
SecurityMetrics Podcast
Luxury Getaways, Looming Threats: Cybersecurity in the Caribbean Hospitality Industry | SecurityMetrics Podcast Ep 100
Worried about hotel hacking? This episode unveils the cybersecurity protocols of resorts like Atlantis.
Dive deep into the unique challenges of cybersecurity in hospitality, from balancing guest convenience with ironclad defenses to training a diverse workforce.
Tsega Thompson, Executive Director of Cybersecurity and Data Privacy at Atlantis Resorts, shares her insights on:
- Getting into Cybersecurity
- Special Challenges of Cyber in the Hotel Industry
- Training your workforce effectively
This is your essential guide to cybersecurity in the hospitality industry, packed with valuable tips for travelers and hospitality professionals alike.
Hosted by Jen Stone, Principal Security Analyst (MCIS, CISSP, CISA, QSA).
[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.
Request a Quote for a PCI Audit ► https://www.securitymetrics.com/pci-audit
Request a Quote for a Penetration Test ► https://www.securitymetrics.com/penetration-testing
Get the Guide to PCI DSS compliance ► https://www.securitymetrics.com/lp/pci/pci-guide
Get FREE security and compliance training ► https://academy.securitymetrics.com/
Get in touch with SecurityMetrics' Sales Team ► https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place
Hello and welcome back to the Security Metrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at Security Metrics. Very excited about the topic today because I have someone from the hotel industry, which is something that is kind of on everybody's mind lately, especially with some of the recent breaches that we've seen.
But it's also a really big part of what we all as individuals interact with. So delighted to welcome to the show,
Tsega Thompson. Thank you so much for being here. Would you please tell people about yourself?
Well, thanks so much for having me today, Jen. So my name is Tsega Thompson. I am currently the executive director of cybersecurity and data privacy at the Atlantis Resorts here in the Bahamas.
Nice. Atlantis Resorts in the Bahamas. That sounds okay. First of all, that sounds really fun and I would love to meet you in person one day.
Hey, what is it?
Because it's on property. Would you like to meet me?
Yeah. I mean, also I would like to, yes. That sounded kind of rude, but yes, I would like to see on property, but,
So a little about me, I have, I've been working in cyber for at least 15 years. Data privacy is kind of new to my portfolio, so it's more like in the last three years.
I have a vast portfolio here, ranging from asset management, operational resilience, which includes, of course, stuff like change management, business continuity, disaster recovery, incident management and response. Then I have all the regular stuff like user lifecycle management, privileged access, account security, monitoring and engineering, data privacy, of course, GRC. So we have a full house, like most security teams, with small resources.
Yeah. We make the best of it. No, that is a huge set of responsibilities that you have on your plate. And I want to dig into that.
And then how it's related to the industry specific. But also how did you get to this position? So many people are excited about the type, that type of thing you're doing, basically, what is the dream job for a lot of people.
And so they say, well, how do I get started?
So this is my third industry job. I love what I do from a cybersecurity perspective, but I love looking at it through different lenses. So I started my IT career in telecommunications at a local company, and then I jumped into financial services for a bit, and then I landed myself in hospitality. Now, the best part of the story is how I got into security.
I was finishing my bachelor's degree. I wasn't even in the IT department yet.
Oh, it was working.
It was more a customer service department. I was pure back office.
Dealing with you as a customer, accounts and stuff like that. I had made some friends in IT, and I was just telling them I'm like, oh, I'm about to graduate in a few months. And I'm like, I'm trying to figure out what to do. And I said, it is so vast. Like, how do you determine where to go?
Yes.
And he said to me, he said, well, we have a new-ish security department. It hasn't been around too long. There's only two people in it. And I know your personality, Tsega. I think you would be perfect for it.
So what do I do? I call the manager and I said, hi. I don't know you, and I know you don't know me, but I'm coming to work for you, okay?
Oh my goodness.
yeah.
I think that was the most interesting elevator spiel because my department wasn't willing to let me go.
so.
It took nine months before I actually was able to move into cyber, but I think that initial call interested him enough that he started to ask about me, and he found out, hey, she has some good work ethics. And it was the way it paved the path. Then I got into cyber there, which is really not so much cyber, but, you know, considered IT security.
You know, I was kind of loose on what you do. A lot of more user provisioning and compliance type stuff there is pretty much just that. And there was a tad bit of incident management because, you know, there's always incidents. Everybody's always trying.
