Transcript
[00:00:00] Fleur van Leusden: Hotels, they have a lot of gold to be mined, so to speak. So hotels have a lot of interesting data for criminals to take advantage of. They have payment data, they have personal information, email addresses, physical addresses, and they have lots of it. And that makes them a really interesting target for criminals to try and attack.
[00:00:33] Matt Welle: Hi, everyone. Welcome back to another Matt Talks Hospitality, and this week's episode is a different one. It's all about security. Hotels have always been in the business of trust. Guests hand over their passports the moment they arrive at a hotel. They give that credit card away, and they assume that that personal data is safe. However, cybercriminals have identified hospitality as one of those industries that they want to target. So today, I wanna talk about some of the most common threats to data security in hotels. What are they? And what can you do to protect against it? I've brought two of the best people for this conversation. Fleur van Leusden works as a CISO, like a chief information security officer, in the public sector with a background that includes some of the earliest Internet investigations that took place at the Dutch National Police. She also hosts her own podcast, CISO Praat, which translates as CISO talks, where she shares her industry expertise. And then joining Fleur is Terry Brown. Terry works at Mews. He's a senior director of engineering at Mews, who builds and maintains the systems that thousands of hotels rely on daily to protect themselves from the threats on the outside. We're gonna talk about hospitality today. Why is this industry so hot for these criminals out on the Internet? Who wants to kick-start with that one?
[00:01:49] Fleur van Leusden: I think one of the reasons is that hotels have a lot of gold to be mined, so to speak. So, hotels have a lot of interesting data for criminals to take advantage of. They have payment data, they have personal information, email addresses, physical addresses, and they have lots of it. And that makes them a really interesting target for criminals to try and attack.
[00:02:15] Matt Welle: Yeah. I don't think anyone would disagree with that. Probably, Terry, anything to add?
[00:02:20] Terry Brown: Yeah. I think also, the hospitality industry has typically been relatively slow on the adoption of technology in general. And I think up until even relatively recently, a lot of hotels didn't prioritize IT security as part of the day-to-day operations. I think hospitality has been quite lucky that it's flown under the radar for quite some time. There have been much, much bigger targets, fintech, pharma, you know, banking in general, things like that. I think what attackers are starting to realize is that there is a market here that potentially has been underinvested for a while, and that is making it kind of ripe pickings for the sort of low-hanging fruit as well. So, I think we are running in hospitality to catch up a little with some of the other industries. But yeah, we're running fast.
[00:03:18] Matt Welle: Because Fleur, you're the outside in view from the wider perspective. What industries are seeing the biggest threats right now?
[00:03:26] Fleur van Leusden: I think it's not specifically industry-related. It's like Terry said. They're looking for the low-hanging fruit. So, whatever they can find that is vulnerable, they will attack. And, generally, it's not necessarily in a specific industry, but it's a specific vulnerability in software, or it's a database that has been leaked, which can be abused to do phishing attacks and then gain a foothold into a network and progress through there. Like Terry said, if you, as an industry, underinvest or have had other priorities than security, you will automatically be more vulnerable to attack. Not because of the work you do specifically, per se, but it's a combination of the two. There's gold to be mined, and there's a very high chance of success.
[00:04:21] Matt Welle: Because I remember the press releases. I think Marriott had a massive leak. Hyatt had a massive leak. But they felt different. Like, this was, like, you know, 10, 15 years ago, where they just stole a giant, humongous database of unencrypted credit card data. That doesn't seem to be the thing that's happening today. What has actually shifted in, like, the last decades, to what's the latest and greatest techniques that these criminals are using to get access to the same data that they're trying to get access to, but what has shifted?
[00:04:53] Terry Brown: The attackers are certainly realizing, obviously, the significant value in hospitality. I mean, traditionally, we are dealing with people with disposable income and things like that, you know, the guests. And ultimately, that makes that data incredibly lucrative from an attack perspective. You couple that with the commoditization of attack, you know, it used to be incredibly difficult to perform an attack at scale. So, you could do a small-scale attack, but nothing significant. You know, there are now, um, phish kits, like dedicated software out there that can mimic a lot of providers across all industries, really, and provide a really simple pathway for that low-hanging fruit that we've just talked about, where attackers are routinely now, it's not organized groups, it's kids, running bits of software with, you know, dedicated purpose to attack certain products.
