6 Ways Airlines and Hotels Can Keep Their Networks Secure
As recent news can attest, travel and hospitality companies are prime targets for cybercriminals. Here are six tips that can help them lock down privacy and security.
The bad news doesn't stop for travel and hospitality companies.
A long list of breaches has been widely reported in the past year. On the hotel front, there's Marriott/Starwood, Radisson, and the most recent Choice Hotels breach. High-profile hacks on airlines include British Airways, Air Canada, and Cathay Pacific.
David Dufour, vice president of engineering at Webroot, says airlines and hotels are prime targets because they're not typical businesses at which employees are locked into a single corporate location.
"The employees at airlines and hotels handle a lot of private information, and there's a lot of turnover in those industries," Dufour says. "People don't spend long careers at the front desk of a hotel."
Airlines and hotels also have branch offices in hundreds of cities around the world, so the sheer volume of their operations creates a high degree of exposure, Dufour adds.
"As a frequent traveler, when I go into an airport lounge, I want them to have all my information on hand, but from a security perspective these situations are ripe with opportunity," Dufour says. "As a customer, I expect the service, but the reality is that potentially every open area is a vulnerability."
The struggle to achieve that balance between customer convenience and security continues for travel and hospitality companies. Here are six tips they can follow to help lock down privacy and security.
According to Webroot's Dufour, travel and hospitality companies need to ask their third-party vendors how they intend to protect their sensitive data. And if the vendors don't have a plan for how they will do that, they need to demonstrate that they can come up with one.
Instead of just focusing on the third party, companies need to identify the data flowing between the collaborating organizations, adds Sumit Sehgal, chief technical strategist at McAfee. Combined with the certifying agencies' risk analysis of the third party, that view of the data flows lets the main company draw a more accurate picture.
Companies need to take responsibility for their data, says Bob Diachenko, the security researcher who discovered the recent hack on Choice Hotels and heads up cyberthreat intelligence at Security Discovery. "Even if a company uses a third party, it's responsible," he says. Companies should use analytics to verify what's happening on their networks so they can make critical decisions, Diachenko adds.
Companies also need to be clear on what data they're sharing, whether with third parties, customers, or social media, Webroot's Dufour adds. They need to be clear on how long they're sharing data, where it will be stored, and how long it will be kept. In addition, companies should share only the most necessary data. For example, it may not be necessary to share a person's name when a ZIP code will do the trick.
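A sketch of that sharing rule in code, added here as an illustration and not taken from Webroot or any company named in the article: each recipient gets only its approved fields, stamped with where the data will be stored and when it must be deleted. The recipient names, field names, regions, and retention periods are all assumptions, and the guest record is constructed sample data.

```python
from datetime import date, timedelta

# Hypothetical sharing agreements: which fields each recipient may receive,
# where the data will be stored, and how long it may be kept.
SHARING_POLICY = {
    "marketing-analytics": {
        "fields": {"zip_code", "stay_nights"},
        "storage_region": "eu-west",
        "retention_days": 90,
    },
    "payment-processor": {
        "fields": {"booking_id", "card_token", "amount"},
        "storage_region": "us-east",
        "retention_days": 30,
    },
}

# Constructed guest record (sample data, not from any real system).
GUEST = {
    "name": "Jane Example",
    "email": "jane@example.com",
    "zip_code": "30301",
    "stay_nights": 3,
    "booking_id": "BK-0001",
    "card_token": "tok_constructed",
    "amount": "412.50",
}


def minimize_for(recipient, record, today):
    """Return only the approved fields for a recipient, plus storage terms."""
    policy = SHARING_POLICY.get(recipient)
    if policy is None:
        # Fail closed: no documented agreement means nothing is shared.
        raise PermissionError(f"no sharing agreement for {recipient!r}")
    allowed = policy["fields"]
    delete_after = today + timedelta(days=policy["retention_days"])
    return {
        "recipient": recipient,
        "data": {k: v for k, v in record.items() if k in allowed},
        "storage_region": policy["storage_region"],
        "delete_after": delete_after.isoformat(),
        # Field names only, so the audit log itself holds no personal data.
        "withheld_fields": sorted(set(record) - allowed),
    }


if __name__ == "__main__":
    print(minimize_for("marketing-analytics", GUEST, date(2024, 1, 1)))
```

The analytics recipient receives the ZIP code and length of stay but never the guest's name or e-mail, and a recipient with no documented agreement receives nothing.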
Security pros at airlines and hotels need to fully understand how their databases work, Security Discovery's Diachenko says. This includes using the latest versions, enabling all security options, and ensuring no misconfigurations have happened.
Only authorized administrative personnel should have access to the company's databases, Webroot's Dufour points out. In addition, all software on PCs and mobile phones must be patched to reduce exposure to exploits. "An exploit is merely a way to get into a piece of software," he explains. "Because of an exploit, a hacker can do malicious damage."
While patching is basic blocking-and-tackling in security, it's too often overlooked, Dufour adds.
The Choice Hotels breach was discovered when Security Discovery's Diachenko was combing through the search engine BinaryEdge, which he likes to call the "new Google." BinaryEdge scans the Internet and collects data that can be transformed into threat intelligence feeds or security reports. There are also other sites, such as Shodan, which indexes all the IP addresses for IoT devices across the Internet; Censys, which scans the Internet so the scientific community can more accurately study it; and IVRE, an open source framework for network reconnaissance.
Webroot's Dufour agrees that these sites are valuable, pointing out that these tools identify whether a company is communicating with malicious IP addresses.
Webroot's Dufour advises airlines and hotels to deploy a gap between public Wi-Fi and the corporate network. Public Wi-Fi is much too vulnerable, so it makes sense to have employees access the Internet via a separate Internet connection.
Airlines and hotels also need to communicate some basic security advice to consumers. For example, they can dissuade consumers from doing any financial transactions on public Wi-Fi, which is better suited for looking up a movie time or the location of a restaurant. For business purposes, consumers should be advised to use the mobile hotspot on their smartphones.
According to McAfee's Sehgal, almost every company now has a training program that's compliance-driven. Effective training programs use that basic foundation and build on it using just-in-time training based on user actions in the environment.
High turnover at airlines and hotels means these companies really have to spend a lot of their time training people on how to handle sensitive information, Webroot's Dufour adds. He calls it Job No. 1.
It's also important for companies to set clear processes and make sure the staff follows through, says Dufour, citing a personal example of recently losing a receipt and asking his assistant to contact the hotel so they could send over a copy. But the hotel refused, saying they had to talk to Dufour directly. It was clear the hotel had a policy in place not to share credit card or other personal information unless they were sure they were talking to the person who made the charge, he says.
"While such policies are inconvenient, it's good for me from the perspective of being a consumer that the hotel has those policies, processes, and procedures in place," Dufour says.