The Sub-group organized a seminar by experts for UAE IAA members from the private, non-profit and government sectors who specialize in hospitality, so that they could benefit from knowledge sharing and networking.
The seminar focused on cyber resilience against cyber-attacks. Attendees were told that cyber-attacks are the new norm, with the attacks getting more sophisticated and worse in impact. Based on statistics, a cyber-attack happens every 39 seconds, 291 data records are stolen every second, and there was a 133 percent increase in data records exposed in 2018; $148 is the average cost of each stolen data record and $3.86 million is the average cost of a cyber-attack.
UAE IAA Hospitality Sub-group Chairman Aldrin Sequeira, who is also Chief Internal Audit Officer – Jumeirah Group, said the seminar was about bringing together hospitality professionals from the internal audit sector to give them valuable information about the cyber threat in the hospitality industry and how they can provide assurance on cyber security and cyber resilience.
“It is all about protection, and the DNA of every organization should include looking for potential threats, whether it is phishing, hacking, or any kind of vulnerability, to make sure they are adequately protected,” he said.
“Internal auditors need to inform the Board, Audit and Risk Committees and Management on the potential risk and actually devise recommendations on how they can mitigate those cyber security-related risks. In case of cyber exploitation, it could result in reputational damage and have significant financial consequences,” he said.
It is the responsibility of the Internal Auditor to provide assurance and ensure there are adequate controls to mitigate key risks. A cyber-attack is one of the many risks that internal auditors need to be aware of so that they can also help in protecting the organization.
Amit Tenglikar, Senior Manager, Technology Advisory Services, BDO Chartered Accountants and Advisors, said in his presentation that hotels are prone to data breaches because they collect highly sensitive, valuable and varied personal data on their customers. Since hotels strive to give their guests a personalized experience, they tend to collect and store this customer data. Hotels manage a large number of financial transactions, which often involve executives and wealthy individuals. They use loyalty programs to encourage repeat visits and additional stays. Loyalty-related scams are much harder to detect, as users don’t typically watch their loyalty point balances the way they watch their credit card statements.
He cited the case in which the personal data of 500 million International Hotel Chain guests was exposed in a massive breach in 2018. “500 million customers’ details, including credit card and passport information, were leaked and hackers had access from probably September 2014,” he said during his presentation.
In another case involving a different International Hotel Group, rewards members’ details were leaked. Around 10 per cent of customer details, including names, addresses, email IDs, company names, phone numbers, member numbers and frequent flyer members, were compromised, resulting in reputational loss.
He cited another case of a Dubai-based firm which lost $53,000 in a single cyber-attack.
The key message on cyber security is to make sure that you have the essential cyber hygiene in place before investing in more advanced detection tools. Once you have basic cyber hygiene, you can deter the majority of cyber threats. This will allow you to deal better with the more granular problems relating to cyber exposure.
Internal auditors have a key role in this: they can identify the gaps, highlight the right issues and also guide you through the recommendations on how to fix them.
Ramakrishna S Nivarthy, Director, Quality and Risk Management, BDO Chartered Accountants & Advisors, said that, like risk professionals, internal auditors raise the red flag that there is a problem and can then work with the team to come up with solutions to address those problems. Those are the key skill sets the internal auditor has, and they can use them to assist others who probably have a blind spot.
The hospitality sub-group under the UAE Internal Auditors Association has a vision to be recognized regionally as the hospitality industry leadership group, adding value to internal auditors and business advisory practitioners in the sector. The mission is to create and standardize best practices and promote common interests across the hospitality sector under the umbrella of the IAA UAE.