Cyber Liability Risks for Hospitality

In their Workforce Bulletin of March 2013, US corporate lawyers Epstein Becker Green identified hospitality as one of the top 3 targets of cyber-crime, after retail and finance, and it’s still one of the top targets. There was a sharp increase in ransomware, phishing and hacking attacks in the year to March 2020, according to the Cyber Intelligence Centre run by accountants Deloitte, and they predicted a further increase due to Covid. How ironic that a real virus is helping to spread IT viruses.

The hospitality industry is targeted because it has vast amounts of data, and recent experience tends to suggest that it remains lax in implementing measures against cyber-crime. The Institute of Chartered Accountants in England & Wales (ICAEW) say there were 304 million ransomware attacks reported around the world in the last year (not all targeted at hospitality). Who knows how many went unreported? The industry ranges from one-man sandwich shops to global hotel chains, so there is no single problem and no single solution. However, a common feature appears to be high staff turnover, lending itself to low levels of training in IT security.

Ransomware attacks tend to be well-researched rather than opportunistic. They tend to be aimed at organisations that are able to pay, but don’t be lulled into complacency – hackers have to start somewhere. The criminals encrypt a company’s files so that they can’t be accessed. On payment of the ransom, a decryption key will be provided, but these are criminals and their word isn’t necessarily their bond. Quality, recent backups are essential, but they need to be accessible. This means storage in separate locations and ideally offline. It’s also worth having a trial run of the restoration process, to ensure the backups actually work, and to show how long the process takes. Typically, it takes longer than expected, and additional work will almost certainly be needed to re-build the most recent data not yet backed up.

In a perfect world, no one would pay ransoms, but sometimes the data at stake is simply worth too much, or its sale or disclosure can’t be risked. A decent cyber insurance policy will include cover for ransoms. In addition, insurers have access to expertise in tracing how access was achieved and how it can be prevented in future. They can help with the issue of statutory reporting of breaches and PR handling of the incident. The Information Commissioner’s Office (ICO) can levy fines up to 4% of an organisation’s global turnover for data breaches. Claims for data disclosure are likely to be worth at least £1,000 per affected claimant. Reputational damage can seriously affect a business, even in the short term and is likely to be hard to identify and impossible to quantify. The process of recovery from a cyber incident may take some time, depending on the existence and accessibility of reliable backups and insurance will cover business interruption.

Barely a day passes without news of a new phishing scam. Our ISPs (internet service providers) protect us from many low-level attacks by weeding them out into spam folders but enough get through and are successful. These attacks persuade recipients to click on an attachment or link in an email purporting to be from a trusted source. Attachments may install malicious software – “malware” – that gives the criminals access to the network. Links may lead to convincing-looking but fake sites that gather data from the unwary user. Medium and larger businesses may have IT support that prevents such emails from reaching corporate users, but smaller businesses are at risk.

Spear-phishing is a refinement of phishing, where a credible email is sent to a targeted user or department requesting urgent action, such as money transfer or invoice payment. The message appears to come from a senior staff member and have a convincing reason for bypassing normal channels. Subject lines commonly include the keywords “Urgent Request”, “Important Payment” or “Attention” and often arrive late on Friday afternoon, putting the recipient under time pressure before a weekend closure. A global corporation recently suffered a 6 figure loss in a spear-phishing attack. The money was not recovered.

Users are the weakest link. Not a misquote from Anne Robinson, but a fact of life. User gullibility, thoughtlessness or simple unawareness of the risk presents the biggest threat. Staff training can reduce the risk significantly, but it may be necessary to limit the use of portable devices on a company network. Staff should have access only to the parts of a network relevant to their role.

This brings us back to “the Covid effect”. With so many staff working from home (WFH), personal devices are being used much more widely, with the resultant reduction in network security. Not all staff cyber issues are inadvertent – the “insider threat” is real. Staff may be fleecing the company by paying fake invoices to themselves or associates. Financial systems should be designed to limit such opportunities.

Hospitality is a pyramid with a very broad base – customer-facing, low-level staff make up a huge proportion of the workforce, and many are casual or seasonal. It tends to be a fast-moving sector with a short transactional cycle putting staff under time pressure. The high staff turnover makes training difficult. Leavers’ access to company systems should be quickly revoked and passwords frequently changed.

Data leakage is a risk arising from interception of wi-fi in a building or from something as simple as shoulder-surfing staff access codes on mobile order-taking devices. Food and drink delivery has been the saviour for many local hospitality businesses during the pandemic, enabling them to maintain sales by a different business model. Initially, hospitality outlets signed-up with existing food delivery networks, such as Just Eat and Deliveroo. However, outlets quickly realised the effect of the charges on their profit line, and customers on the cost of their takeaway. This has led to a proliferation of individually branded online apps whose security is largely unknown and untested.

Accountants Price Waterhouse Coopers (PWC) have said “Four of the most significant risks we currently see facing the hotel sector are ‘Big data’, modern slavery, cyber security and data privacy.”

The hospitality industry needs to raise its game. The Big Three issues to guard against cyber-crime are – systems security, staff training and a good cyber insurance policy. Develop an incident response and make contingency plans for post-breach continuity. The first 4 contact numbers should be insurers, lawyers, IT support and PR company. Choose your insurer wisely and you might need only their number.

Click the link and provide your sort code, account number and PIN to leave feedback on this article.