[00:05:52] Matt Welle: And, Fleur, is that the same you're seeing in other industries, or is this very specific to hospitality?
[00:05:56] Fleur van Leusden: No, I think, like I said, it's criminals. They are opportunists. So, generally, they are looking for systems that are easy to get into, that are easy to stay undetected in for a long period of time and have a high chance of success. And, yes, sometimes they are kids, but there are also organized groups like the bigger ransomware groups that are, like, professional criminals. And, also, there are, of course, state-sponsored attackers. But I think for state-sponsored attackers, hospitality is less interesting. I'm not saying it's not interesting at all because you have high-end customers, of course, and their data is very valuable. Yeah. It's a range of an attack landscape that's out there. What I also think has changed is that we look at these incidents differently. So, 10 years ago, if you were a company that got hacked, we would say, oh, that's so sad for this and that company that got hacked. So, we're feeling for them that they were victimized by these vicious criminals. Whereas today, if you get hacked, we are more like, well, did you have all your security in place? We are more critical of the victim, so to speak, than we were 10 years ago. I think that also plays a part.
[00:07:27] Matt Welle: Why do you think that is?
[00:07:28] Fleur van Leusden: I think that 10 years ago, it was maybe less common. And now, because we kind of assume everyone knows this threat is out there. It's like hanging the Mona Lisa in your house and then just having your front door locked by a normal lock, and that's it. Like, if you have valuable data, we expect you to protect it accordingly. And time and time again, we find these companies, they do not protect our data as we think they should have or could have. We hold that against them.
[00:08:05] Matt Welle: And we feel this, right, as a company. So, we're under constant attack. Like, for years now, every day, we're getting attacked by these hackers from the East. And we've been building and building and building security tools, and we've been servicing these to our customers who've refused to just set them up, or just you know, they're busy, and they just don't prioritize it until it's too late. And then they get really angry at the software provider. How do we narrate this to customers? Because, yes, we are running businesses, but how do we make it a priority for them before it's too late? And this is one of the big struggles that I have, and trying to give this a voice in some way because we're really busy not setting up the security settings. And then, when it's too late, it will drain all of your resources as a business.
[00:08:54] Fleur van Leusden: But why are they settings? So, why are they not default? Why is it possible to have I'm not saying it, I don't know Mews very well, but why do we still expect it to be possible to have a login portal without MFA? Why do we still build these portals? Because they are insecure by design. So, and we know this. And what I'm trying to do more and more is find ways to make security effortless. So, what I love is the example of your smartphone. I think Apple started this, but Android and other phones have it as well. It's the way to unlock your screen with your finger. That's a very secure way to unlock your phone, and it's also very effortless. So, people will like doing this. They will prefer unlocking their phone this way over having to do a swipe code or a PIN code because it's easy. So, we in security and IT, I think we should put more effort into making more of these kinds of solutions for entry into networks or software or where the user-friendly way is also the most secure way.
[00:10:08] Matt Welle: Like to opt out of security settings. If you really didn't want the energy, you have to say, I'd switch off my two-factor authentication. I'm happy to take the risk.
[00:10:16] Fleur van Leusden: Well, sometimes there's something to be said for it, because you wanna do a test or you have a script that has to run, and it cannot handle MFA, and it's just a test environment. So, it's not that important. So, I'm not saying it should not at all be possible to have an MFA-less login. I'm just saying, like you mentioned, that's what I would suggest: make the most secure way the default way, and you have to really, really want to do this insecure thing; that has to be the hardest thing to do. And the easiest should be this most secure way.
[00:10:53] Terry Brown: Yeah. I think that's been one of the core challenges throughout the, you know, the phishing campaign we've seen for maybe, goodness, 18 months, because we enforced two-factor authentication for our users. What we found, and indeed why Mews continues to be a target for attackers, is that if you are willing to give your password over, you are also willing to give over your TOTP, the six-digit code. And routinely, that is now the attack vector. Your point is a great one, Fleur, but how do you then either enforce or encourage better? Passkeys are definitely something that we offer. We've recently rolled out single sign-on for free for our customers. It costs us obviously to implement that, but it was just a sensible security thing to do. The challenge is still adoption, hugely, because, you know, within a hotel, you're trying to get a job done. You're trying to clean a room. You're trying to check a guest in or something like that. Routinely, those people will either not be using the same devices, or passkeys are hard, or they will have overly provisioned access because somebody hasn't set up the role-based access effectively. So, there's lots of different challenges there. And having that investment always seems to be a minimal approach. Love to get your thoughts on that as well.
