2020 | |
| Bandwidth | 200mbps | >1gbps | 5G gives vital, fast service more reliably than 4G due to better bandwidth and more connection points. With less stress on the network, data costs can fall lower than 4G networks. |

That being said, there is one major downside to 5G, which is keeping 4G from being fully replaced right now:
1. 5G is hard to install and deploy. There is a need for more transmitters to cover the same area as the current 4G networks. Placement sites for some of these "cells" are very challenging for cellular companies to come up with. This delay in coverage might seem negative for the future of 5G, but it gives a window of time for providers to address another big concern: security.
2. 5G cybersecurity needs to undergo some meaningful improvements to avoid the growing risks of hacking. While some of the security worries are about the network itself, others concern the devices connecting to the network.
3. Traffic routing points – Pre-5G networks had fewer hardware traffic points of contact, which made security checks and maintenance easier. To be completely secure, all the traffic routing points need to be closely monitored, as any unsecured areas might allow the threat to spread to other parts of the vulnerable network.
4. Dependability on IoT devices manufactured with a lack of security – With many low-end smart devices available on the market, originating from manufacturers with low concern about cybersecurity, the use of 5G will encourage the connection of more devices between them and ultimately through its network. Each unsecured device translates to a possible breach point. Every portable speaker, smartwatch, smart light, smart lock and thermostat, and even minor devices like a fish tank thermometer, can be a vulnerable network breaching point. A lack of control and security standards over IoT devices implies infinite potential network breaches and hacking.
5. Focus on networks first – Network providers will have to invest in software protections and will need to collaborate with cybersecurity firms to develop solutions for encryption and network monitoring to cover the unique risks of 5G.
6. Manufacturers need to invest in their security efforts – The high costs of developing and implementing secure tech don't motivate low-end product manufacturers to focus on cybersecurity. Many IoT devices used by the population have been bought prioritizing the use above the tech, not understanding that the potential breach originating from those unsafe devices could cost them a thousand times the saving made on the purchase of the device; and if used in a public place such as a hotel, in our case, this could also affect other guests or the organization's network as a whole.
7. Consumer education – Product labeling standards will be a necessity. Because users have no intuitive way to know how safe IoT devices are, smart tech manufacturers might start to be held accountable with a label system. The FCC grades other forms of radio transmission, so the growing market of IoT devices may soon be included as well. Last, users need to be educated and warned about the importance of securing all internet devices with software updates.

How You Should Prepare for 5G
It is never too early to prepare by taking the security and privacy of your system network into your own hands as much as possible:
- Install antivirus solutions on all your devices.
- Use a VPN.
- Practice strong password security.
- Use Two-Factor Authentication (2FA).
- Use password management vaults.
- Focus on protecting yourself from breaches originating from IoT.
- Update the default backend passwords on all your IoT devices.
- Create a separate network on your router for guests as well as all the facility's IoT devices.
- Keep all your IoT devices updated with security applications. This includes mobile phones, computers, all smart devices, and even your car's infotainment system. Remember, any device that connects to the internet, Bluetooth, or other data radio should have all the latest updates (apps, firmware, OS, etc.).
- Turn off Universal Plug and Play (UPnP).
- Set a clear Bring Your Own Device (BYOD) policy for your employees.
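Two items in the list above, a separate network for guests and the facility's IoT devices and turning off UPnP, come down to a zone model with a default-deny firewall between zones. The following added example, written for this page and not part of the paper or of any product, encodes such a policy in Python: it maps addresses to zones, decides whether a new flow between zones is allowed, and renders the same policy as an nftables forward chain. Zone names, address ranges, allowed services and the sample flows are all assumptions for the illustration; a real property would substitute its own addressing.

```python
from ipaddress import ip_address, ip_network

# Constructed zone plan for a small hotel network. Zone names, address ranges and
# the allowed services are assumptions for this example, not from the paper.
ZONES = {
    "corporate": ip_network("10.10.0.0/24"),  # back-office and front-desk PCs
    "pms":       ip_network("10.20.0.0/24"),  # property management system servers
    "iot":       ip_network("10.40.0.0/24"),  # minibars, smart TVs, locks, thermostats
    "guest":     ip_network("10.50.0.0/24"),  # guest Wi-Fi
}
INTERNAL_SUPERNET = ip_network("10.0.0.0/8")  # everything on-premises lives in here

# Explicit allow list: (source zone, destination zone, protocol, destination port).
# Anything not listed is dropped, so IoT and guest devices can never reach the PMS
# or corporate zones; staff reach IoT controllers, never the reverse.
ALLOW = [
    ("corporate", "pms",      "tcp", 443),
    ("corporate", "iot",      "tcp", 443),
    ("corporate", "internet", "tcp", 443),
    ("iot",       "internet", "tcp", 443),   # vendor firmware updates only
    ("guest",     "internet", "tcp", 80),
    ("guest",     "internet", "tcp", 443),
]

# Dropped from every zone: SSDP on UDP 1900 is the discovery half of UPnP.
ALWAYS_DROP = [("udp", 1900)]


def zone_of(ip: str) -> str:
    """Map an address to a named subnet, to 'unassigned' for other on-premises
    space, or to 'internet' for anything off-site (multicast included)."""
    addr = ip_address(ip)
    matches = [name for name, net in ZONES.items() if addr in net]
    if matches:
        return max(matches, key=lambda name: ZONES[name].prefixlen)
    if addr in INTERNAL_SUPERNET:
        return "unassigned"
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> tuple:
    """Return (verdict, reason) for a new flow, mirroring the rendered ruleset."""
    if (proto, dport) in ALWAYS_DROP:
        return ("drop", "UPnP/SSDP discovery is disabled in every zone")
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("accept", f"same zone ({src}); traffic stays on the switch")
    if (src, dst, proto, dport) in ALLOW:
        return ("accept", f"explicit allow {src} -> {dst} {proto}/{dport}")
    return ("drop", f"default deny {src} -> {dst} {proto}/{dport}")


def render_nftables() -> str:
    """Emit the same policy as an nftables forward chain with a default-drop policy."""
    lines = [
        "table inet hotel_segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for proto, port in ALWAYS_DROP:
        lines.append(f'    {proto} dport {port} log prefix "upnp-blocked " drop')
    for src, dst, proto, port in ALLOW:
        if dst == "internet":
            # Without this negation an IoT allow-to-internet rule would also reach
            # the PMS subnet: exactly the pivot the minibar simulation relied on.
            daddr = f"ip daddr != {INTERNAL_SUPERNET}"
        else:
            daddr = f"ip daddr {ZONES[dst]}"
        lines.append(f"    ip saddr {ZONES[src]} {daddr} {proto} dport {port} accept")
    lines.append('    log prefix "segmentation-drop " drop')
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed flows a reviewer would check before signing off on the ruleset.
SAMPLE_FLOWS = [
    ("10.40.0.57", "10.20.0.10", "tcp", 443),        # minibar port -> PMS: must drop
    ("10.10.0.5", "10.20.0.10", "tcp", 443),         # front desk -> PMS: allowed
    ("10.50.0.23", "10.40.0.57", "tcp", 80),         # guest Wi-Fi -> smart TV: must drop
    ("10.40.0.57", "239.255.255.250", "udp", 1900),  # UPnP discovery: must drop
    ("10.50.0.23", "192.0.2.10", "tcp", 443),        # guest -> web (TEST-NET address): allowed
]


def audit_flows(flows=SAMPLE_FLOWS) -> list:
    """Evaluate each flow and return [(flow, verdict, reason), ...]."""
    return [(flow, *evaluate(*flow)) for flow in flows]


if __name__ == "__main__":
    for flow, verdict, reason in audit_flows():
        print(f"{verdict:6} {flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {reason}")
    print(render_nftables())
```

The evaluator and the renderer must agree, which is why the "internet" rules carry `ip daddr != 10.0.0.0/8`: an allow rule with a source match but no destination match would let a minibar-VLAN device reach the PMS subnet on port 443, undoing the segmentation the list item asks for. Keeping the policy in one table also makes the review question concrete: every flow a guest or IoT device may open is listed, and everything else, including SSDP discovery, is logged and dropped.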

4. Appendix D: CIS V7.1 compliance Checklist
