Marriott recently confirmed that it discovered in February the breach of a property guest services system at a franchise hotel involving the personal information of as many as 5.2 million guests, after hackers obtained the login details of two employees. While Marriott claims no payment data was stolen, it indicated that the hackers may have accessed individuals’ names, home addresses, email addresses, phone numbers and linked airline loyalty information.
This is the second breach for Marriott in two years: The company revealed in 2018 that its Starwood guest reservation database was hacked, exposing the personal information of 383 million guests which included 5 million unencrypted passport numbers and 8 million credit card records. The United Kingdom fined Marriott $123 million after the breach.
Both incidents speak to the unique state of risk within the hospitality industry, especially for mega-brands like Marriott. The customer experience reigns supreme, with hotel chains gathering as much information as they can about you to create a transcendent stay – your name, home address, credit card numbers, your prior room choices (one king bed or a double?), your minibar purchase history and perhaps even the kind of cookie you prefer to pick up at the front desk when you check in. All of this information, of course, is obtained from a seemingly infinite amount of data accessed via multiple entry points through which adversaries can compromise and/or steal data.
Regardless of how many properties/chains get hacked, the accumulation of data will always remain this way because it must remain this way. Managers and employee/users have to collect, access and make actionable decisions about information at great scale to offer great service. After all, the “host with the most” wins, gaining brand loyalty over a crowded field of competitors. Thus, the hotel industry will always be in the business of “getting to know you,” and analyzing and leveraging every detail it stores in the process.
So, as security leaders and professionals in this sector, how do you accommodate these strategic objectives while safeguarding everything? Here are two best practices which should lead off any comprehensive protection plan:
— Validated Identity and Access Management. Identities and access must be more carefully managed with identity management and access management. Identities must be provisioned and de-provisioned swiftly, and access then controlled using a combination of attributes and factors to authenticate and authorize access. For example, time of day, location, along with more than one method to authenticate the individual getting access to a resource can greatly help manage exposure. Identity and access management must be codified into written policies and required security awareness training. Once these technologies and processes are in play, risk management tools can then be used to continuously validate identity and access management technical controls and policies. The purpose is to set it up properly the first time, and then continuously validate everything.
— Zero Trust. While it may sound like a somewhat disharmonious concept to a hospitality professional, zero trust has emerged as an increasingly vital pillar of a modern cybersecurity strategy. About seven of ten organizations are either currently planning zero trust access projects or already have a model or project in place for this, according to research from Cybersecurity Insiders.
It works the way it sounds: “Never trust, always verify.” All users and devices are subject to granular controls. If you as the gatekeeper authorize the access, then the users must prove to you that “they are who they say they are” and their intended actions support their designated roles. Once they do so, then least privileged policies limit them to solely the access they need to perform their tasks/roles, for only the amount of time needed to do it.
Great hospitality should not arrive at the expense of the proactive and vigilant defense of data and networks. The implementation of validated identity and access management as well as zero trust into every facet of your property or chain’s daily routines will increase your security posture. This will elevate consumer trust in your brand – making it a great business decision, as opposed to strictly a “cybersecurity thing.” At Caveonix, we can help you adopt these and other steps through our services and solutions. If this sounds like something you’d like to learn more about, then please contact us.