Security Validation, LLC Update for Summer 2020

As the clouds formed by this unprecedented global event begin to lift and the sun starts to shine on hospitality, it's a good time to reflect and evaluate our properties' operational strengths and weaknesses. To assist in this exercise, we've compiled a list of the top three challenges the pandemic brought to light which directly impacted hotels' ability to pivot and remain functional and secure.

The most important lesson we all learned is that disaster recovery isn't the same thing as business continuity. While many of us call this global event a disaster, from an operational perspective it was a test of business continuity and resiliency.

The shift from working on-premise to a work from home environment presented operational challenges and added additional security risks. Few operators were prepared to pivot to a remote workforce and maintain an acceptable level of security oversight. The risk to the security of trusted systems has spiked due to the lack of planning and hurried response to keep employees productive. Solutions were available and security oversight was possible but panic and confusion took center stage. Decisions were made that weren't in the best interest of a secure working environment.

The second most valuable lesson learned is that relying on traditional security training and awareness programs is ineffective and a waste of time and money. Though widely touted as an effective method to protect your network, real-world data shows that in uncertain times everything associates learned in these computer-based programs goes out the window. This is evidenced by the number of “fake” domains that have been registered in the past 90 days, the number of successful phishing attacks (the actual damage to properties will be seen in the coming months), and the number of successful ransomware attacks. Sitting associates in front of long-winded training modules once a year isn't an effective awareness tool. Security education is necessary, but the message must be continually reinforced and augmented with real-world examples, as the security landscape is always evolving.

Lastly, what we learned through this difficult exercise is that while business has slowed malicious activity hasn't, and in fact, it has increased. The loss of property-level staff and a thinning of third-party IT support has left properties more vulnerable than ever.

The call to action is straightforward, relatively simple and economical. It begins and ends with a well thought out, and documented business continuity and resiliency plan. This plan must account for the most benign or catastrophic events and facilitate ongoing property operations while keeping hotel, employee and guest information safe and secure.

‍