Four Ways to Address Cyber and Data Security in Hotels

In a previous blog post, we discussed the top risks facing the hospitality industry. One of the most critical risks that has been very active over the past year is cyber and data security risk. In our increasingly digital ecosystems, technology deployment in hotels are increasing, especially beyond reservations and room key systems. In-room systems are being deployed to provide guests with hotel information and in some cases, apps that allow them to request amenities or order room service.

The increase in technology deployment, also results in additional access points to secure from hackers and rogue staff. The impact of a security incident, even localized to one property, can be severe. There are real financial impacts, like lowered revenue due to reputational damage and increased cost of marketing and operations to recover from security incidents. Guests are increasingly aware that hotel WIFI systems can be a security risk and personal and payment information can be compromised in the hotel ecosystem.

So what should hotel owners and operators focus on to reduce the risk of cyber and data security incidents? Here are a four areas that operators can take action on now to reduce the potential risk and make it easier to recover when incidents do happen.

1.  Security Awareness
Physical security has long been a concern for hotels, but data and cyber security are now just as big of a risk for guests, even before they show up. In order to address the challenge, all staff need to be aware of potential threats, how to identify them, who to report them to, and what to do to provide security while threats are being addressed.

Hotels often conduct security training upon hiring new staff and review security measures annually, but keeping security awareness levels high throughout the year is imperative. Data breaches and hacks happen at any time from across the globe. Hotels need a vision for their security posture and plans to ensure that everyone on the frontline is aware of and supports that vision through their daily actions. 

2. Insider Threats
One of the often overlooked sources of data security breaches are insiders. No matter how well you screen employees, situations arise that can cause good people to make poor choices. While staff can purposefully leak personal data (from guests and staff alike) and payment information, insiders are also often the target of socially engineered attacks.

Phishing scams, malware and other methods are often successful when associates are not aware of what is happening until it is too late. This can cause staff to inadvertently put the hotel and their guests at risk. Hotels need to constantly remind their staff to be vigilant and look for suspicious emails and activity. A guest leaving a USB drive may not be as innocent as one might assume. Keep the associates engaged with the latest cyber threats to keep awareness high.

3. Reservations, Payments and A/C?
As we’ve seen in data breaches at Target and The Home Depot, cyber thieves often gain access not through primary system access points, but rather through vendor systems. Whether it’s your HVAC vendor’s temperature control system or scheduling software system, hackers can gain access to your primary systems through partner systems that might seem innocuous. 

The legal and reputational risks are high, even when a partner system gets hacked. At the end of the day, guests associate your brand and hotel property with the incident and the financial impact will be direct. Make sure associates are aware of all the potential access points and how vendors are sources of unintended cyber risk.

4. Responsive Posture
As cyber and data security events become more prevalent, it’s important to be ready with a response plan. This starts with the presumption that an event WILL happen. When it does, what does your investigative process look like? How do you keep staff informed of operational changes? And most importantly, how should front line associates respond to guest concerns? 

It’s important to provide relevant information as the investigation proceeds, to both the market and insiders. Associates may not be able to answer all the questions, but providing some frequently asked questions and guidelines for responses is critical to maintaining a positive, helpful posture to help the organization recover from a security incident.

The digital age has brought a shift in how hotels operate and serve guests and have opened up additional points of risk. Awareness levels of cyber and data security risks are rising with hotels being in the spotlight this past year due to data breach events. And while these events may have been limited to specific hotel properties, it puts the entire brand at risk and reduces guest confidence. All this means that hotel operators have to involve all their staff to ensure physical and data and cyber safety and security. 

How Hospitality Staff Can Address Four Top Risks

According to Deloitte’s Hospitality Outlook 2017 report, challenges to the hospitality industry will continue to create opportunities for growth, but not without execution risk. Changing consumer behaviors and expectations are putting additional pressure on hotel owners and operators to adapt their services. And cybersecurity continues to put hotels at risk with examples of recent breaches in data security that leak personal and payment information. 