So I was able to get my feet wet. I got a lot of my earliest certifications while I was in the telecom space. So I did a lot of work with SANS and GIAC. It was a beautiful thing. Keeping those certs was hard though, because I did a lot in a two year span and then it wasn't like, nah.
And then you have to have the CPEs that go on top of it. And then I was like, let's go and get anything.
From forensics to incident handling like, nah I just was like after a while, as you guys are, you got more sessions. Like, I could just let the rest of these go now. Nice. And then of course, I jumped into financial services. I worked at the central bank of the Bahamas.
Okay. Wow.
And it was a different hierarchy. Security sat outside of IT.
Oh, interesting.
Yeah, yeah.
so that was my first encounter with that.
No, that makes sense in a financial setting. I think that would make sense based on some of the regulations and the compliance things that they would need to meet. Yeah.
And so then I started to learn things like SWIFT, because at around that time there were a lot of breaches happening with the central banks globally, not just in the Caribbean. You had, I think, Bangladesh or Baghdad, one of those, you had some in Europe. I think there was one in Denmark. So it was quite a few going on.
And when it happens in the industry, you're in, you know, everybody is quite anxious to help make sure you implement all the controls. So I got to be a part of that new SWIFT control methodology.
Now, isn't SWIFT, is that how banks communicate with each other?
Yeah.
Okay.
Central Bank also is where I got my feet wet at building a vulnerability management program. I was in charge of the SIEM and all of that. So I got even more exposure on the incident management front. And then by chance, I landed this job at Atlantis.
That's wonderful. Well, you know, I can see why they would want you. You have tons of hands-on experience in addition to the communication skills that I could hear coming out for each of the ways that you advanced through your positions. And that's something I think I hear as a very common theme when people want to come into cybersecurity.
It's not as much about your certifications or your training or any of that. Can you communicate with other people? Because without that communication piece, your knowledge doesn't get you very far in cybersecurity.
I think it's a bit of a balancing act there. There is some of it. I don't think you have to have like, a million certs to get your foot in the door. I think a lot of employers, myself, we want to see that one. You're willing to learn the space. Cyber is about technological advances, which means you have to stay on top of things.
Right. And for someone who thought I was finished with learning, I always asked myself, how did I pick this career that keeps me constantly learning new things?
Yes.
This is not like accounting is where you get the principle like no technology comes and then this new thing, you have to stay on top of it. AI is the buzzword this year, last year with zero trust, you have to figure out what all that means. You have to be able to communicate that back to your staff, stakeholders and be like, and then you have to be able to communicate the risk involved with everything you do.
Yes. Yeah. That, and helping the decision makers, the people who are the budget planners understand what you're saying well enough to make good budgeting decisions so you can address the risks. That's a real challenge.
Yeah. I come in the room and I say, I am a woman. I like "tings," 'kay, not "things." In Bahamian, eh, Caribbean, people like to say we like tings.
You like tings?
Okay.
You got to emphasize it. Like…
I will try to learn
I want you to know I'm coming with an ask.
And I think it's kind of hard for all cyber professionals because we always have an ask.
yeah.
From a financial standpoint, I don't think the businesses always see us as giving back as much as what we asked for.
I think they see the ask more than they see what's being given, because of the ask, right?
When you tell somebody that, hey, if you get this tool in place, and this is almost $100,000 or $300,000, and we say that hypothetically it possibly can protect you from a breach. But then technology changes.
Yes.
That also changes. So there's a chance it also protects you. But, you know, zero day vulnerabilities are a real thing.
Right.
And then if you do your job right, they never see how well you protected them. And if you don't, then they get hit by a breach and wonder where all that money went in the first place. And so that balancing act of helping them understand the risks, being able to address those risks with and receive what you're asking from the financial people, that's a challenge.
Yes it is!
Well, and the other thing that was interesting to me as you, you had a lot of things, a lot of knowledge, very specific industry knowledge in the financial world that you came from to the hotel industry.
Were there things in your current industry that are substantially different from any other place that you've been in terms of, cybersecurity or privacy or compliance, even?
Yes.
Compliance needs are different throughout the industries. There are certain aspects that you look at that you like was never a big deal before. For example, PCI was not an issue when I was in financial services, right? In my current job, I'm currently preparing for PCI version 4.0 next year. And there are things that I have to do for that.
And I find that although a lot of the fundamental things remain the same, like we know that we need access controls, we know that we need to have physical controls, we know stuff like we need audit logging and backup and recovery and all that stuff, your compliance needs tend to change throughout your industry. For example, if you're in health care, you have to be concerned about HIPAA.
