Secret Escapes is one of the UK’s biggest members-only websites that runs best-in-market sales of four- and five-star hotels and holidays, offering members luxury travel deals at low prices. It operates in 21 countries and boasts more than 20 million members.
In need of a stronger security team and platform
When Chief Technology Officer, Eirik Pettersen, joined Secret Escapes in 2017, there were no other dedicated security professionals on staff. Pettersen wanted to improve Secret Escapes’ security posture, so he quickly hired an information security manager who emphasised the importance of developing the organisation’s human firewall. Together, the leaders decided to prioritise this as their first project.
At the time, Secret Escapes had previously worked with a security awareness training provider for about a year. But the team realised it wasn’t giving them what they needed and were determined to find something that would deliver more functionality, more content and better results.
Around the same period, the organisation noticed more CEO fraud attempts, wherein a criminal sends an email that looks as if it came from the CEO, asking for an invoice to be paid, funds to be transferred, or access to sensitive financial information.
The rise in fraud, coupled with the lack of results from the prior security training platform, made Pettersen especially keen to improve the organisation’s security profile, adopt a better system and expand it to the rest of the organisation’s locations around the world.
KnowBe4’s content and training platform
Pettersen launched a rigorous search for the right platform, conducting an RFI and RFP that called for rich content and cost-effective pricing. After reviewing all potential vendors, Secret Escapes chose KnowBe4, primarily for the breadth and quality of its content. Pettersen and his team also felt good about the platform’s price point, which was important given their constrained budget at the time.
Additionally, Secret Escapes’ security team had strict requirements for how the new platform would integrate with the organisation’s existing technology stack. They needed the administrative aspects of the programme to be intuitive, and wanted to have excellent visibility so managers could check in on how their employees’ security awareness skills were progressing, while also ensuring compliance with the organisation’s internal awareness training policy.
“It was really valuable that KnowBe4 gave us a dedicated point person and followed a structured way of bringing us on board,” Pettersen said. “It made the implementation process easy, and condensed the time it took for us to start seeing results.”
Finding unknown value in policy management
Even though Pettersen began using KnowBe4 for its training and ability to test team members’ knowledge and security awareness, he realised the platform could also be used as a policy manager. He and his team began adding their own content to KnowBe4, using it to track the dissemination and acknowledgement of policies.
The Secret Escapes security department was eager to run phishing campaigns, especially since they hadn’t had a way to test their users in the past. They also found the KnowBe4 Automated Security Awareness Program (ASAP) programme to be very useful in terms of intuitive onboarding and efficacy. ASAP makes it easy to get started with a security awareness training programme by recommending content based on Pettersen’s answers to specific questions and providing a calendar to get started.
Every new employee goes through the KnowBe4 Security Awareness Training, and all employees are given quick, monthly courses to reinforce their skills and knowledge.
“We love the short, sharp content that KnowBe4 provides,” Pettersen said. “It allows us to give our team members reminders of what they’ve already learned and keep it top of mind, while not asking for more than 10 minutes of their time. Then, we launch quarterly phishing campaigns, which ensure everyone is on their toes and maintains a heightened level of security awareness. That’s really important for a strong human firewall.”
Awareness turns into a culture of security
Since working with KnowBe4, Pettersen and his team now deploy employee training and testing at least 12 times a year. His initial goal – to deal with more frequent CEO fraud phishing attempts – has long been satisfied thanks to Sweet Escapes’ work with KnowBe4.
Pettersen and his team have seen a reduction in employee Phish-prone Percentage, the likelihood that a user will click on a phishing email, from 17.9% to a mere 4.4% since engaging with KnowBe4. With phishing education and testing under control, Pettersen and his team can focus on a longer-term initiative: to build a culture of security that continues to grow.
“We’ve found that our employees are becoming more aware through their monthly trainings and are all individually contributing to a much more secure environment, organisation-wide,” Pettersen added. “KnowBe4 has been instrumental in helping us to foster a culture of security within our organisation, and our Customer Success Manager has provided so much value to us. Our leadership is incredibly pleased with our progress, and we’re very proud of all the strides we’ve taken.”
We get further insight from Eirik Pettersen, CTO at Secret Escapes, into the partnership between the luxury travel arrangements company and KnowBe4.
What primary challenges did Secret Escapes face in strengthening its security posture when you first joined the company?
