Business Bureau, Gulf Today

The hospitality industry is increasingly prone to cyber-attacks and breach of customers’ personal data. Generally there are two types of organisations. Ones that are aware that they have been hacked and the second have been hacked already but are not aware of it. In today’s world, there is nothing called absolute security against cyber security. Internal Audit have an important role to play by critically evaluating the cyber foot print of their organizations and provide assurance on the cyber resilience programme, according to Hospitality sub-group performing under the UAE Internal Auditors Association (UAE IAA).

The Sub-group organised a seminar by experts for the UAE IAA members from the private sector and non-profit and government sectors that specialize in the hospitality to benefit from knowledge sharing and networking.

The seminar focused on cyber resilience against cyber-attacks, the attendees were told that cyber-attacks are the new norm with the attacks getting more sophisticated & worse by impact. Based on statistics, a cyber-attack happens every 39 seconds, 291 data records are stolen every second and there is 133 per cent increase in data records exposed in 2018, $148 is the average cost of each stolen data record and $3.86 million is the average cost of a cyber-attack.

UAE IAA Hospitality sub group Chairman Aldrin Sequeira, who is also Chief Internal Audit Officer - Jumeirah Group, said the seminar is about getting all hospitality professionals from the internal audit sector together to provide them with valuable information about the cyber threat in the hospitality industry and how they can provide assurance on cyber security and cyber resilience.

“It is all about protection and the DNA of every organisation, should include looking for potential threats, whether it is phishing, hacking, or any kind of vulnerability to make sure they are adequately protected,” he said.

Internal auditors need to inform the Board, Audit and Risk Committees and Management on the potential risk and actually devise recommendations on how they can mitigate those cyber security related risks. In case of cyber exploitation, it could result in reputational damage and have significant financial consequences,” he said.

It is the responsibility of the Internal Auditor to provide assurance and ensure there are adequate controls to mitigate key risks. Cyber-attack is a risk and it is one of the many risks that internal auditors need to be aware of so that they can also help in protecting the organisation.

Amit Tenglikar, Senior Manager, Technology Advisory Services, BDO Chartered Accountants and Advisors, in his presentation said that hotels are prone to cyber data breaches as they collect highly sensitive, valuable and varied personal data on their customers. Since hotels strive to give their guests personalised experience, they tend to collect and store this customer data. Hotels manage a large number of financial transactions, which often involve executives and wealthy individuals. They use loyalty programs to encourage repeat visits and additional stays. Loyalty related scams are much harder to detect as users don’t typically watch their loyalty point balances the way they watch their credit card statements.

He cited the case of personal data of 500 million International Hotel Chain guests exposed in a massive breach in 2018. “500 million customers’ details, including credit card and passport information were leaked and hackers had access from probably September 2014,” he said during his presentation. In another case involving a different International Hotel Group, the rewards members details were leaked. Around 10 per cent of customer details, including names, addresses, email IDs, company names, phone numbers, member numbers and frequent flyer members, were compromised resulting in reputational loss.  He cited another case of a Dubai based firm which lost $53,000 in a single cyber-attack.

The key message on cyber security is to make sure that you have the essential cyber hygiene first before investing in the more advanced detection tools. Once you have the basic cyber hygiene, you could deter majority of the cyber threats. This will allow you to deal better with the more granular problems relating to cyber exposure.

Internal auditors have a key role on this where they can identify the gaps, highlight the right issues and also guide you through the recommendations on how to fix it.

Ramakrishna S Nivarthy, Director, Quality and Risk Management, BDO Chartered Accountants & Advisors, said that like risk professionals, Internal auditors raise the red flag that there is a problem and then they can work with the team to come with solutions to address those problems. Those are the key skill sets the internal auditor has and they can use that skill set to assist others who probably have a blind spot.