[00:12:18] Fleur van Leusden: No. I think you're absolutely right. And I think the added challenge to that is that hotels generally use all sorts of different systems. So, you have compatibility to think about as well. Because as you were speaking, I was thinking, in hospitality, could we not use just like we do in hospitals or medical facilities? We have, like, a physical card, the swipe card that you can put on a reader. And that's easy so you don't have to type in your password every five seconds. But if you leave the desk, then automatically your screen will lock and all those kinds of fancy things. That's great if you work in a hospital because hospitals generally have kind of, like, the same. They use the card for all sorts of access stuff. I'm not sure. I think hotels and hospitality have a whole rainbow of different access ways. Some will use swipe cards. Others will have apps. Others will still have keys, just physical keys. So, that's a bigger challenge.
[00:13:16] Matt Welle: Yeah. The hardest thing we find is the hardware in hotels is generally very old. Like, there's hotels still running Windows 97 or whatever that version was, which is scary because then you're not protected with the latest software. And they're sharing computers as well, at the reception desk. If you think about a reception desk, very often you just jump from desk to desk, and then they log in and out, or they use each other's, like, login credentials. Or there's a sticky note on the computer with the login credentials. And this is where, when we enforced two-factor authentication two years ago, we got so much pushback from ourselves. We're like, I don't wanna, every time I log in, whip out my personal phone to find that TOTP token, which now is actually no longer secure because they've actually found a way around that. So, now we're pushing them to passkeys, but then they're like, yeah, but our infrastructure doesn't actually allow for passkeys because it's blocking it somehow, or, you know, we're sharing computers, so I can't set up my passkey on a shared computer. And we're just constantly running through these circles of fire, it feels like, almost, to get anything deployed.
[00:14:21] Fleur van Leusden: And do you because I think Mews, it's like a cloud, a SaaS type of service. So, what I could imagine is that you have very strict monitoring on your software. Even then, it's difficult to spot because how do you know if someone logged in legally or is actually an attacker? That can sometimes be hard to spot. But maybe you can, Terry, you can elaborate on your monitoring.
[00:14:49] Terry Brown: Absolutely. It's a great point. Even as early as last year, goodness, early last year, we recognized some of the challenges we had dedicated security teams, but we didn't have security operations, which focused on that sort of last mile, the monitoring and the protection. So, we've stood up a dedicated team on that, and they are running a security incident event monitoring system, which is well known in the industry. And they're doing a lot of anomaly detection. So, as soon as we see new patterns, we are changing the rules and making sure that the detection is as rapid as possible. It's not preventative, but it's ultimately still way better. We can respond far faster. But it doesn't close the door on the castle. It only allows us to detect.
[00:15:41] Matt Welle: So, what we see as the main attack factor against our industry, and it's not just against Mews, it's against most cloud systems, is that they will spin up a fake landing page for the login page. They advertise it on Google, and they can 100% mimic what it looks like of Mews, also in the ad. Users just look for, you know, PMS login page, and then they get to the ad. They get to the page. They log in. Then they go to the two-factor authentication. They copy that token from the Google app into the page, which the hacker simultaneously copies live as well. And then when the hacker gains access, we then send emails to the user saying, are you dialing in from Russia, or are you dialing in from, and sometimes the user is like, yeah, that's me. Because they think the user is logging in, and they don't read the email, and they click the button. And we put so many fail-safes in. And the moment the hacker is in the system, they download the data files within minutes because these hackers have been trained on these solutions. They know exactly where to go, what the data files are, and now we are even blocking: when you download a file, you must have logged in with a passkey or with a single sign-on. That's the only way to get access to that data. And it's like, the funnel we're trying to limit, but it's been years now of fighting this thing. And every time you build something, they find a way around it in some way, which is very painful.
