How Hersha Hospitality Closed its Email Security Gap

10/31/2019

Cybercriminals target the hospitality industry because it handles sensitive data such as personally identifiable information (PII). Many hotel brands have reported large-scale data breaches through a variety of threat vectors such as point-of-sale (POS) exploits, targeted spear phishing, and malware-based attacks.

Hersha Hospitality Management (HHM) is part of the Hersha Group, a 5,000-person industry-leading hotel management firm that provides turnkey management from accounting services and revenue management to IT services and support for more than 125 hotels and resort complexes across the United States. Since credit cards are the primary payment method in the hospitality industry, the team is particularly proactive about ensuring compliance with payment card industry data security standards (PCI DSS).

The team conducted an initiative to identify the greatest threat vectors to PCI compliance in the hospitality industry, and found email to be one of the least secure. Jason Shane, vice president of IT for HHM, and Yoel Alvarez, IT security engineer, knew they needed to implement a modern cybersecurity strategy that could protect HHM from advanced email threats.

With GreatHorn, my security team spends less time on email threat management and more time on other critical security areas.
Jason Shane, Vice President, IT, Hersha Hospitality Management

AT A GLANCE

CHALLENGE

Protect employees from targeted phishing and other types of malware-based attacks while minimizing business impact such as email delays or downtime.

ENVIRONMENT

  • Fast-paced business, reliant on email performance
  • High exposure to PII in general and credit card data in particular
  • Distributed workforce across multiple locations
  • Cloud-first IT strategy
  • Email platform: Google G Suite

WHY GREATHORN?

  • Simple and fast cloud-based setup and management
  • No interruption to mail delivery
  • Ability to more accurately identify and prevent payload-free phishing attacks
  • Quick and easy remediation for zero-day attacks

SECURITY AWARENESS TRAINING IS NOT ENOUGH

With the company’s geographically dispersed operations, email remains a critical communication platform for distribution of new HR policies and procedures, guidance from the executive team to regional managers, business changes and more. Customers often use email to communicate with hotel staff and provide sensitive credit card information via email. Overall, HHM processes about half a million incoming and intra-organizational emails each week.

HHM uses Google’s G Suite for business productivity and communications. However, while G Suite provides many advantages, its email security capabilities cannot adequately protect against the sophistication of today’s targeted phishing attacks.

“Email is one of the biggest targets for hackers,” Alvarez acknowledges. “If just one of these attacks successfully made it through to our finance system, for example, the damage would be huge. We can’t afford a single breach.”

To minimize that possibility, HHM invested heavily in cybersecurity awareness training to educate employees on what phishing attacks were, how they worked, and how to flag them for remediation. However, across the hospitality industry, employee bases fluctuate significantly.

“We were constantly training, but we knew that not all our employees were giving this the attention it deserved,” Alvarez notes. “We needed a tool that could provide an upper layer of defense so that we could protect those users in a different way.”

HHM’s cloud-first strategy immediately disqualified email security solutions that interrupted mail flow by changing mail routing and MX records. They also wanted to avoid the mail disruption caused by relying on a single point of failure such as a secure email gateway – a point driven home during a proof of concept with a secure email gateway vendor when the system went down and lost email for 45 minutes.

While searching for alternatives, Alvarez found GreatHorn. Architected and built for the cloud, GreatHorn’s solution combines advanced threat intelligence and deep relationship analytics to identify both widespread known attacks and highly targeted or zero-day attacks.

Because the product sees all email within the organization, it has an evolving understanding of HHM’s unique communication patterns, making it much easier to see phishing attacks that have no obvious known malicious threat.

In addition to identifying threats other products cannot, GreatHorn also provides HHM’s end users with context around emails that are suspicious, but don’t quite meet the threshold of an obvious threat. For example, if an email references a W2, it might add a banner to the email to remind the user that HHM’s business processes do not allow for W2s to be sent via email. That additional warning effectively serves as in-context security awareness training and often provides the necessary context the user needs to reconsider responding with sensitive information.

Alvarez appreciates that GreatHorn looks at security as a continuous improvement cycle rather than a binary good/bad determination. One feature in particular that Alvarez feels makes GreatHorn so effective is the ability to tune the system based on HHM’s business processes and risk tolerance. GreatHorn then automatically optimizes HHM’s protection based on its own patterns of communication.

The platform uses native cloud email APIs to integrate at the mailbox level (without requiring MX changes), so security teams can quickly and easily remove suspicious emails post-delivery if necessary.

“We needed a robust solution that could protect us from zero-day attacks as well as phishing campaigns that were growing in frequency and sophistication,” Alvarez says. “GreatHorn not only identifies threats, it also provides easy remediation capabilities in the rare event that it misses something. We can conduct a quick search within the console to figure out if an attack is limited or widespread and then remove all at once from users’ inboxes even after they’ve been delivered.”

Employees no longer feel pressure to act as a “human firewall,” allowing them to communicate with colleagues and clients confidently. Now the security team is able to devote more time to critical security areas because it is spending less time on email threat management.

“GreatHorn provides a multi-layered approach to email security,” Shane says. “Not just prevention of known threats and targeted phishing attacks, but also in-the-moment user awareness training and incredibly effective remediation tools.”
