
Cyber resilience is a part of the service

The hotel business in Uzbekistan is growing and digitizing: the hotel management system, ticket offices, online sales channels, mobile keys, smart devices in rooms, active social networks. Along with this, the risks are also growing. We talked to Ilkhom Begmatov, a regional representative of the Softline Group of companies in Uzbekistan, about how to build protection without losing speed and convenience for guests.

The tourist flow is growing, along with the digital infrastructure of hotels. How does this change the security agenda?

Previously, security was considered a "brake". Today it is part of the service. The hotel has dozens of digital outlets: a management system, cash registers, integration with booking platforms, guest Wi-Fi, mobile keys, cameras, sensors, media panels, social networks as a sales channel. Any failure is no longer just a technical problem, but check-in downtime, cancellation of bookings and a blow to reputation. The owners' request changes: "Make sure that everything works predictably when the load increases and new services are launched."

What attacks hit hotels in the region most often?

  1. The first is employee deception: plausible emails and calls "from the bank or booking platform", because of which the employee unwittingly discloses access.

  2. The second is ransomware: a couple of "holes" in remote access or forgotten servers are enough, and in an hour you have a critical system encrypted.

  3. Third, there are weaknesses in integrations and smart devices: channel managers, payment gateways, digital locks, and set-top boxes with standard passwords.

  4. The fourth is hacking corporate social networks with fake "promotions" and extorting money from subscribers.

It sounds like "all at once". Where should I start to avoid drowning in projects?

With architecture. First — an inventory of systems and a map of integrations. Then — a single "system of feelings": we observe computers, servers and the network in one window, connect events with each other and start an automatic reaction. In parallel, we are switching remote access to the principle of "access not to the entire network, but to specific applications", with the second factor confirming the login and checking the device status. And the third step is to separate traffic into "aquariums": guests, staff, payments, and smart devices — separately, with strict exchange rules. These three steps provide up to 80% of the effect in the first quarter.

What exactly does the unified "system of feelings" provide?

It dramatically reduces the "time to understand". You can see not individual logs, but chains: phishing email -> login from the wrong country -> night data upload. It is important that the response is automated: if the reception workstation starts behaving suspiciously, it is isolated by the system, access keys are reset, and those responsible receive a notification. We are talking about minutes and hours, not days of downtime.

The principle of "zero trust" sounds "corporate". How does it work in a real hotel?

Very down-to-earth. The agency that manages your social networks doesn't need access to your guest database; the lock contractor doesn't need accounting. We do not "let you into the network", we "open the door" exactly to the right application and exactly for the duration of the task. Log in only with additional confirmation, and only from serviceable devices (with up-to-date updates and basic protection). Any attempt to extend rights or "jump" to another segment is blocked. Discipline pays off because a local problem doesn't turn into a network-wide crisis.

Segmentation sounds like a big formation. Can a small hotel do this?

Yes, if you do it in stages. Minimum: allocate payments to a separate "aquarium" with strict rules, enable "guest-guest" isolation in Wi-Fi, transfer the staff network to the corporate entrance, collect "smart" devices in a separate segment with "white lists" of destinations. These steps greatly increase the cost of the attack for the attacker and reduce the possible damage.

The most "painful" part is "smart" devices and digital keys. How can I do this conveniently and safely?

Centralize management. We need a single platform as the "owner" of the entire fleet: inventory, scheduled updates, banning factory passwords, integrity checks, event logs. Locks don't need an open Internet connection — just a secure channel to the platform. Secrets don't lie "out in the open" in apps. Each door opening is an event with a time and number that is suitable for investigations. At the same time, the amenities (a mobile key, biometrics for the fitness room) remain, but with the guest's consent and correct data storage.

Social networks for hotels are also a sales channel. How can I protect them organizationally?

Just like other systems. Login — via a corporate account with confirmation. There should be no "shared" passwords. The roles are separated: who writes, who publishes, and who approves. For sensitive posts — the "four eyes" rule. Access rights and keys are stored in a secure location, and a change in phone numbers or email addresses is registered as a security incident. Plus redundant communication channels: a status page on the site, mailing lists, instant messengers, so that the brand's voice is not lost.

How to explain to the owner the payback of all these measures?

Through risk and predictability. When there is visibility, segmentation, and point-to-point access "by application", a single incident ceases to be a business crisis. You reduce downtime, avoid "chain" infections, pass checks of partners and payment systems faster, and insure risks more easily. This directly affects repeat bookings and brand credibility: it is important for the guest that "everything just works" and the hotel does not appear in scandals with data.

90-day horizon: what can a chain of one or three hotels really do?

Weeks 1-2. Make a map of systems and integrations: what is there, who is responsible, where are the "golden paths" of data. Identify "blind spots".

Weeks 3-6. Enable the "sense system" on key nodes and collect event logs in one place. Run the first automatic scenarios: isolating the infected computer, forcibly changing access keys, and blocking suspicious requests. Switch remote access to the "only necessary apps" model and enable second-factor login confirmation.

Weeks 7-12. Separate guest Internet, staff, payments and smart devices into "aquariums"; restore order in devices (updates, banning standard passwords, logs). For social networks — corporate login with confirmation, the "four eyes" rule, and backup communication channels.

What role do you assign to artificial intelligence for attackers and defenders?

Huge on both sides. It made it cheaper and faster to send fraudulent emails and search for "holes". The answer should also be smart: we analyze the behavior of systems, link events, prioritize risk, and automate the response. But the key is discipline: without segmentation and roles, no amount of intelligence can save you; with the right architecture, it just speeds up the team's work.

Where to hire people if the market is experiencing a shortage of security specialists?

Combine them. We teach "hygiene" inside — short modules, frequent re-certification of seasonal staff, materials in two languages. Complex functions — give as a service: event monitoring, response, phishing tests, vulnerability detection. This is cheaper and faster than building everything from scratch for a chain of up to 3-5 hotels. The quality criteria are simple: how quickly the problem was found and localized, and how clear the reporting is.

An example when the architectural approach "pulled out" the situation?

No names. The hotel chain faced massive phishing and several encrypted workplaces. Previously, this would have meant stopping the reception and manually checking in. But they already had automatic scripts and segmentation working. Stations were isolated, keys were reset, there was no unloading from the database, and guest Wi-Fi prevented them from "moving" to the ticket offices. It took less than a working day to recover, reservations were not affected, and there was zero noise in public. This is cyber resilience as part of the service.

What do you recommend to the owner who wants to start "from Monday", but does not like "long projects"?

Three steps.

  • Assign owners of digital systems and integrations and build a map in a week: what is available, who is responsible, and where access rights are located.
  • Enable login confirmation by the second factor for all remote and privileged users; change the remote control to "by application" access.
  • Separate payments, staff, guests, and smart devices by segment, with minimal white rules between them. Even these steps significantly reduce the risk.

If you look at the horizon for two or three years, where will the main growth be?

In managing the result, not "buying boxes". Hotels will buy predictability: how quickly we discover and recover, how reliable the "golden paths" of integrations are, how high-quality audit logs are, and how ready we are for crisis communications. Technologies are already available — it is important to integrate them into the daily operating system and keep discipline.

 