Even I have to be concerned about HIPAA, but it's not to the same extent that I would have had to if I was working in, let's say, insurance or in a hospital.
Right.
But there are things specific to the hotel industry, then. Where would you say you emphasize your time or energies in that industry as opposed to others?
Hospitality is not as highly regulated as an industry such as financial services.
Oh I can see that. Okay.
So, but what I will tell you is, because my portfolio is vast, there isn't one area I would say I would stick my mind on the most, but I will tell you things that are different. For example, in corporate offices.
You have people that normally work 9 to 5, right? You can set simple access controls, even for monitoring, to say that, hey, anyone after 6:00, let's set this as an alert. You know, you said standard because you went to your hotel. You're 24 by seven, five days a week. Putting those type of permissions on becomes very hard, especially now when you look at things like remote work, people who are now working strictly from the office. This was not so much of a thing pre-COVID, but this is now a business norm at this point.
Right?
So some of those are indicators of compromise that we might have had previously or in other industries. They would be easy things to say: somebody not in the office, and it's two in the morning. Why are they working? And you look at it and say, oh, I'm glad that they're doing their job.
You know, now.
Someone that comes in at 2:00 in the morning, you're like, first and foremost, is this person at work? Because based on the department, they are most likely at work trying to do their job.
Oh yeah.
Like, you can't just automatically be like, nah, we restricted that access. Next thing you know, you get a call: well, I've been trying to get some work done and all of that, but I can't log into the network. So no, it's not as straightforward. And then things like RFID access.
We look at ways to make the guest experience better and easier and more fluid.
Right.
And so now you have to look at all those ways that things could be compromised.
Or in a regular sector, when you look at it, there are fewer people trying to gain physical access. So your physical access points into the building are not just there by physical security, but you don't have badge access. You're in a hotel, right? Doors are open, for the most part they are open.
Yeah.
There are certain restricted areas, but in a lot of places, seeing a guest is not a strange thing.
So a lot of the physical access restrictions that we would see in other industries simply are not possible.
It's not as tight as you would have it in other industries.
Yeah. So people are wandering around through all sorts of areas.
And these are the ones that are the real restricted ones. But let's look at something like front desk. It's in the lobby.
Yes. You can have people there. What are you going to tell people? They can't get to the lobby?
Right.
And so you have to use all the security controls and stuff. You have to start looking at network access controls and, and control and access supports, to make sure that people can just log into ports. And some industry is having Wi-Fi would be a thing.
And in the hotel industry, guests expect you to have Wi-Fi. But now you have to understand to delineate between corporate Wi-Fi and guest Wi-Fi.
Which, so there is, scope tends to be bigger in hospitality, and a business like Atlantis, Atlantis is a resort, which means we have a casino.
We have a waterpark, we have an aquarium and we have hotels. Not to mention that we still have retail outlets.
Right.
We have restaurants.
So even the scope of how we do business is completely different. So when you look at financial services, you just have to look at one piece of the pie, whereas in hospitality, the pie is so much bigger. There's so many more ingredients going on in this pie.
And just from the list you told me, there are a ton of different data flows that would be involved with each of these areas, you know, personally identifiable information plus credit card information, potentially health care information. A lot of information that flows through the various aspects of your responsibilities, right.
And so knowing who's supposed to have access to that information and who is not, I'm sure, makes up a lot of the work that you do.
I think we've been really good at adhering to the principle of least privilege.
We have our data flows mapped, we have our systems mapped. Especially with privacy regulations, we are required to know where the sensitive data lies, how it's being used, how it's moving across our network. Like I said, within the Pam has done a pretty good job of that.
Because in order to secure the data, we have to know where the data
You're right. Right.
So in the Bahamas, you're a destination, right? For a lot of people from a lot of different parts of the world. Do you have to consider regulatory compliance with a lot of places outside of the Bahamas? Or are you primarily dealing with those internal to that country, or what does that look like?
It looks like internal and external.
So, just on data privacy, we have a host of US privacy laws that we have to adhere to just because of our customer base, same as GDPR.
Because we run the financial side and our retail and our call center, we have to be in compliance with PCI.
Right?
So and then of course, because we operate in the Bahamas, we have to be in compliance with all the local rules, which includes not just the data protection laws, but also stuff like the gaming board. Because like I said, we have a casino.
Right. So with kind of this big picture view, what would you say are some of your biggest challenges in your job specifically?
Resources.
We, I'm pretty sure everyone says that. I don't know if you ever heard, there was an old rhyme that said something about trying to make a dollar out of $0.50.
Yes. Yes.
