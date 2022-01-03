As hotels find new ways to use technology to attract guests and enhance their properties, they need to remain aware of the security challenges these technologies present.

Bob Braun, senior member of JMBM's Global Hospitality Group® and Co-Chair of the Firm's Cybersecurity & Privacy Group, explains three basic issues for 2022 that all hotel owners need to be aware of to ensure their business and guest information remains secure.

Like virtually all industries, the hotel industry continues to be challenged by cybersecurity concerns. As we approach 2022, hotel owners and operators need to address some basic issues that impact the security of their systems and their guests.

Wi-Fi. Providing wireless internet to guests has become a "must-do" for hotels - it's not too much of an overstatement to say that a potential guest won't stay at a hotel that doesn't provide free Wi-Fi. But hotel Wi-Fi systems, particularly those in public areas, have long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that "an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk." The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway's settings and databases; they can then use that knowledge to access and exfiltrate guest records, or reconfigure the gateway's networking settings to unwittingly redirect guests to malicious webpages.

Providing wireless internet to guests has become a "must-do" for hotels - it's not too much of an overstatement to say that a potential guest won't stay at a hotel that doesn't provide free Wi-Fi. But hotel Wi-Fi systems, particularly those in public areas, have long been a soft underbelly of cybersecurity. In the past 10 days, TechCrunch+ reported that "an internet gateway used by hundreds of hotels to offer and manage their guest Wi-Fi networks has vulnerabilities that could put the personal information of their guests at risk." The system uses hardcoded passwords that are easy to guess and allow an attacker to gain remote access to the gateway's settings and databases; they can then use that knowledge to access and exfiltrate guest records, or reconfigure the gateway's networking settings to unwittingly redirect guests to malicious webpages. Social Media. Hotel brands and operators increasingly use social media to promote their properties and attract guests. But social media depends on the collection and use of personal information, and that information makes hotel companies one of the prime targets of bad actors. Their goal isn't limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks. When a threat actor gains access to a network - which could be yours - they can pose an existential threat to a business through ransomware, extortion, denial of service, and other attacks.

Hotel brands and operators increasingly use social media to promote their properties and attract guests. But social media depends on the collection and use of personal information, and that information makes hotel companies one of the prime targets of bad actors. Their goal isn't limited to credit card numbers; these threat actors are looking for personal information that allows them to obtain credentials and infiltrate networks. When a threat actor gains access to a network - which could be yours - they can pose an existential threat to a business through ransomware, extortion, denial of service, and other attacks. Vendors. Hotels depend on a multitude of vendors and third parties to operate. These range from point-of-sale systems to HVAC operators to property management systems. Every vendor that has access to hotel systems - and it's surprising how many do - presents a threat. When they have access to a hotel system, it creates an opening for a bad actor. Even more, each vendor relies on a variety of vendors themselves, which means that every vendor's vendor that has access to the vendor's system may also have access to the hotel's network. And as we've discovered from the breaches caused by the highly publicized Solar Winds software and the more recently discovered log4j API vulnerabilities, even the most reliable of vendors cannot be blindly trusted.

These are not the only security risks that hotel companies face, but they demonstrate the conundrum that hotel owners and their operators face - the very things that create security challenges are also essential for operations. Hotels cannot stop offering Wi-Fi at the risk of alienating guests. Social media is a key part of marketing for hotels, giving hotels the ability to target potential guests at a relatively low cost, which is especially important during the current economic challenges. And vendors cannot be eliminated; there are too many functions that require special skills and experience that hotel companies cannot effectively bring in-house, at least at a reasonable cost.

But this does not mean that hotel companies can simply throw up their hands. If hotel companies create reasonable security efforts, they can control their risks and reduce the likelihood of a breach and the damage that brings. Resources, like the National Institute of Standards and Technology, have created frameworks to help hotel companies evaluate and address their risks.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.