[00:17:03] Terry Brown: That's a really interesting point as well. These attack vectors, like a phish kit to stand up, you know, a fake Mews log-in site on app.meows.com, for example. That's relatively easy to do and sit as a man-in-the-middle and sort of gather that data. What's not easy to do is operate that at scale. And we're finding that, certainly, you know, search engine ads are being manipulated here. So, they're ultimately setting up something that points at the real Mews site, validating it, and then changing it to the malicious payload. Ultimately, you're giving your credentials over to that fake site. And like a man-in-the-middle attack, that is then logging in to the main Mews site in the background. But Matt's point's really, really interesting. Even recently, we've had a customer in Europe who got an email to say, oh, you're logging in from the U.S. You haven't logged in from here before, is that okay? And they clicked yes. You know, when you have that level, I think, of security awareness, when somebody's just trying to do their job, it's really hard to enforce, for sure.
[00:18:12] Fleur van Leusden: There's only so much you can do as a provider. At some point, you have to also take responsibility yourself as a company, yeah, to work with the software you've bought as securely as possible. And if you've put all these safeguards in place, and people will ignore them or say, yes, I am in the U.S., whilst they're not, there's only so much you can do.
[00:18:40] Matt Welle: Have you seen companies that handle the education in a different way? Or because how do we make the owners of the businesses aware that this is happening, or actually pay attention because we're shouting in the…
[00:18:54] Fleur van Leusden: In the voice?
[00:18:56] Matt Welle: Basically. Yeah. And no one's listening. How do we get people to listen to us?
[00:19:00] Fleur van Leusden: I think it's important. And I think you're being helped with legislation now with NIS2, where the board is actually obligated to have a certain degree of training in cybersecurity by law. It's not for hospitality, by the way, unfortunately, I think. But for many industries, it's now mandatory for boards to have a certain level of cybersecurity awareness, and understanding and training. And that should help, but also in your contracts and in your negotiations, I would say always underline and specify that security is a shared responsibility. It's not all you, and it's not all of them. It's shared. And there's this beautiful graphic where, when you're SaaS or IaaS or PaaS, it will show you the level of responsibility and where the balance tips. And for SaaS, it's mostly at your end as a provider, but there is still a certain level of security that has to be handled by the customer themselves. And I'm not a big fan of phishing awareness training personally, because I think, first of all, if one click on one link can destroy your entire network, then maybe the click on the link is not really the problem. As you've just mentioned, you've put all this stuff in place, where one compromised account should not destroy your entire platform, which I think is very sensible to do. So, there's all sorts of things you can do, but you'll have to assume, if you work in an industry or in a company or wherever, where there's thousands of people working there, and the turnover rate when people leave and new people get hired is very high, it's impossible to train people like computers to always do everything, never click links, do forensics on every single email they get to make sure the header is correct and everything. It's not reasonable to expect people to do that.
Just so, that's why I'm not a big fan of awareness training or phishing training, because I think you should just assume any link that enters a mailbox will be clicked and go from there. That's what I would say. And also, it just demands so much time from people, and people feel made fun of when they get confronted with these phishing awareness simulations. They might be a good sport about it and laugh, but no one likes to be on the mandatory training because you failed the test, you know.
[00:21:49] Terry Brown: Yeah. No. Absolutely. And I think that I would wholly agree. I think training, you know, is a 1% help as opposed to a 50% help. And what we're trying to do, certainly at Mews, is we have a kind of security center built into the product that gives you at least a real-time indicator of how you're doing from a security perspective. So, if you only had MFA, for example, you know, notifying the person who's logged in, the chances are you're not as secure as you feel you are. And we have an overall security score for the hotel based on, you know, prevalence of things like MFA and stuff like that. It's still, if I'm honest, not necessarily changing behavior yet.
[00:22:34] Matt Welle: I had an email conversation with a hotelier this week, and I said, hey, I see that your security settings are low, and there's three more categories higher that you can get to, that you should get to. And the response was, yes, I'm aware of it, but I'm very busy right now. So, I'll get to it when I get to it. And I was like, okay. That's, yeah, I get that. Like, that's hard. And really, it's difficult because I wanna protect you. And the other day, I was with a hotelier, and I said, before we start the meeting, I want you to open the dashboard, and I want you to just, let's go talk through these settings. And I can do that with one hotelier in person, but I can't do this at scale with 15,000. I think that's the biggest challenge that we have. We build the tools, but how do we get them to actually adopt some of the things we're recommending? I guess that's what I'm trying to say.