I think it was an old song.
You become a miracle worker. With the resources you have. You rely on things such as managed service providers that help you get through what your team can’t. And you create a symbiotic relationship.
Right.
That's why security awareness is, will always be my baby.
Right? Right. So,
Working with third parties brings its own set of challenges, of course. And a lot of people are concerned about how do we deal with, manage these third party service providers that potentially could have a supply chain issue that they can cause us? So what are some of the things that you do when working with third parties to make sure that they're going to help you and not cause you additional problems?
Keyword due diligence.
Diligence and SLAs: service level agreements.
Yeah.
I will tell you that I have had to change partners before simply because they did not produce what was promised. They did not adhere to those things. Well, at least the SLAs. I think that when you have a managed service provider, there should be a level of trust. I trust you to take the reins when I'm not here.
I trust you to call me if there's a problem. There has to be trust. If I cannot trust you, then I have a problem, right? I want the only thing to keep me up at night to be good books and occasionally stuff on Netflix. But most likely it's going to be a good book.
And I wish you many good books and no big problems. So, looking at maybe,
So you've got the gaming side of things, you've got the hotel side of things, you've got water parks, you have all of these things that you're working with. These, of course, include people. And as we know, cybersecurity really hinges on people knowing what they're supposed to do to keep privacy and security on track for you.
So what kind of security awareness programs do you have in place to help people who may not be, I don't know, you know, you might have turnover. These seem like positions that in a lot of places you wouldn't have long term workers.
What does that look like for you?
So we have a robust security awareness program here. We have one that begins with onboarding. We also do quarterly security awareness training. And we have about monthly phishing simulations, talking to people around. So it's not going to be the same people. So you don't have to be worried about I can't get you to.
Use
I don't want everybody just reporting everything, but.
Right.
It's built on helping you to understand the threats that are out there and that hackers and malicious actors do not sleep. But in the vein of talking about how things differ in the hospitality industry, one of my biggest issues has been finding content that everyone in the business can actually relate to.
So we use an industry leading platform, but a lot of it is still geared more towards corporate clients.
Right.
It isn't heavily focused on the housekeeper.
Right. Or the bellboy, or the workers in the restaurant that have to deal with credit cards and have to be concerned about skimming devices and understanding the importance of tracking those devices. Now you can find it, but it's probably like 1 or 2 out of 20 on a different topic.
Right?
So this year, what we had to do is we had to make the decision to actually create some of our own content.
Oh, interesting. Tell me about that one.
That means we were able to get the business involved, other business units involved, which I thought was great.
But, of championing our cause, I figure they are part of it. They're most likely to participate and actually store that knowledge in.
right?
Because they become engaged, they start caring about it because they helped create it. That's excellent.
Additionally, we need security awareness to actually be beneficial to the end user. It has to be relatable.
Yes.
Me giving you user awareness training on phishing scams, and you only deal with POS equipment, right? You just sell equipment, that doesn't benefit. So you already start to an email, because you'll be like, "first and foremost, Miss, I don't deal with emails."
Right.
I'm not clicking on no emails.
I don't even have an email.
to set.
A point of sale has its own security threats. Yeah, so it's things like that.
I love hearing that.
Absolutely. This is something that I am asked about all the time. And when I give an answer, a lot of times they don't like the answer, because the question will be, what level of training do I need to give my people? And my answer is, have you performed a targeted risk analysis to determine to what degree this person in their position can cause you a security issue, a cybersecurity issue, a privacy issue?
Have you done the work to say what could they do to cause you a problem? When you know that, then you can create training for them.
I think one of the biggest issues I've had was security awareness training and people asking, why do we have to do it all the time? It's normally 5 to 30 minutes per quarter, so it's basically two hours a year. And I have to explain to them that there are a lot of topics to cover. I am mandated for both privacy and cybersecurity to provide training, so I tend to combine those training topics together where possible to ensure that we have gotten the most.
But let's be real. Yes, the topics alone are exhaustive.
You have email security, you have social engineering, you have passwords, you have acceptable use, and the list goes on and on. Then we have AI, QR codes, chatbots, I feel like.
Wait until they introduce something new next year.
One last kind of focus on your industry where you are specifically. I think we often don't take geography into account when we're doing some sort of analysis of risk. And are there things in the Bahamas that you have to consider that maybe somebody who is in the middle of Oklahoma does not?
