Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: The Holiday Season is Putting Hotels at Risk
Quick Take
The CU Guys dive into the heightened risks hotels face during the holiday season. They discuss the importance of maintaining cybersecurity vigilance amidst increased traffic and seasonal hiring.
The conversation covers best practices for background checks, training, and physical security, emphasizing the need for diligence to prevent data breaches.
Tune in to learn how to protect your organization during the busiest time of the year.
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the Christmas inflatable to your compliance front yard, Mr. Adam Goslin. How the heck are you, sir?
I’m doing good, Todd. How about you?
I can’t complain, man. I can’t complain.
Now, you know, one thing I wanted to talk about is our listeners, and we’d love to hear from them. And what I mean by that is, if you’re listening to this, we’d love to know your feedback and input on topics that you’d like to hear about, or folks that you think we’d enjoy having on the show, and we’d love it if you would send those inquiries to complianceunfiltered@totalcompliancetracking.com.
Yeah, I mean, honestly, even if they’ve got, hey, I heard this really, really funky story or whatever, you know, anything that folks want to hear about, it’d be great to hear what their interests are, and we’ll be happy to oblige.
No doubt. Now, speaking of the holiday season, Adam, we’re going to jump right in because the holiday season is putting hotels at risk.
Tell us more, Adam. Why does this time of year heighten the risk for hotels?
I mean, we’re right in the, you know, in the thick of the holiday season, you know, between Thanksgiving and Christmas and New Year and all that fun stuff. So, you know, we’ve got, it’s an interesting time when, you know, there’s a lot of hotels that are, you know, that have a lot more traffic than they would normally. And, you know, staff are, you know, running all over the place trying to make sure they’re taking care of guest needs, you know, etc.
But, you know, keep in mind that that means it’s also peak season for, you know, cyber attackers and bad actors to be able to take advantage of it. I mean, they know that now is the best time to gain access to the sensitive data, because everybody’s, you know, running around, distracted and all that fun stuff. So, you know, it’s not if you’re going to suffer an attack. It’s really more about when and how. So, as an operator of one of these types of establishments, you definitely don’t want to fall victim to it and find out in the wrong way that you were subject to some type of an attack. It’s better to be safe than sorry.
That’s a good shout. Now, as you’re dealing with kind of an influx of new folks in an organization, right? So, like seasonal hiring, how does seasonal hiring impact background checks?
Well, I mean, the biggest thing is, for the organizations, don’t cut corners. If you’ve got to bring in some additional staff for seasonal hiring, et cetera, there’s certainly the possibility, although, you know, we’ll call it, it’d be pretty ballsy to go give this one a whirl, but you’re not going to have any idea if you don’t run your background checks. So it could be bad actors that are coming through with the seasonal hiring push, or it may very well be someone that just has a past that doesn’t line up with the rules, regulations, guidelines for your organization, but you’re not going to have any idea if you’re not running the background checks.
Even though you have to fill staffing needs quickly, et cetera, you don’t want to do it at the cost of possibly running into an issue. Make sure that you’re maintaining your due diligence, performing thorough background checks on everybody that is going to run into the hiring line. For some folks, they can perceive it as slowing down the hiring process, but in a lot of cases you can run these background checks online within hours, et cetera. So don’t follow some misconception that, oh, it’s just going to slow everything down, and go ahead and put the organization at risk. That’s just not worth it.
Yeah. I can definitely see that. Now, what about training? And for that matter, like retraining, how does that play into things?
Well, you know, if your organization is bringing in seasonal employees to help with the holiday rush, then you want to make sure that they’re well trained and ready to roll, especially when it comes to cybersecurity awareness, best practices, watching out for suspicious things, et cetera. But if they’re only going to be around for a couple of weeks and you’re trying to run through that process quickly, it could be tempting to kind of skim through the security-related training type of a thing. Again, you’re back to that whole, we don’t want to be slowing everything down. You know, that would be a big mistake.
The bad actors are, they’re counting on staff being overwhelmed and lax with best practices and under-trained or non-trained seasonal employees is a perfect ticket for being able to take greater advantage of, you know, of things, if you will. You know, the other side of it is that, you know, as you have this influx of people, your more experienced employees are spending less of their time on the vigilance and more of their time on shepherding, managing, and, you know, and otherwise steering the, you know, kind of seasonal talent that’s been brought in. So, you know, the bottom line is that it’s a good time of year to make sure you’re staying vigilant about your training, whether it’s brand new people or people that have been there for, you know, been there for their 20th year type of a thing.
So, you know, one of the things as a suggestion: if your security training is some regurgitation of what you did last year and the year before and the year before, people will tend to kind of tune it out. So while it’s true that the same old holiday scams are going to come into play in 2025 again, the reality is, try to keep the training interesting, try to keep it fresh, try to engage with the staff and make it something that’s not just something they have to go through to check the box, but instead is something that they actually take to heart.
Yeah, well, I mean, how should the focus on physical security be improved at this time as well? Because there’s bad actors, man, and they’re doing bad things.