[00:23:21] Fleur van Leusden: Yeah. I understand it's a challenge.
[00:23:24] Matt Welle: Yeah. How do you feel, like, in a hotel, we did come in, and we're in the cloud, but there's lots of systems that are installed locally. So, like, you've got your Wi-Fi systems. You've got your door lock system that is a local system. And then you've got all the cloud systems that host guest data. Which is the most sensitive? Because, you know, we only think about ourselves as a PMS system, but a hotelier should think holistically about the entire ecosystem. Do you feel that some are more sensitive to getting attacked, like local systems versus cloud systems?
[00:23:53] Terry Brown: I think the challenge in hospitality is not so much individual systems or approaches. It's the prevalence of multiple systems. Each one of them, to Fleur's point earlier on, is a supply chain sort of attack vector. So, if you have one insecure system or you're leveraging 15 different vendors, for example, the chances of attack are far higher, just simply because: is every one of those vendors patching all of their systems? Is every one of those vendors on the latest version of the software that they could be providing you? So, I don't think there's any one particular vector that stands out for me. It's more the prevalence of more systems. But thoughts from you, Fleur?
[00:24:37] Fleur van Leusden: No. I agree. I totally agree. I think, but that does not mean that there's nothing you can do as a company or organization to protect those. So, what I like to do is I like to make a map. It's just simple, in PowerPoint, it's two circles that overlap, you know, where I have a line in the middle, and above it's essential, and below it's non-essential. And I map the vendors, all the vendors that we have a contract with or the free stuff that we use, like Signal, for example. We might not have a contract with them, but there's sensitive information in it. So, I map them in the circles, and the first circle is company, so it's only for us, and the second circle is primary processes. So, what do we do if this vendor suddenly gets hacked or stops working for whatever reason at the most critical moment for us as an organization? Can we still deliver our primary objective, what we are here on this planet to do? And then I've also added to that the vendors that use a cloud. And also, if it's a U.S. cloud or if it's a European cloud, because if Amazon, Microsoft or Google have an outage, then I will automatically know, oh, that means that this vendor is out. We cannot use this software. We cannot use that because there's a big outage and all that. And we can plan our business continuity based on that map because I know exactly which vendors for us are essential, which we can immediately switch to something else with no effort at all, and where are the dependencies on the cloud, and where are those dependencies outside of Europe or inside of Europe? So, that's something you can do. And in general, I think you should have a business continuity plan in place if you have a lot of IT in your company that you depend on for your primary process. What are you going to do if the Internet, for whatever reason, doesn't work for two days? You have a hotel to run. You have everything in the cloud. All your data, your guest information.
Now what? So, this is not a very exotic scenario. This could happen for all sorts of reasons. It doesn't even have to be an attack. And then you have to have a plan: well, if it lasts a day, we can switch this. We can still do this or that. And what if it lasts a week? And also think about what if it never comes back. No, I'm not saying the Internet per se, but what if your data gets deleted or lost, or there was a migration and it went wrong? And then what? And you should plan for these things in times when there is not much going on, instead of trying to scramble and think about all these things in the middle of a crisis. And as you mentioned, Matt, you spoke to a hotelier who said, "Well, I'll get to it." Well, I would suggest trying to get to it rather quicker than later, because one of these days, you might be confronted with this problem, and it will be 10 times harder to figure out than right now, when there's not actually a crisis or something.
[00:28:13] Matt Welle: When I started in the hotels, we were still running on DOS, like, and this is not that long ago. This is 2012, when I was on DOS still. But because the system was so old, we had lots of outages, and we were very ready to jump in when the system failed. And I'm always feeling like we have such high-reliability systems now that when an outage happens, and you know, we had the CrowdStrike outage, what was it, last year? The whole Internet went down, and suddenly, like, customers were just not ready to deal with that situation. So, it's almost like because systems are more reliable, we're less ready for when they're not available. And I don't know if you can ever properly prepare for it, but I agree with you. We should be doing, like, fire training. Like, you do a fire drill, like, you should do it with the systems as well. Like, what happens if we have no systems? And this should almost be part of the manual annually that you do. Instead of a fire drill, you do a system outage training or something.
