The summer holiday season brings extra risk for restaurants and hotel chains
US retailers have been having a tough time of late.
Shifting consumer tastes and the rise of online shopping have forced a number of stores to cease trading. Already, 50,000 retail jobs have been lost in 2017 alone.
While brick-and-mortar clothing, grocery and electronics stores may not be hiring for the summer like they used to, there’s still plenty of seasonal work to be found. Hotels and restaurants have no shortage of summer jobs to offer.
In common with conventional retailers, Point-of-Sale (PoS) systems in restaurants and hotels are already popular targets for cybercrime. On top of this, the busy summer season brings an influx of newbies to join the workforce, adding an extra risk dimension for employers to deal with.
From remote PoS connectivity to summer season workers using their mobile phones to look up or share company information, hospitality chains need a comprehensive Virtual Private Network (VPN) strategy so they can be assured sensitive data will always remain private and secure.
Hospitality Sector Under Fire
Hotels and restaurant chains are particularly vulnerable to data security breaches.
In April 2017, Chipotle Mexican Grill suffered a payment card systems breach following a PoS malware attack.
They are far from alone in attracting unwelcome headlines.
At about the same time as Chipotle, the InterContinental Hotel Group, which owns the Holiday Inn and the Crowne Plaza, revealed that malware had been found on their front desk systems and that guests at more than a thousand of their hotels had their credit card details stolen.
Other hotel brands to have suffered card breaches over the last year include Kimpton Hotels, Trump Hotels, Hilton, Mandarin Oriental and White Lodging. Card breaches have also hit hospitality chains Starwood Hotels and Hyatt.
Hackers target restaurants and hotels because their reputation for keeping poorly protected systems is well known.
The vast majority of breaches at restaurant and hospitality chains are linked to attackers managing to remotely hack PoS devices and infecting them with card-stealing malware.
PoS systems simply process transactions. If a PoS system is successfully infected with malware, payment data can be extracted stealthily regardless of the presence of traditional firewalls. The slow exfiltration of data is indistinguishable from normal traffic, meaning weeks or sometimes months can go by without anyone noticing.
In other cases, the hospitality company is hit with ransomware which encrypts critical system files, effectively blocking them from use until a ransom is paid in exchange for the keys.
Breaches like Chipotle’s are a reminder that multi-location restaurant security needs a new approach – one that goes beyond simply maintaining PCI compliance and implementing a managed firewall.
There is another risk that is especially challenging to control. It’s the risk that comes from inside.
Usually, there is nothing to stop employees, seasonal or full-time, from remotely accessing confidential company information.
Newbie workers joining for the summer season may think nothing of sharing this information with friends and associates outside the organization.
Mobile access to company information can be a great productivity tool but not at the expense of new security gaps.
To reduce the possibility of lost data, IT departments must get the balance right between greater efficiency and retaining control over mobile data security.
Securing Remote Connectivity
Hospitality businesses seeking a more effective approach to security need to take a number of measures.
Regular patch updates for systems and better protection against malware threats are a start. On the staffing side, there needs to be formal training on routine security checks, as well as how to identify and respond to threats.
Above all, more attention should be paid to securing remote connectivity.
Remote hacking of PoS systems is a fundamental cause of hospitality data breaches, while allowing employees remote access to company information via mobile devices also puts sensitive company data at risk.
The latter could be stopped if mobile devices were encrypted at all times.
In a recent study by Egress Software, 77% of CIOs said they were frustrated that current simple encryption solutions are not being used effectively.
Comprehensive VPN Strategy
The hospitality sector clearly has more work to do in respect of remote connectivity protection.
The twin challenges of external remote attacks on PoS systems and insider mobile connectivity misuse require hotel groups and restaurant chains to move to a more comprehensive VPN strategy.
Centrally managed VPNs would restrict public Internet remote access to corporate systems to authorized users.
At the same time, client-side VPNs could ensure employees’ mobile data remains private and secure regardless of whether they connect from within the office, from home or via a public Wi-Fi hot spot.
In summary, the combination of repeated remote attacks against PoS systems and reliance on seasonal workers adds up to double jeopardy for the hospitality sector during the summer months.
A comprehensive VPN strategy manages secure remote connectivity between networks and remote PoS systems to protect customer card information.
It also guards against data breaches resulting from human error when inexperienced workers attempt to connect to and share company data from their mobile devices.