Yeah. Well, I mean, you can’t have too much in terms of, you know, training and whatnot around physical security. You know, you’ve got more guests, you know, more guests involved. You’ve got a property that has more people. It’s, you know, there’s a buzz in the lobby and, you know, and whatnot. It’s a lot easier time to kind of let your guard down surrounding physical security and the requirements associated with it. So, you know, the holiday season’s an important time to get, you know, really diligent about following proper procedures.
So, you know, monitoring physical security throughout the day, make sure that your staff is staying accountable. So some different examples of physical security best practices that the hotel staff can be following would be things like checking the surveillance system, making sure all the cameras are working properly, that they’re positioned correctly, that they’re actually recording.
Another good one to throw into the mix: making sure that you’ve got doors locked at the right time. So, oftentimes for different facilities, that’s different for every property. These doors we’re going to leave open for these hours, but once we hit these hours, then these various doors are going to lock. Make sure that’s actually working. Make sure that you don’t have any doors that ought to be locked that got propped open. Sometimes the guests are the ones that will go in and prop a door open and then just leave it that way. So doing things like periodic checks, periodic walkthroughs and whatnot, making sure that the lobby security and safety procedures are followed properly at all times.
Making sure that you’re staying diligent with your POS and POI device inspections that you need for the PCI DSS. Making sure that your point of sale systems and computer terminals stay inaccessible to guests. Making sure that they can’t reach things like USB ports on the equipment. Shutting off USB ports that they don’t need to use. And specifically, make sure that we’re training staff not to hold open locked doors for other people out of politeness. Even fellow employees, if we’re supposed to badge through the doors, then let that process happen naturally. So, you know, it’s human nature to try to be helpful.
But, you know, I’ve had some experiences in the past where quite literally the staff at an organization were the one holding the door open for, you know, for the bad guys that are busily walking out with pieces of equipment, you know, type of a deal. So, you know, it’s important. And, you know, the physical security extends over to guest policies as well, you know. Make sure that you’re validating guest identities properly before distributing, you know, distributing room keys and things along those lines.
So, you know, the busier the lobby, the more likely you’re going to get some brazen individual that can attempt to gain guest information, doing all sorts of things, taking over credit...
Just hiding in plain sight, man.
Yeah, exactly, and taking over credit card accounts, gaining inappropriate access to the room, loyalty account violations, things along those lines. So there’s a lot of elements that you want to kind of maintain that vigilance over as you’re going through your physical security reconditioning, if you will.
Now, the bad guys must be looking to take advantage of overwhelmed staff. So how should these organizations ramp up ransomware vigilance?
Well, during the holiday season, it’s a prime time for increased ransomware and malware attacks. Even what otherwise would be caught in a slower time as a malicious phishing attempt could be successful when employees are overwhelmed or rushed or have more work, more demands for their attention, et cetera. So from the personnel perspective, maintaining their vigilance, but from the systematic perspective, make sure that you’ve got good monitoring on your devices, your email accounts, text messages that are coming through various channels, et cetera, with everybody maintaining that vigilance for emails, phones, text messages, et cetera, that they’re not recognizing. If you’re receiving some unexpected message, even if it looks like somebody that you would know, treat it with suspicion.
I mean, honestly, even if you’re receiving a message, it looks like it’s coming from a valid person, but it just feels strange or weird, whatever, sanity check it. You know what I mean? That’s a big part of how these guys will get away with these attacks. Social engineering style attacks are going to be on the rise, so making sure you’re training your employees on how to recognize those with attempts to … I talked about it a minute ago, but gaining guest information, credit card data. You know, et cetera, but it can come in from a number of different channels. It could be face-to-face, it could be email, could be text, could be phone calls, voicemails. I mean, there’s a whole bunch of different channels over which this stuff could be coming in, and really for the folks in the hospitality arena, just keeping in mind that there is deepfake technology that’s getting extremely advanced, you know, attackers using AI to replicate people’s voices, and combining that with the fact that you can mask your phone number and I can make it look like I’m calling as you type of a deal. Bad actors can do all sorts of things to kind of play off that they are purporting to be somebody else.
They certainly can. How does internal network protection play into things?
Well, you know, if you’re in the hospitality industry, you’ve got firewalls, you’ve got antivirus, internal networks, which are more important than ever during the holiday season to protect. For a lot of organizations, especially in the hospitality arena, a little late now, but put a game plan in place to go in and do your deep dive security testing in advance of that busy season. I think it depends on where you’re at in the country, et cetera. Some places are more heavily hit in winter, some places are more heavily hit in summer, some are more heavily hit for the holidays. But whatever that busiest season is, doing your security testing in advance of the busy season will make sure that the internal systems are actually ready for attacks they could be getting, you know, and whatnot.