[00:29:04] Fleur van Leusden: In the Netherlands, we had an expert. His name is Bert Hubert. And he went, he was interviewed for a newspaper, and he said we should have a Cloud Out Wednesday, so just on a Wednesday, switch off all your cloud infrastructure, see what still works and what doesn't.
[00:29:22] Matt Welle: Has he ever done that?
[00:29:23] Fleur van Leusden: I'm not sure if he specifically has done it. He's a very, very, he's a friend of mine, and he's a very pro-sovereignty advocate. But no, I kind of like that idea. And this is also why I said I make sure I know for my organization what dependencies we have because, yeah, it's important.
[00:29:45] Matt Welle: Can we briefly talk about Wi-Fi? Because I'm about to leave for the airport again, and I log in to public Wi-Fi, and I don't really think about it. What do you do? Because you're clearly like, you deeply care about security. How do you log in to public Wi-Fi?
[00:29:58] Fleur van Leusden: I've done presentations on this subject because public Wi-Fi in security, it's kind of like, I call it a dogma. So, quite a while ago, I think 5 to 10 years ago, it was actually pretty bad. The security of Wi-Fi was pretty bad. You could do a man-in-the-middle attack and see passwords, plain text, you could see photos, you could see everything, but that was 10 years ago. In the meantime, we now have things like HSTS, which make sure that when there's this lock on your browser, that cannot simply be removed by a different lock because it checks. Your browser now checks whether you go to mews.com. If it's the actual mews.com, you cannot just get redirected like you could in the past. Also, if the connection is not secure, your browser will refuse the connection. So, you cannot go to any websites that don't have a secure connection without having to click through 5 or 10 warnings that say, don't do this, this is not secure. You can still do a man-in-the-middle attack on Wi-Fi. It is not impossible. However, the thing is, it's much less useful. You don't see any plain text passwords anymore. You cannot just redirect people from the actual Google.com to your fake website. You can still make people go to your fake website. It's still possible. But if people use MFA or YubiKeys or all that sort of protection, then it's pointless to just get them to put in their passwords, because just their passwords is not gonna be enough to attack them anymore. And, also, you have to factor in scale. As Terry mentioned earlier, Wi-Fi attacks are typically very low scale because you have to be physically around people to attack them.
[00:32:06] Matt Welle: On the same, like a router or, like, how does this work?
[00:32:09] Fleur van Leusden: You have to have a rogue Wi-Fi device that will try to circumvent your people trying to connect to your actual Wi-Fi. It will connect them to your rogue Wi-Fi, and that's how you attack them. But you have to be physically around them to be able to do this. Now, if what you're after is just general people's credentials, you don't care whose credentials they are; this is a very dumb way to attack because you have to be physically present, which heightens your chances of getting caught. It's very low scale because it's only whoever you can find that's around. Whilst if you wanna do a phishing attack where you don't care whose credentials you catch, you will send emails. You will go through the Internet. Your chances of getting caught are way, way less because you don't even have to leave your house. So, if the general public's credentials are what you're after, Wi-Fi is a very low, it's not really attractive. Now, if there's a specific person you're after, because they are a government official or they have very high-tech information, then it's a different story, because then it might be interesting to attack them through a rogue Wi-Fi point. But for most people like me or whoever, my mom or whatever, who goes to a hotel or an airport and just, you know, works at a bakery or something, it's not an attack you need to really worry about, and it's totally not worth spending money on VPNs or any stuff like that, because, actually, a VPN will not protect you against a phishing attack. A lot of hotel or airport Wi-Fi doesn't actually work if you try to have a VPN in front of it. It's expensive, and it also doesn't necessarily mean extra security, because all you're doing is, instead of sending your data through whatever access point you're trying to connect to, you're sending it to your VPN provider, who can also see that data.
[00:34:29] Matt Welle: And Terry, like, you don't work for ITS, but we have VPNs on our computers. Like, do you know why we do it still?