From a vulnerability, cyber vulnerability standpoint, I'm going to say it's pretty much straight across the board. What I have found is people assume that because we're from a little small country, we don't see the level of risk or the same type of threats that other people see. When you have threat intelligence and your threat intelligence shows you where these threats pop up on a map, you realize that we play with the same heavy hitters as everybody else in the world.
We have the same forces, you know. Can you, UK, Europe, Germany, all of those things. We have to worry about all of them. And because I think of our proximity to the United States people, I think, try to use us as a training ground to be like, hey.
oh.
Oh, no.
So in addition to that, we also have a lot of US based companies, global companies that reside in the Bahamas, especially if you look at financial services. We also have European bank accounts. We have businesses that are global companies.
So we have the same threat actors that are popping up around the world.
Yeah.
We have the geofence also against company countries like China and Russia just like everybody else. Yeah.
Yeah. No, I would see how that would be true. You remind me of maybe Singapore, only with closer oceans.
But the financial industry is very heavy there. And the same thing in the Bahamas. You have a very strong financial presence, but also the industry that you specifically are in, gathering people from all over the world with a ton of mineable data, if somebody can get their hands on it. I would think that if anything, you have more challenges because of that.
From, maybe, a storm perspective, do you get some of the…
From a physical location?
Yeah.
We are concerned, we are smack dab in a hurricane region. Oh, okay. Six months out of the year, it's hurricane season for us. Which means we have to employ backup strategies, some of which are completely out of country. Some of our DRC, okay, are out of the country altogether.
Okay.
For that reason, I will say that residing on New Providence, thankfully, we are strategically located throughout the Bahamas so that we don't get the worst of it.
Nice.
And most organization data sets with a new Providence. So.
Okay. All right.
Well, that's the other thing that I think, like you said earlier, when you talk about the new way of work where a lot of people are remote, in the past we didn't have that immediate, you can work from anywhere securely. We didn't have that available because it wasn't the reality of work.
But now it seems that anyone who's dealing with some type of natural disaster, a storm or other type of natural disaster scenario, that in the past it would be a cybersecurity threat to a greater degree than it is now, I think. Is that something that you're seeing as well, that the ability to move and work from various places is helpful to you?
Well, what I will say is, and this is simply because I'm not allowed to work remote, I would be on a beach somewhere, but I'm in office to be.
Okay. You all.
Don't get me wrong, after two weeks abroad I started to get homesick. But
Sure.
What I have found with remote work is cloud. With the emergence of cloud, especially in the last decade, it makes it easier to work remote, because there are more applications now sitting in the cloud than there would have been before, where everything was sitting on prem.
So we still see it a lot. And during Covid, we lived it. There was a bit of time when the hotel was closed, but there were still critical operations that had to continue from a survival perspective. We still had to maintain the network. We couldn't afford for the things that we had to be compromised.
Right.
But that allows for a strong business continuity and disaster recovery focus right there, which allowed me, with the zone, you know, it allows me to allow certain sub programs within my overall program, which I think is a fair win for me.
But then again, cloud itself brings its own security concerns.
Sure.
So it's a bit of a give and take. Yeah, it's easier for people to work remote. There are more security concerns, because we don't always have that added layer. But hey, we also have MFA. And then, you know, depending on how you configure it, because, you know, all MFA authorizations aren't as strong as others.
Yeah.
But then again, if you look at it, VPN hacks are on the rise as well.
So, very interesting time in cyber.
As you said earlier, there are always more things to learn and there are always new things to strengthen. It's not something that you just set and forget and do the way you've been doing it. Every day there's something new that we have to keep tackling.
Any ideas or comments you want to leave with me that I maybe didn't cover yet in this conversation? It's been delightful talking to you and interesting learning about the hotel industry and a little bit about the gaming industry.
There is more about US privacy laws on the horizon. I would really like if you guys would just give me one. Yes,
Yeah.
I think we agree with you there. You don't want 50.
Give me just the one, if you guys could just give me the one. IPA, Canada gave me the one. But if someone could just give me the one privacy law for the U.S., I would be so, so happy. Because every time they turn around, there's five more states jumping on the bandwagon. Yeah, this whole thing is like one thing different.
Like, let's change the wording. Let's just change the word. It means the same thing. Let's just change the wording.
I wouldn't be surprised if the federal government decided that they were going to put in some sort of overarching, I don't know, maybe I would be surprised. Who knows what the lawyers are going to give us next year? And the lawmakers. It's an ever changing target.
Well, once again, thank you so much for your time today. And I hope to get to talk to you again in the near future.
Thank you so much for having me. It has been a pleasure.
Thanks for watching. To watch more episodes of Security Metrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.