Hidden Cyber Risks: Mitigating Malware in Your Hotel Curtains

With business travel continuing to increase as companies look to foster global relationships and facilitate growth, travel security has been pushed to the top of agendas.

The rising popularity of business travel brings a corresponding increase in the threat posed to business travelers. Most commonly this comes from hackers looking to gain access to corporate networks, with travelers also being targeted for their professional and personal data.

Not all countries have robust security and police services in place, so hackers are increasingly looking to target people while they are travelling, much like they would target a weak link in a supply chain. However, as long as companies continue to raise awareness of the potential cybersecurity risks amongst employees, business travelers will be able to mitigate the risks with appropriate security measures.

Targeting the hospitality industry 
While traditionally attackers have focused on financial institutions where the money is, hotels and hospitality institutions are now being targeted for the valuable data that passes through them. With the hotel industry utilizing more technology than ever, hackers have multiple access points to obtain valuable information, such as through niche smart devices like remote-controlled curtains.

Hotels can further unknowingly provide access points for attackers through the hotel website, internal Wi-Fi or outdated point-of-sale systems. 

Before you travel 
Companies must do more to educate employees on how to protect themselves from cyber threats whilst on business trips. The more savvy and secure an employee is when it comes to travel, the less risk the company may face from external threats.

Different countries carry different levels of risk, and companies should make it a top priority to set an appropriate risk appetite for each region. In some instances, travel to high-risk countries wouldn’t warrant taking corporate phones or devices, and employees should instead be offered clean devices for travel.

Most business employees have hard disk encryption on their devices, which can provide a key security layer; however, in certain countries, border control may well ask travelers to provide the key to decrypt a device and take an image of it. Data is now worth more than gold, and not every country or company plays by the rules.

While in transit 
It’s important to remember that you do not know who is sitting next to you when you’re travelling using public transport; be that on a plane, train or in a business lounge. Many people still don’t use privacy screens and unfortunately, many companies still do not provide them to employees despite them costing as little as £10.

All too often, someone sitting next to a person reviewing items on their device can easily see commercial and confidential information such as budgets, bid proposals, and legal documents. This information can easily be photographed and the data sold for a high price. 

In hire cars, hackers could easily discover where the last person who used the vehicle has travelled, or even their entire contact list. People are happy to connect their phone to the vehicle and allow data sharing, but this provides hackers with the device’s location data. This data holds incredible value and can be used to find out information such as suppliers and partners visited.

In the case of employees working in mergers and acquisitions, hackers can see who the company may be buying and use this information to help competitors get an advantage.

During your visit 
Attackers commonly use hotels to target executives and business travelers by way of the shared Wi-Fi networks present all around the hotel. They can also easily pull up the history on business lounge devices to obtain valuable information on a person: anything from what people are interested in to the common passwords they use for personal emails.

All of this data can then be used as part of a larger phishing campaign to attack individuals and gain access on both a personal and professional level. The hackers may choose to target the individual’s banking and credit information, or to access the corporate network and steal valuable business information from their company. Using a virtual private network (VPN) should be common practice for all business travelers when connecting to the internet. 

In addition to using the Wi-Fi networks, attackers can use malware to log credit card swipes or access hotel rooms by hacking the electronic door systems. Whilst travelers should be responsible for ensuring they are using appropriate security measures as an individual, they must also ensure they trust the cybersecurity of the accommodation where they are staying.

Industry-wide security 
Some hotels may be struggling to keep up to date with their cybersecurity strategies, but they are still building huge databases of personal information. With hotels holding this valuable information and years’ worth of card transactions and personal data, it’s more important than ever that regular penetration testing is implemented across industries besides financial services and the public sector.

This must happen in tandem with awareness and education of business travelers and how to mitigate potential cybersecurity risks whilst on a trip. 