[00:34:36] Terry Brown: I mean, it can still be useful, but it's useful in a niche set of circumstances. It should never be trusted as a mechanism to protect the user from doing the wrong thing. Because they can, as Fleur has highlighted, the user can still do the wrong thing. But ultimately, you know, for example, we have private internal services that are only accessible if you're on the VPN. That sort of thing is a useful use of a VPN for sure. The challenge here is the one we talked about earlier. It's opportunism. And within a hotel, this is not an attack vector you need to worry about, because routinely, people are not coming into your hotel with a rucksack with an antenna on it. And indeed, I hope nobody will follow you around the airport, Matt. In real terms, it's such a low reward for a high-risk scenario that ultimately, for hotels, the right action is you can ignore something like that and focus entirely on, you know, those other mechanisms that can protect you.
[00:35:44] Matt Welle: So, if we switch back then, like that, I'm very happy to hear because I live in airports and hotels. So, I would just keep connecting to the Wi-Fi. If we switch back to logging into a system that sits on a humongous amount of data like Mews, or like any of these CRM systems, what's the most secure multifactor authentication way to log in? Because you get so many options. Like, I heard YubiKeys. We had SMS, TOTP, which is this message, like, code from Google, magic links, facial recognition, or what do you call those? Passkeys. What's the most secure way to log in to systems?
[00:36:17] Terry Brown: I guess I can quickly cover what we do at Mews, and then, Fleur, it'd be great to get your thoughts as well. So, since rolling out single sign-on, that's the thing we always recommend as the primary mechanism because it puts the authentication entirely in the hands of the hotel. So, they can choose whether to enable field point, YubiKeys, or some equivalent. So, that's always the one that we recommend primarily.
[00:36:44] Matt Welle: We have maybe hoteliers listening who don't know what single sign-on is because in our industry, very few hotels use it or at least what we've seen very few hotels use. Can you explain what that means?
[00:36:53] Terry Brown: It's ultimately placing your staff roster essentially in a centralized place and allowing that to handle authentication and authorization. So, can I do this as authorization? Am I allowed to be here as a kind of authentication? And it just makes it so much easier because then you get complete control as a hotel. There are many hotels who are not using this today, and it's understandable, especially if you're a smaller hotel, which is why we have many other mechanisms. But yeah, single sign-on is typically the best from a tiered perspective. We always recommend passkeys directly after that. Passkeys can either be facial recognition, the fingerprint Fleur mentioned earlier or indeed the hardware key. But ultimately, passkeys.
[00:37:48] Matt Welle: I was like, we don't have passkeys. Like, because I didn't know what it was until you explained it to me. How would you explain what a passkey actually is?
[00:37:57] Fleur van Leusden: It's a certificate, basically. Yeah.
[00:37:59] Terry Brown: It's a certificate. Ultimately, and at a human level, it's probably some combination of who you are, the device, and its location. And it couples all of those together with something, typically a fingerprint or a face or the fact that you're logged in to your computer, those are like a combinatorial thing, so it's very phishing resistant, hugely phishing resistant. Below that, we would use email 2FA, which is ultimately emailing a magic link across to a customer, and they click it to come back into the code.
[00:38:37] Matt Welle: Not the email in the code, but a magic link. That makes a difference. Magic link.
[00:38:40] Terry Brown: Magic link. Yes. Yeah. Yeah. 100%. I think what we have learned from the two-factor authentication is that if you are willing to give your password over to an attacker, you are willing to give that six-digit code. So, ultimately, we now say that we don't treat MFA with the TOTP, you know, the single six-digit code. We don't really treat that as something we would consider secure today. And depending on what you're doing within the product, if you're an administrator, you can't use it. In past cases, the minimum. And we always encourage hotels to reduce the amount of privileges to 2FA users because you can do so much damage.
[00:39:22] Matt Welle: So, do you agree with the ranking? Like, it's a difficult thing to rank, I guess, because different systems have different access maybe, but, like, would you agree?
[00:39:28] Fleur van Leusden: I think I totally agree, and I think it's very wise. And I'm actually impressed with how much thought you have put into this because there's still a lot of SaaS platforms that do a very poor job at this. And I think this is very, very good to have in place and to enforce, like you said, the YubiKey or the keys for administrators at least. I think that's very good.
[00:39:57] Matt Welle: Thank you.
[00:39:58] Terry Brown: We still have work to do for sure. I think that…
[00:39:59] Fleur van Leusden: Of course. No one is perfect. I have to find the first CISO who says we are 100% secure. And if I find that one, I would say fire it because…
[00:40:09] Matt Welle: We have to prioritize it budgetarily, right?
