I recently had the opportunity to interview the Vice President of IT Jason Shane and Sr. Security Engineer Yoel Alvarez of Hersha Hospitality Management. We discussed some of their biggest challenges when it comes to information security, email security, and the natural fluctuations in a hospitality company’s workforce. Here’s what Jason and Yoel had to say.
What are some of the challenges that the hospitality industry faces when it comes to security and technology?
Yoel: Hersha Hospitality Management manages about 120 hotels across the country. You can think of each hotel as an individual company. Our team is focused on keeping all the hotels’ systems online and available without impeding the integrity of the sensitive data we process and store.
Jason: The hospitality industry has some unique challenges when it comes to information security. One issue that we and many other hospitality companies have to address is a volatile workforce. We have over 5,000 employees and 120 locations spread coast to coast. As we’ve grown over the years, new employees start working at the hotels at an incredibly high rate. In addition, the nature of the industry means that we also see a lot of fluctuation in our existing staff as well. So, some of the IT and security processes that we thought we had nailed down as a young business, we now have to modify in order to gain more visibility and control.
How do you maintain information security standards?
Jason: Much of our workforce (about 80%) are hourly employees, not highly skilled in the field of information security. These same people process credit cards, other PII, and have access to the email system. But because of timing and the instability of employee tenure, it’s difficult for our team to successfully implement a traditional security awareness training program.
Yoel: Yes, one of the biggest challenges we face is getting the hotel staff to embrace both the IT and security policies. Training and the addition of new policies and additional layers of security all have an impact on hotel operations. Smoothly implementing these programs and procedures in a way that doesn’t impact operations is always a challenge.
Jason: We focus our efforts and resources around getting employees up-to-speed on the importance of PII and how to properly handle this type of sensitive information. We also use GreatHorn’s in-context phishing awareness training to properly address potential phishing scenarios.
Yoel: Security awareness training can be tricky to do. Given our IT environment with different hotel brands and teams with new employees coming in and out, we’d rather focus on and train the most targeted individuals (C-level) and teams (Finance, HR). Those employees who handle the most critical information. GreatHorn notifies these employees of emails that are not necessarily malicious but the nature of the email just isn’t clear. Using a warning banner that GreatHorn enables for us brings a lot of visibility, and we see this as training. Now when members of the hotel staff reads their email, they see a red banner that educates them of a phishing attempt. This awareness and education spreads throughout the hotel and culture.
Let’s dive further into email security, what are some of the concerns and challenges you’re both trying to solve?
Jason: A few years ago, we examined our risk profile specific to email communications. We used to see suspicious email messages with such a high velocity requesting W2s, or the “can you wire X amount of funds to X third-party requests. We had a large influx of phishing and impersonation scams. We saw real, targeted attempts and candidly some near misses that made us aware that email is an easy target. We wanted an email security solution that would be easy to use, non-disruptive to email flow, and one that wouldn’t disrupt the hotel experience.
Yoel: We receive about 120,000 emails a day. Managing that volume takes more than a staff, you must have tools in place to analyze, at least, to get visibility into what’s happening. We decided that we needed to partner with a vendor that approached securing email a bit differently. Hersha had a unique IT environment at that time. We just finished up transitioning to a cloud-native email provider. We were challenged with how to protect this new environment. There’s a common misconception that because you move your email to the cloud it’s secure, but it’s actually the opposite. You just open a new window for threat actors. It was challenging when we started looking for a vendor that could provide a cloud-native email security solution. GreatHorn works in a unique way. It is not a gateway. I figured that even if the solution breaks, our email will still flow, which was on our must-have list!
What do you think are some of the biggest benefits that GreatHorn provides?
Jason: GreatHorn has been a great partner for Hersha. We have a tightly integrated relationship with GreatHorn’s platform. We’ve been able to educate and inform our email users in real-time with the GreatHorn banners. We used to treat email as completely untrusted. Today, we look at email as a vehicle for business communication. With some of our controls and visibility into the type of data going through, we feel more comfortable leaning business processes on email. Counter to that, we’ve taken things like wire transfers and W-2 delivery that GreatHorn has identified, and educated our employees enough to watch out for and notice if they’re getting a request. That’s not a methodology we typically use for those types of documents.
GreatHorn’s benefit to Hersha is probably the single pane of glass concept. We have a small security team. My team can now look at one interface and watch our entire email platform from end-to-end. We can quickly tune and adjust our roles, banners, and notifications and watch the results in real time.
Yoel: My favorite thing about GreatHorn is their customer support. There is no way to always know the right answer for everything, so having a vendor-customer relationship like that provides a lot of value.
Jason: I’d absolutely recommend GreatHorn. Honestly, a part of my job is to keep Hersha out of the news. I used to worry about email as a threat vector, but it’s been about three or four years since we started working with GreatHorn. Frankly, with GreatHorn, email security doesn’t keep me up at night.