The Story of One Hotel and Four Ransoms
There is a small 4-star hotel in Austrian Alps called Seehotel Jägerwirt. On the one hand,
there is nothing special about this hotel – it is a small gem located in Lake Turracher close to Klagenfurt and owned by the Brandstatter family. Yet, it is famous for being hacked for ransom by cybercriminals not once, not twice, not three times – it was hacked 4 times! Cybercriminals used vulnerabilities in the hotel’s computer system to lock the hotel guests out of their rooms. The ransom message was hidden in the Telecom Austria letter and Christoph Brandstatter (the owner) paid the ransom in bitcoin. There are several interesting aspects of this story. First of all, it shows us again that no business is “too small” to be the target. Second, this story is often cited as a showcase of business irrationality: indeed, from the outside it seems rather silly to become the target multiple times and pay ransom. But is it really irrational?
Rational or Irrational
The question about whether it is irrational or not depends heavily on several things. First of all, when a business is trying to build a “safe” space, what is the meaning of “safe”? Second, in doing so, what is the ultimate business goal – is it to really be safe or to be compliant with the latest cyber security regulations? Finally, what characteristics of the system are the most important for the business? Is it “robustness”, “resilience”, “agility”, “traceability”, which we have already considered earlier in this book or is it something else? What might seem rather stupid if the ultimate goal is Robust security system, may make perfect sense if the ultimate goals is Resilience. In fact, paying ransoms might not seem such a bad idea if you want to quickly put your business back on track. Fair enough, the Seehotel Jägerwirt’s case is a bit extreme, but imagine yourself in Christoph Brandstatter’s shoes? You are running a hotel and you know a lot about hospitality business (confirmed by 4.5 start rating on TripAdvisor) but not much about computers and computer systems. One day, you find all your guests locked out of their rooms.
Naturally, as any business owner who puts customers first, the main thing you are
thinking about is how to reassure your customers and fix the situation as soon as possible to avoid reputational and financial losses. So, for Christoph Brandstatter it was perfectly rational to put the system back on track as soon as possible even at a cost of paying ransom. It is important to note that despite suffering all these attacks the hotel is doing fine. It has now gone back to physical instead of the digital key system to avoid being compromised for ransom in the future.
Business Goals, Compliance and Cyber Security
The story about Seehotel Jägerwirt is important because it highlights that when
cyber security is concerned business goals are key. Therefore, it is extremely
important to determine at the beginning of your journey as a business what exactly your
security system is trying to achieve. In the overwhelming majority of cases, business
owners face a trade-off between compliance and security. By compliance we mean
adherence to the regulatory norms and laws. So, being compliant implies being careful
with systems and data not to break any regulations or laws. In contrast, being secure
means to minimize the actual risk of cyber security breaches.
You have probably already guessed that compliance is a lot easier to achieve than
security. There are several reasons why this is the case. Compliance is a very certain
phenomenon. There is a set of regulations, laws and regulatory practices which clearly
specify where and how responsibility is assigned to various actions. In other words, the
legal systems tell us precisely that if something is not done to ensure security of the
system, your business will be automatically liable by law. Obviously, the aim of the law
is to make systems more secure, yet, (i) since the law usually offers rather general
guidelines for a broad variety of actors, it is interpretable in various ways and (ii) like any
mechanism rooted in our culture, it triggers a set of predictable responses which are
mostly related to the perception of security rather than to the actual security.
For example, if the law regulates that an organization should protect customer data using all possible means and best practices, the easiest response from any organization holding customer data is to say that they purchased the most sophisticated algorithmic solution from a reputable cyber security provider. Does it comply with the regulation? Yes, it does. Does it mean that this organization really did everything in its power to secure customer data? No, it does not.
Unlike compliance, security is a very uncertain phenomenon. Whether a system is really secure depends on many factors and, most importantly, on organizational ability to anticipate threats, discover vulnerabilities, and approximate risks. We are not trying to suggest that there is something wrong with trying to be compliant rather than trying to be secure. After all, if you believe that “perception is everything”, compliance is exactly what you should be targeting. We are saying, however, that it is important to define what you are really after before investing in any cyber security measures because your goals will, in many ways, define your strategies.