Why cybersecurity matters in hotels


In an era in which personal data is worth more than any bank heist, industries processing massive amounts of personal information are the preferred target for cyberattacks.

Hackers breaching systems in the hospitality and tourism industry are reported regularly, as the amount of information processed through the industry’s systems on a daily basis makes them a major target. 

The data processed by the industry is a gold mine for cybercriminals looking to carry out credit card fraud and identity theft crimes, as the information customers provide to hospitality companies often includes a copy of the client’s passport including its full name, address, date of birth, country of origin as well as its email, and credit card details –  to name only the most frequently gathered and documented details. 

Although the credit card data seems the most coveted, it is actually personally identifiable information (PII) that is considered the most valuable.

Failing to guarantee your guest’s confidentiality, and data safety, would cause major detriment to your organization whether it be to its reputation, legal or financial standing. 

Published research from Cisco determined that 22% of breached companies lost clients following the attack, showing just how seriously customers take the commitment of a company to secure their data. 

It is estimated by The World Tourism Organization ( UNWTO) that by 2030, there will be approximately 1.8 billion international tourists crossing borders; keep in mind that these numbers don’t include local tourism.

With these numbers in mind, the understanding of the need for immediate actions regarding the handling of the gargantuan amount of data that is being collected, processed, and safeguarded becomes clear.

Typically, when you think about cybersecurity, virus attacks through malicious malware come to mind.

Despite these common threats to security, human error still remains the underlying concern for business owners.
In fact, according to Decode the Human Threat only 18% of data breaches are caused by an external threat and up to 82% of all cyber-attack claims are due to human error.

The primary factor of security breaches: human error

The business structure of the hospitality industry is often built out of complex ownership collaborations, consisting of a management company that runs the business, a group of owners, and often a franchisor. 

Each of the entities above is storing crucial data in different computer systems, moving it around frequently, and possibly sharing it with different external third parties.

This complex ownership structure is on its own a very possible source of breaches as proven in the case of the Wyndham Worldwide breaches which occurred back in 2008 and 2010: by gaining access to the entire corporate network of the organization, hackers stole credit card and other details about customers resulting in $10.6 million in fraudulent charges.

As the primary form of payment in the hospitality industry is a credit card, infecting point-of-sale systems with malware is one of the preferred practices of hackers to reach a massive amount of credit card details.

The breach doesn’t need to occur remotely, it can very well be carried by affecting an unattended device and spreading the virus through to the whole computer systems from that one location.

Protecting this sensitive data becomes particularly tricky when considering that when talking about keeping personal data safe, human error is the number one reason for breaches.

It implies that business owners must invest more in employees, both through the provision of education & awareness; a full reeducation needs to be carried amongst all personnel and third-party service providers. Recurrent training programs and new Protocols need to be implemented as well.

Considering that one-third of hospitality business owners admit to not having protocols or even policies in place for the storage and disposal of confidential information stored on devices, enforcing policies for document destruction and their digital storage is the first step in creating a more secure line of protection for customer information. 

These numbers should be a great source of concern for customers who trust these hosting companies with their sensitive information, and this should be a strong incentive for those brands to protect their clients and understand that although 36% of them are believing that data breaches are not a real issue and are blown out of proportion… It actually isn’t so: instead, it is a very real threat that needs to be addressed by intensive training programs and the implementation of strict protocols.

Falling Culprit to fraudulent emails

Another way of taking advantage of the lack of training and supervision of employees is through fraudulent emails, commonly known as phishing. It is one of the most dangerous security threats.

Regardless of how skilled your employees may be and despite what they may think they know about phishing, the skills of cybercriminals invested in creating extremely sophisticated emails replicating trusted business communication can fool an untrained and gullible clerk.
Opening such an email or its attachment would launch a trojan horse or a virus which will extend its ramifications through the whole computer network of the organization, giving attackers a foothold into the business from which they can extract sensitive client data, account passwords, intellectual property and much more. 

McAfee estimates that 97% of people are unable to identify a sophisticated phishing email making phishing the most dangerous and successful of all cyberattacks ( 91% of all cyberattacks start with a phishing email).

How Can Businesses Mitigate Exposure? 

Beyond the imposed requirements, data management is a business reality and it is imperative as a hospitality company to take care of your guests the best you can.

For this reason, securing data must be a strategic process involving everyone within the organization. 

Your company’s first step is to implement a cybersecurity management plan, with actions to prevent data loss and a continuity plan ready to go in the case of a breach. 

Your main defense will be to train staff on the security risks, how to minimize them, and how to detect infiltration. This is an ongoing process that needs continual maintenance: making sure software and systems are up-to-date, as well as firewalls and antivirus programs. 

It’s imperative that business owners put together a form of a training plan for new and old employees alike, to keep them up to date with cybersecurity basics that may prevent the loss of crucial information.

Joining forces with an experimented cyber risk management company that offers business owners and their employees with the training, the knowledge, the tools, and the support to building a healthy and efficient safety policy around their existing IT infrastructure will not only help business owners reduce the likelihood of a cyber-related incident, but it also offers valuable training services to ensure employees are up to date with the latest security policies.

Always remember that being compliant is not the same as being secure!

We’ll teach you how to repel cyberattacks.