New Omni Hotels & Resorts CIO Ken Barnes is mulling how to shore up corporate defense in the wake of a cybersecurity attack that impacted 48 of its 60 hotels in North America. Barnes, who started in May, of course says he plans to improve the protection for Omni's payment processing systems. New defenses could include analytics that detect anomalous behavior suggesting that a hacker has entered or is trying to enter Omni's computer network.
"I want to make sure that we have our perimeter set up and that we have people watching that perimeter to protect us,” Barnes told CIO.com last Thursday, a day before the Dallas hotelier announced the breach. Hackers installed malware on point-of-sale systems to steal payment information from December 23, 2015 until June 14, 2016, Omni posted on its website on July 8. Omni discovered the intrusion on May 30.
Hackers love hotels
It's open season on U.S. hotel chains. In the past 12 months, Starwood Hotels & Resorts Worldwide, Hilton Worldwide Holdings, Hyatt Hotels and Trump Hotel Collection have all announced data breaches targeting consumers' debit and credit card information. As in most of those incidents, the Omni perpetrator collected the information from purchases guests made with their physical credit and debit cards in the chain's hotels and bars, Andrei Barysevich, director of cybercrime research at Flashpoint, told the Wall Street Journal.
Barnes says hotel chains are an attractive target for hackers because they support hundreds of thousands of guests at locations all over the world. Moreover, the hospitality and retail industries are far more decentralized than other industries, with business segmentation making it more challenging for experts to protect and easier for perpetrators to gain entry.
Omni doesn’t operate under a franchise model but Barnes is weighing whether to hire additional technical cybersecurity staff or procure a managed security service provider to bolster its posture, including applications that provide better warnings when something is awry. Such software might, for example, detect when someone using credentials from an employee in HR logs into the system from the Ukraine and tries to access financial files that he or she would have no reason to view.
"[The idea] is to absolutely put applications in place that do more alerting and alarming above and beyond the table stakes [apps], such as those that lock out a user when their password fails three times," Barnes says. “It’s about really looking deeper and aggregating data within logs to show you the bad stuff.” Barnes declined to reveal more about his cybersecurity plans, citing sensitivity around discussing the company’s data protection profile.
Over the next six months Barnes says he plans to complete projects initiated before his arrival. These include front-of-the-house technology for soon-to-open locations in Frisco, Texas; Louisville, Kentucky; and Atlanta, that "need a little extra push over the goal line.” He also plans to purchase and implement a CRM system and will improve the company’s existing reservation call center, business intelligence and financial reporting capabilities.
“The CRM piece could give us a large advantage of having a 360-degree view of our guests, to be able to tailor their experience and to be able to market to them properly,” Barnes says. “We don’t want to send someone who has never golfed before a golf package for [Omni’s resort in] Barton Creek, Texas.”
He says his greatest challenge will be getting acclimated to the organization and making sure that Omni’s operations team is on board with his proposed changes.
Being both a business and IT leader
Barnes is taking caution to strike the right balance between IT leader and business leader, ensuring that enterprise technology initiatives are aligned with the business. He says that while maintain an insatiable appetite for technology -- Starwood and others are allowing guests to check in and enter rooms with their smartphones -- Omni still needs to provide good service in a clean, friendly environment. Guest satisfaction, above all else, is the No. 1 priority at Omni and he says that attitude permeates the corporate culture.
"I want to make sure IT is an enabler of the business, but not leading with technology as the answer to everything," Barnes says.
Barnes joins Omni from GuestTek Interactive, where he served as the senior vice president of global services. Prior to that, Barnes spent 22 years at White Lodging Services, most recently serving as vice president of information technology. The hotelier had 17 locations when he started but had grown to include more than 170 by the time he left in 2015.
This story, "Omni Hotels' new CIO shores up cybersecurity amid data breach" was originally published by CIO.