[00:40:12] Fleur van Leusden: Of course. It’s a balance.
[00:40:14] Matt Welle: If you don't get an attack, then the priority goes down. And then suddenly, when you get an attack, that budget is created. How do we make this a constant agenda item?
[00:40:21] Fleur van Leusden: Well, I kind of compare it to a house if you have to secure a house. Like, I'm a normal person. I live in a normal house. I don't have very expensive stuff. I like video games, and I make podcasts. So, I have a little bit of expensive stuff in my house, but it's not very special in any way. So, we have locks on our doors. We have had it checked to make sure it's not too easy to break into. We have an alarm system, you know, but I didn't go as far as digging trenches around my house, having guard dogs, or that kind of stuff. So, it's a balance between what do you have to protect, what is reasonable, what can be expected of you, and also what level of pain are you willing to accept in your processes to keep everything secure? And that's actually the kind of thing I like to go by feel. So, sometimes you can actually feel like this is too heavy. This security is too heavy for the thing we're trying to protect. And sometimes you're like, for example, I have a cloud checklist I like to use internally. So, if anyone, if the business wants something in the cloud, they come to me as their CISO and say, hey, Fleur, I want this cloud SaaS product. I'm very interested. And a lot of CISOs will send you back, and they will go, no, you do not want this specific product. What you want is video calling and I will tell you which video software is suitable for you. And in practice, this works really poorly because they will come back and they will tell you, I need video software. It has to start with Microsoft and end with Teams, and it has to have this purple logo. So, you're gonna end up with whatever they want anyway. So, I try to flip that around and go, okay, so you want this specific SaaS software. Here is a checklist for security. You fill it in for me. So, you are going to check do they have a single sign-on? Do they have a login? Do they have an ISO certificate? Whatever. 
Then you come back to me, we discuss it for half an hour, I look at your checklist, and I'll ask you a few questions. So, this puts me in the very luxurious position as a CISO to ask you the question, as the business who came to me. Alright. So, you wanna put very, very restricted government data in a Chinese cloud that has no logging, no MFA, and no monitoring. If you see this, how does that make you feel? Does it make you feel uncomfortable? And if they go, yeah, it's kind of uncomfortable. Maybe we shouldn't do this. Versus the old situation where you come to the CISO, and you say, I want this very exotic cloud software, and I go, no, you cannot because it's not secure enough. And it's the CISO who says no, or security says no. And now, it's not security says no, it's security that says, are you sure about this if you look at it? Do you think it's a good idea? And also because I report to the director. So, when I get a cloud checklist, and I have some recommendations, he's always in the cc of whatever recommendation I do. So, that also puts a little bit of pressure on whoever asked the question to follow up on my recommendations. So, actually, I rarely say no. I recommend some additional security measures sometimes, but I think that's the way to handle this. It's a balance. It's not all or nothing.
[00:44:01] Matt Welle: If a hotelier is listening to this podcast today and they do one thing differently tomorrow, what's the one thing you would recommend? And let's start with you, Fleur.
[00:44:12] Fleur van Leusden: I would say, look at that dashboard you mentioned with the security posture and see if you can get it to a higher level because that's gonna really, really make a difference because that's where your crown jewels are. And make a map of whoever, what does your IT landscape look like as it comes to vendors and your dependencies and have that business continuity in place. Have a plan for when things fail, and assume they will fail because it's IT. One of these days, it's gonna happen, and better plan for that.
[00:44:51] Matt Welle: Thank you very much. Terry?
[00:44:53] Terry Brown: Yeah. I think, and we've talked about it so much throughout this, invest a little time and effort. Depending on the provider, one hopes that it hasn't got any significant financial cost. With Mews, we try to keep that at zero for security. But yeah, invest some time. Security is always a compromise. It's always a compromise with usability and, you know, all of those things. But without taking some of these simple steps like enabling passkeys or, you know, the alternatives, you're ultimately leaving yourself at far more risk from a, you know, from a GDPR, from a breach perspective. So, a little bit of time, a little bit of effort, thinking about this, I think, is critical.
[00:45:41] Matt Welle: Fleur, Terry, thank you so much for sharing all your insights. That has been wonderful.
[00:45:45] Fleur van Leusden: Thank you for having me.
[00:45:47] Terry Brown: Thank you.