In a previous blog post, we discussed the top risks facing the hospitality industry. One of the most critical risks that has been very active over the past year is cyber and data security risk. In our increasingly digital ecosystems, technology deployment in hotels are increasing, especially beyond reservations and room key systems. In-room systems are being deployed to provide guests with hotel information and in some cases, apps that allow them to request amenities or order room service.
The increase in technology deployment, also results in additional access points to secure from hackers and rogue staff. The impact of a security incident, even localized to one property, can be severe. There are real financial impacts, like lowered revenue due to reputational damage and increased cost of marketing and operations to recover from security incidents. Guests are increasingly aware that hotel WIFI systems can be a security risk and personal and payment information can be compromised in the hotel ecosystem.
So what should hotel owners and operators focus on to reduce the risk of cyber and data security incidents? Here are a four areas that operators can take action on now to reduce the potential risk and make it easier to recover when incidents do happen.
1. Security Awareness
Physical security has long been a concern for hotels, but data and cyber security are now just as big of a risk for guests, even before they show up. In order to address the challenge, all staff need to be aware of potential threats, how to identify them, who to report them to, and what to do to provide security while threats are being addressed.
Hotels often conduct security training upon hiring new staff and review security measures annually, but keeping security awareness levels high throughout the year is imperative. Data breaches and hacks happen at any time from across the globe. Hotels need a vision for their security posture and plans to ensure that everyone on the frontline is aware of and supports that vision through their daily actions.
2. Insider Threats
One of the often overlooked sources of data security breaches are insiders. No matter how well you screen employees, situations arise that can cause good people to make poor choices. While staff can purposefully leak personal data (from guests and staff alike) and payment information, insiders are also often the target of socially engineered attacks.
Phishing scams, malware and other methods are often successful when associates are not aware of what is happening until it is too late. This can cause staff to inadvertently put the hotel and their guests at risk. Hotels need to constantly remind their staff to be vigilant and look for suspicious emails and activity. A guest leaving a USB drive may not be as innocent as one might assume. Keep the associates engaged with the latest cyber threats to keep awareness high.
3. Reservations, Payments and A/C?
As we’ve seen in data breaches at Target and The Home Depot, cyber thieves often gain access not through primary system access points, but rather through vendor systems. Whether it’s your HVAC vendor’s temperature control system or scheduling software system, hackers can gain access to your primary systems through partner systems that might seem innocuous.
The legal and reputational risks are high, even when a partner system gets hacked. At the end of the day, guests associate your brand and hotel property with the incident and the financial impact will be direct. Make sure associates are aware of all the potential access points and how vendors are sources of unintended cyber risk.
4. Responsive Posture
As cyber and data security events become more prevalent, it’s important to be ready with a response plan. This starts with the presumption that an event WILL happen. When it does, what does your investigative process look like? How do you keep staff informed of operational changes? And most importantly, how should front line associates respond to guest concerns?
It’s important to provide relevant information as the investigation proceeds, to both the market and insiders. Associates may not be able to answer all the questions, but providing some frequently asked questions and guidelines for responses is critical to maintaining a positive, helpful posture to help the organization recover from a security incident.
The digital age has brought a shift in how hotels operate and serve guests and have opened up additional points of risk. Awareness levels of cyber and data security risks are rising with hotels being in the spotlight this past year due to data breach events. And while these events may have been limited to specific hotel properties, it puts the entire brand at risk and reduces guest confidence. All this means that hotel operators have to involve all their staff to ensure physical and data and cyber safety and security.