Secret Escapes had been growing rapidly and was transitioning from a startup to a scale-up. The focus had been on finding product/market fit and once found scaling that up as rapidly as possible. As a result, some of the dots and crosses were left off the i’s and t’s so to speak.
While our production systems were (and had always been) very secure due to a talented platform team for which information security was a passion, the end-user computing space had not been so well looked after. There was little governance and oversight on endpoint security as all EUC tasks were outsourced to an MSP and managed internally by non-technical staff.
How did the increase in CEO fraud attempts influence your decision to prioritise security awareness training?
One of the first actions we took when we embarked on our Information Security Training was to introduce security awareness training. As we all are aware, the human firewall is a key part of the defences and it provides great bang-for-buck in terms of improving your security posture. From time to time, we experience CEO and other spear phishing type attacks and we use these as opportunities to reignite awareness by adjusting our monthly, bite-sized training campaigns to include relevant modules.
How has KnowBe4 improved Secret Escapes’ ability to track policy dissemination and employee acknowledgement, and how crucial is this to your security strategy?
We have taken advantage of the features provided in Secret Escapes to distribute our key policy documents regarding our Security Awareness Training (SAT) programme, our data protection obligations as well as anti-bribery training. Being able to be confident that documents have been read and acknowledged, as well as being able to present evidence to any external auditor, has been a real efficiency gain for us and forms the basis for all our policy adoption initiatives.
How has the introduction of monthly training sessions and quarterly phishing campaigns impacted the overall security culture within Secret Escapes?
Since introducing the KnowBe4 and conducting their initial Security Awareness Proficiency Assessment (SAPA) we have seen the PhishProne score drop dramatically and it has remained low ever since. And I regularly get the training quoted back at me by staff in various situations, so I know it is sticking. The modules we have selected tend to be short-form and strike a balance between serious and humorous which keeps it interesting and easy to consume for our staff.
How do you balance the need for strong security measures with the imperative to provide a seamless and enjoyable customer experience in the hospitality sector?
Clearly, it’s paramount to maintain strong security around people’s personal information and travel bookings, so we take the security of our production systems very seriously. However, we don’t see that affecting our user experience. To gain access to the website to see our exclusive discounted deals, we require you to sign up with your email address. To ease that experience, we have created a ‘semi-logged in’ state where you can see all our prices, but you don’t need to supply a password. If you want to view your account details or to book you then of course we need to authenticate the member and we require their password.
What unique security challenges does the hospitality industry face?
Many security challenges the hospitality industry face is shared with other industries, but the diverse array of IT systems and high staff turnover can create many vulnerable points for cyberattack. On top of this, the very nature of hospitality presents a high number of physical security risks – large throughput of unfamiliar individuals in a limited shared space presents many opportunities. A multi-layered security approach, encompassing technical safeguards and staff training, is essential to safeguard both guests and their data.
Given the global nature of hospitality businesses, what are the key challenges in maintaining consistent security standards across different regions and countries?
Varying regulations and local threats contribute to the challenge of managing a global business, and it’s no less the case for hospitality. Combined with the challenges of working with disparate IT systems and geographically dispersed vendors it can be a minefield. Establishing a strong framework with clear policies and a central governance process can help manage the risk, but it’s important that it is adaptable to local exceptions and that you can leverage local partnerships.
What are the most common cybersecurity threats currently facing the hospitality industry, and how can organisations proactively defend against them?
The cybersecurity threats the hospitality industry is most likely to face are data breaches, phishing, ransomware, POS attacks, DDoS attacks and IoT vulnerabilities. To defend, companies need to take proactive measures such as staff training, strong authentication, anti-malware, encryption, backups, network segmentation and hardening of devices. Continuous vigilance and a holistic approach are both key to protecting both data and reputation.
Looking ahead, what are your long-term goals for Secret Escapes’ security culture, and how do you envision KnowBe4 supporting these objectives in the future?
In a world of ever-growing Software-as-a-Service offerings, it’s important to strike a balance between empowering your business functions to seek out technology solutions that improve their effectiveness while mitigating the risks of shadow IT. This holds even truer as more and more of these solutions come with generative AI features built in. By developing clear policies around how software should be selected, implemented and operated and how to adopt GenAI features, we hope to rise to that challenge, and we see KnowBe4’s capability to provide training and distribute policy as a key part of that.
Click below to share this article
