Bad actors looking to take advantage of cybersecurity vulnerabilities for hotels — and many other business verticals — are growing ever more sophisticated, according to Ted Harrington, a security consultant and self-described "ethical hacker."
Speaking during the recent American Hotel & Lodging Association Safety Summit, Harrington, who is executive partner with Independent Security Evaluators, said that those who deal in ransomware in particular have grown to the point where they operate as established, somewhat complicated businesses themselves. He said the biggest difference between these hacker groups and traditional businesses is their "ability to be flexible with their ethics."
"Fundamentally, they're trying to do the same thing" as businesses, he said. "They're trying to solve problems in the most efficient way. There are whole economies built around it where elite people can do certain things and there are other people who are innovators who create things for lesser-skilled people. There's a whole business around it."
Harrington said many hoteliers don't understand exactly what ransomware is, despite its growing prevalence. As its name strongly hints, it is malware designed to extort a ransom from a business or individual.
Ransom and malicious code have both existed for a long time, and Harrington said ransomware's origin was simply "someone along the way saying 'What if I combine those two?'"
"It hit the scene a couple years ago, and it's new in that it's a new technique," he said. "But where it's not new is what we're really talking about is malware. It's just malware that does something different. Instead of stealing data or taking over a function, it now says, 'You now don't have access to this and you have to pay the ransom.'"
For that reason, the typical approaches for dealing with all malware are helpful in coping with ransomware attacks, but he said some additional steps, like creating more backups of data, are also helpful.
Here are some of Harrington's other security suggestions for hoteliers.
Use Strong Passwords, but Make it Easy
Harrington said it's important that people use "unique, long" passwords, with the unique part meaning they differ from site to site and service to service. While many sites impose password complexity requirements, he said complexity is significantly less important to overall security than length.
He said a long phrase that is easily remembered is likely a more effective password for a user than a string of various characters that is shorter in overall length.
"For the computation power required to break a password, the longer it is, the more difficult it is to break it," Harrington said.
He said the thing people most often skip with passwords is the unique portion because they want one password they can remember anywhere, and that can get even worse in communal work environments like hotels.
"I've seen in many hospitality environments the password may be written on a sticky note on the computer behind the desk because different staff is at the front desk at different times," he said.
But password manager software is a more secure and convenient way to keep log-in credentials easily accessible, he said, because it can provide unique, long and complex passwords to various sites while requiring users to remember only a single master password.
"Many people are resistant to them because they think 'Oh, it's another thing I've got to do,'" Harrington said. "It takes a little bit of behavior change to get used to it, but once you go through that little, itty, bitty bit of pain, your life will change."
He said all of this is important to hoteliers because if users are reusing passwords in different places, any of a hotel's systems could be compromised by data breaches that don't have anything to do with its own security.
"You want unique [passwords] because if it gets popped on one service, every other service that uses that same password is now compromised," he said.
Learn To Be More Skeptical
Harrington said perhaps the biggest challenge for security at hotels is having people shift from being as empathetic and caring toward others as possible to also being wary of how people might be trying to attack or breach their systems.
"You're wired to help others and say yes and make the guest experience great, ... and the security advice is to think, 'Well, how can someone take advantage of me?'" he said. "That's really hard for people to conceptualize sometimes. I don't know if people really should think like I think every day."
HTNG CEO Michael Blake, who moderated the session, said being nice is one of the biggest security vulnerabilities in the hotel industry.
"You want to be hospitable," he said. "That's kind of what we're all wired to do."
He said when working with hotel companies, he sometimes does spot security checks at front desks that would include straightforwardly asking associates to give him their usernames and passwords.
"So many people would just write it down and be like 'Here you go,'" Blake said. "Don't do that."
Harrington said the solution to these two competing impulses is, instead of blankly saying "yes" to requests, to pivot to saying "yes, and," with the "and" implying taking a step to verify you're not doing something bad before blindly handing information over to strangers.
Align Organizational Efforts
Harrington said all security measures are more effective in businesses if the various stakeholders are on the same page in terms of what they're trying to protect and what steps they need to take to accomplish that.
"Unless you're having these conversations about what are we trying to protect and why does that matter, the organization is never going to be pointed in the right direction," he said.
Leaders at all levels should coordinate more closely.
"Whether you're a general manager at a property level, you're working at the corporate level, you're in IT, whatever your role is, think about how you can galvanize your own organization and talk about what you're trying to protect and why does that matter," Harrington said. "And although those sound like really simple questions to ask, it will be really revealing once you have those conversations."