Hospitality industry more prone to cyber attacks, say experts
DUBAI, December 22, 2019
The hospitality industry is becoming increasingly prone to cyber-attacks because it holds a host of personal and financial information on its guests, as well as other sensitive data, such as payment card information, experts in the industry said.
Generally, there are two types of organisations: those that are aware that they have been hacked, and those that have already been hacked but are not aware of it.
In today’s world, there is no such thing as absolute security against cybercrime. Internal audits have an important role to play by critically evaluating the cyber footprint of their organisations and providing assurance on the cyber resilience programme, according to the Hospitality sub-group operating under the UAE Internal Auditors Association.
The sub-group organised a seminar by experts for the UAE IAA members from the private sector and non-profit and government sectors that specialise in hospitality to benefit from knowledge sharing and networking.
The seminar focused on cyber resilience against cyber-attacks, informing attendees that cyber-attacks are the new norm, with the attacks becoming more sophisticated and worse in impact. Based on statistics, a cyber-attack happens every 39 seconds, 291 data records are stolen every second, there was a 133 per cent increase in data records exposed in 2018, $148 is the average cost of each stolen data record and $3.86 million is the average cost of a cyber-attack.
UAE IAA Hospitality sub-group chairman Aldrin Sequeira, who is also chief internal audit officer - Jumeirah Group, said the seminar is about getting all hospitality professionals from the internal audit sector together to provide them with valuable information about the cyber threat in the hospitality industry and how they can provide assurance on cybersecurity and cyber resilience.
“It is all about protection and the DNA of every organisation should include looking for potential threats, whether it is phishing, hacking, or any kind of vulnerability to make sure they are adequately protected,” he said.
"Internal auditors need to inform the Board, Audit and Risk Committees and Management on the potential risk and actually devise recommendations on how they can mitigate those cyber security-related risks. In case of cyber exploitation, it could result in reputational damage and have significant financial consequences,” Sequeira added.
It is the responsibility of the Internal Auditor to provide assurance and ensure there are adequate controls to mitigate key risks. Cyber-attack is a risk and it is one of the many risks that internal auditors need to be aware of so that they can also help in protecting the organisation.
Amit Tenglikar, senior manager, Technology Advisory Services, BDO Chartered Accountants and Advisors, said in his presentation that hotels are prone to cyber data breaches as they collect highly sensitive, valuable and varied personal data on their customers. Since hotels strive to give their guests a personalised experience, they tend to collect and store this customer data. Hotels manage a large number of financial transactions, which often involve executives and wealthy individuals. They use loyalty programmes to encourage repeat visits and additional stays. Loyalty-related scams are much harder to detect as users don’t typically watch their loyalty point balances the way they watch their credit card statements.
He cited the case of personal data of 500 million international hotel chain guests exposed in a massive breach in 2018. “500 million customers’ details, including credit card and passport information were leaked and hackers had access from probably September 2014,” he said during his presentation.
In another case involving a different international hotel group, rewards members’ details were leaked. Around 10 per cent of customer details, including names, addresses, email IDs, company names, phone numbers, member numbers and frequent flyer members, were compromised, resulting in reputational loss.
He cited another case of a Dubai-based firm which lost $53,000 in a single cyber-attack.
The key message on cybersecurity is to make sure that internal auditors have the essential cyber hygiene first before investing in the more advanced detection tools. "Once you have the basic cyber hygiene, you could deter the majority of the cyber threats. This will allow you to deal better with the more granular problems relating to cyber exposure," Tenglikar said.
Internal auditors have a key role in this: they can identify the gaps, highlight the right issues and guide companies through recommendations on how to fix them.
Ramakrishna S Nivarthy, director, Quality and Risk Management, BDO Chartered Accountants & Advisors, said that like risk professionals, internal auditors raise the red flag that there is a problem and then they can work with the team to come up with solutions to address those problems. Those are the key skill sets the internal auditor has and they can use that skill set to assist others who probably have a blind spot.
The hospitality sub-group under the UAE Internal Auditors Association has a vision to be recognised regionally as the hospitality industry leadership group adding value to internal auditors and business advisory practitioners in the sector. - TradeArabia News Service