Federal Security Expert: Hotels Must Lock Down Property Management Systems

Hotel IT Must Segregate Systems To Stymie Attacks
From left: Alpesh Parek, front desk, and Dave Patel, manager, work together at the front desk at the Abigail Hotel on Monday, January 6, 2020, in San Francisco, California. (The San Francisco Chronicle/Getty Images)
CoStar News
June 28, 2021 | 12:53 P.M.

Hotels' property management systems are a "very attractive" target for "people who wish to commit fraud, just be annoying and impact [the hotel] industry in a negative way," according to a federal cybersecurity expert.

Speaking during an online session with Hospitality Financial and Technology Professionals, Bill Newhouse, cybersecurity engineer and project lead for the National Institute of Standards and Technology and National Cybersecurity Center of Excellence, said hospitality businesses may be particularly vulnerable to attacks because they're asked to hold on to sensitive data "way longer than other industries."

"I may make a reservation this week for next year's conference in San Francisco," he said. "Holding that information, not losing it and not causing a breach is something the payment card industry requires of this space you're in."

Newhouse's agencies exist as a part of the U.S. Department of Commerce and are tasked with helping various industries and businesses better prepare for and cope with cybersecurity challenges.

He said hotels with poorly secured property management systems set themselves up as targets for data breaches or denial-of-service attacks, which are only gaining notoriety as time goes on.

"More of us are aware of this than five years ago or 10 years ago," he said.

Within the hotel industry, much of Newhouse and his colleagues' focus has been on property management systems, because they're both central to hospitality businesses and potentially vulnerable, in part because they house sensitive information while interacting with so many other systems on property, like point of sale, system controls and guest services.

These efforts include a guide on how IT departments in hospitality businesses should tackle security with property management systems overall.

He said steps hoteliers should take to help better secure their systems include limiting lateral movement within systems and adding two-factor authentication for staff members.

He said attacks "seem to be happening on a daily basis, because systems are interconnected and available to be explored and poked at by the bad guys."

That is why limiting lateral movement in a hotel's systems is so vital, Newhouse said.

"If somebody gets into your network that shouldn't be there, if they can't authenticate that they are a legitimate user then the system blocks them," he said of the system architecture his organization proposes. "If they try to do something that's unexpected because they're on a segment of the network that's not supposed to talk to another segment of the network by normal operations, then the system will flag it to keep that from happening."

He said securing these systems has grown to be more of a business imperative in recent years, with data security now more closely tied to instilling "consumer confidence and brand loyalty."

"Would this have been something that was part of your consumer outreach 10 years ago? Probably not," he said. "But more and more savvy customers are probably going to ask questions."

He noted this will be particularly important around guests' requests for data privacy. While most of the U.S., outside of California, doesn't have consumer data provisions similar to those in the European Union's General Data Protection Regulation, Newhouse said NIST has put together a "privacy framework" for businesses that are looking to put a bigger focus on data privacy.

"NIST came out with this to say, 'If you get asked to do more privacy protection or you already feel the need to do it, here is a framework to help you mitigate privacy risk for individuals' privacy,'" he said.