While the global political landscape can create angst amongst travelers, the improved economy and are encouraging travelers to explore and spend money. For those in hospitality, this is a good sign. But disruptors like private rentals through Airbnb and HomeAway are giving travelers new options outside of traditional hotels. Hotel operators need to continue to innovate while ensuring that they provide exceptional service since their staff can offer something private rentals can’t. And there has to be relentless focus on the key operational risks that can create the difference between a failing hotel and a successful one. Let’s look at four of these top risks and what we can do to address them.

1. Data Privacy
Cybersecurity is still a top risk today, with the vast majority of bookings transactions being handled through credit cards and online payments. Identity theft and payment fraud are big worries for hotel operators. How do you ensure that front desk staff are checking ID’s and following procedure? How should your staff react to concerns of identity theft?

While secure systems and workstations are a must in combating today’s data security risks, the human element can’t be ignored. So much of fraud and data leaks originate from human error or lack of proper procedures. Staff have to be trained to securely handle payment and identity information to protect guests and hotel alike. 

And with the on-going evolution of hackers, hotel staff have to stay on top of the latest procedures in order to secure their data. This means continuous awareness of existing and new information. Hoteliers would be wise to assess front desk staff on a regular basis to avoid unnecessary risks while keeping cybersecurity top-of-mind in addition to quality guest services.

A security breach can have great ramifications on the brand and impact future bookings. If guests are not comfortable with a hotel’s data security posture, bookings can slide, costing significant future revenue.

2. Guest Behavior
While guests are the source of revenue for hospitality, they can also be the biggest risk. Hotels can’t survive without guests, but there are a lot of uncontrollable circumstances when guests are involved. Travelers set up house in many cases and guest behavior can cause both property damage as well as liability for the hotel. Slips and falls can result in lawsuits while unruly behavior after a party can damage the hotel, not to mention the impact on staff morale for cleaning up after the guests.

There have been many examples impacting guest and staff experience. And often times, handling the situation can be delicate in order to refrain from offending guests while holding behavioral guidelines. Staff have to be reminded of expected guest behavior while being comfortable being empowered to handle incidents directly. 

Hotel operators need to have a close eye on the operational risks that can result from poor guest behavior. Keep the staff informed in order to reduce the risk from guest incidents.

3. Brand Resilience
In hospitality, it’s all about the brand. Operators rely on the brand’s stature in the market to lure guests looking for the value they provide. With that, brands focus a lot of effort in making sure that guest experience is consistent across hotel properties, regardless of hotel operator and location. Brands spend a lot of money advertising and creating loyalty programs to keep guests coming back.

With the level of investment in building the brand, risks that can impact brand resilience have to be addressed. Hotel staff are often the key representation of the brand, executing on the commitments and sentiments of the brand in the market. So how do you make sure the brand is well represented? Do the staff know the focus of guest experiences and what services should be delivered, according to the brand?

Operators are constantly at-risk of brand audits and ensuring compliance with brand standards, where non-compliance leads to fines and additional costly audits. Keep the staff informed to help keep the brand resilient.

4. Staff
As we’ve seen through the three previous risk areas, hotel staff play a key role in both delivering value as well as being risk mitigators. Front desk staff are key to defending against credit card fraud and data leaks. Managers and housekeeping staff guide and respond to guest behavior issues. And all staff are part of delivering on the brand promise by ensuring a quality guest experience.

But relying on the staff can be difficult, where on-going high turnover and low wage levels compound the challenge of building a sustainable, engaged employee base. Creative operators are innovative with rewards and recognition programs while ensuring their staff is as knowledgeable as possible. 

To address these risks, operators need to find ways to continuously raise awareness levels in their staff while creating an engaging environment in order to deliver on expected guest experiences. These challenges are not likely to go away and the staff is the best line of defense in these key risk areas.