It gives them near-term visibility for potential issues with time to be able to remediate things that need to get addressed. A lot of these organizations will go into kind of a lockdown period during those busy times, where they actually block systematic changes from being made, because under no circumstances do we want to screw up the systems which are our bread and butter during that super busy time. So just make sure that you’ve got all your remediation cleared out in advance of any systematic lockdowns, things along those lines, and you’ve closed all the holes that you potentially have. You don’t want to leave things open as a potential loophole that could be leveraged during some type of a system lockdown where we’re not able to go in and make changes. Kind of the last piece that I’ll hit here is that a lot of organizations will put this hyper-vigilance on highs and criticals. Don’t forget, man, you’ve got mediums, you’ve got lows, you’ve got informational findings. Depending on what they are, they could conjoin one, two, three, four different vulnerabilities to create a larger problem. That’s a big deal.
You want to make sure that you’re maintaining that vigilance, and really, my recommendation: lock down everything that you possibly can in advance of the lockdown.
Well, yeah, I mean, that makes sense. Speaking of which, what part do inventory and monitoring play in?
Well, for these organizations, they’ve got a lot of different technology if you think about it, right? I mean, you know, when you first look at it, you’re like, oh, okay, well, it’s the hotel. So yeah, they’ve got a front, you know, they have a guest reservation system and they’ve got a POS system. Well, it’s bigger than that, right? You’ve got, shit, smart thermostats, smart locks on the doors. You’ve got, you know, IP cameras. We’ve got automated door lock systems for the, you know, for the actual physical facility. You’ve got voice assisted help lines and all of these different technologies that they fold in, fold into the property, every single one of them forms a new opportunity for bad actors to, you know, attempt to infiltrate the systems and exfiltrate sensitive data.
So, you know, staying on top of new threats and vulnerabilities that could put your hotel at risk is seriously important. It’s not just the server room. It’s not just the firewall. It’s not just the POS system, but smart TVs would be another good example. And the challenge for a lot of organizations in the hospitality industry is, they go in, they acquire a new property. You’re inheriting that property’s current existing systems. It’s going to take a minute to be able to standardize those to kind of the corporate standard. So they end up with this mishmash of different technologies at different properties with different rollout plans, et cetera, et cetera. And the more diversity that the hospitality organization has there, it increases multiple fold the opportunities for failure. So you have to have a complete, accurate device inventory that you can work off of, so that as you’re going through and testing your system, you’re making sure that you’re hitting up each of these individual devices, both at the property and at the corporate level, making sure you’re folding in all your door systems and smart devices, network printers, smart mirrors. Basically, the best way to look at it is, if it’s drawing an IP address on your network, then it could be something that’s being used to gain access to the internal network. And thereby we need to make sure that we’re getting it integrated into the overall inventory, so we can use it to guide things like seeking out patches for different elements of equipment, applying those patches to the right technology, et cetera. So, yeah, it’s a real big deal to keep that inventory up to date.
It certainly is. Now, those are the things that you can do internally. How does regular vendor vetting play into their protection?
Well, I mean, for any organization, vendors can be opening up security risks, and certainly that holds true in a hotel-style organization. So, for them, making sure that all of their third-party vendors are doing their due diligence when it comes to security practices.
I mean, it goes for the providers for HVAC services, hosting of your system, staffing agencies, janitorial, equipment repair, you name it. If you want to ask about the risks of the good old-fashioned HVAC vendor, then just go talk to Target about their extravaganza, however many freaking years ago that was, right? The reality is that what should be happening is that we should be going through and auditing the vendors based on the timing of their compliance paperwork. So what I typically will guide organizations toward is, number one, making sure you have a solid list of who the vendors are; two, as you’re going through and doing the annual vetting and validation, et cetera, noting what their kind of annual date for their compliance paperwork is. So one vendor’s date is going to be in April, one vendor’s date is going to be August, another vendor’s date is going to be December, that type of thing. So have a regular recurring process that pops up where, in near time, I’m requesting the updated compliance information from my vendors in a timely fashion. The biggest problem is, let’s say you only do it once a year and my once-a-year check is in July. Well, if I have an organization whose paperwork renews in August, but I only check it once a year, theoretically that vendor could have gone out of compliance, had all sorts of security issues, et cetera, and been sitting that way for 11 months before I’m finding out, because I’m only checking once a year. So shift from once-a-year validation across all vendors to a once-a-year check per vendor that’s timed based on when they should have their updated security information.
It’s a big deal and will go a long way to being able to really keep the vigilance level at the appropriate level that it should be for these vendors.
Timing is everything. Parting shots and thoughts for the folks this week, Adam.
Well, I mean, there’s nobody in the hospitality industry that wants to find out that their successful holiday season was also when they had some type of a massive sensitive data breach. Your revenue, your goodwill that you gained during that holiday rush is going to evaporate in a heartbeat if you discover that you had a problem.
So, making sure that you’re following a lot of these best practices that we’ve gone over, taking your security and your compliance stance seriously, making sure that you’re doing that prep in advance of your busy season, mitigating the attack vectors that are even accessible for bad actors to take advantage of. You definitely want to navigate the holidays having a joyous and successful holiday season without any negative repercussions coming your way, that’s for sure.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow, and I’m Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.