Hoteliers, let me ask you a question. What does it mean to run a secure hotel? The answer may vary, depending on who you ask. Why? Because security, across any industry, is a multifaceted discipline and an essential consideration for brands that interact with customer data and information. Cybersecurity attacks are commonplace in today’s world, and hotels are increasingly attractive targets due to their association with a variety of sensitive data. In fact, two of the top five biggest data breaches made public in 2020 were at hotel chains. Globally, cybercrime damages are expected to reach US $6 trillion by 2021.
As our industry continues to embrace technological innovation across common touchpoints in the name of enhanced convenience and personalization, we realized the subsequent need for enhanced security protocols. With great power comes great responsibility, and the handling of personal data is no exception. The possibility for personalization is seemingly endless, but so are the associated security risks if hotels don’t take the necessary precautions to fortify their operations. Ironically though, hospitality’s ongoing focus on compliance often obscures the macro-level view of hotel security. All too often, we make the mistake of associating compliance with security when, in fact, they are not synonymous. Adherence to regulatory standards is important, but these standards often fail to account for the increasingly nuanced and ever-changing requirements of cybersecurity initiatives across hospitality.
With ten years of former military experience under my belt, I’ve entered IT and cybersecurity with a unique perspective. My former career instilled in me the importance of a detail-centric approach, which I now apply to the world of hospitality regulations and procedures. I understand, intimately, that compliance is the first step – but it isn’t the entire picture. This realization holds even more weight in the pandemic era, a time when hotels are increasingly vulnerable to cybersecurity breaches and risks.
A Demand for Security Innovation
Historically, the hospitality industry has been slow to embrace technological change. Under the guise of tradition, many hospitality leaders have fallen victim to antiquated ideologies over the years — better known as the “we’ve always done it this way” mindset. Despite this, innovation is, ultimately, undeniable across a landscape that is primarily dictated by guest demands and preferences. However, the rate of change across our industry is often slow, and there is perhaps no better example of this stalemate than hotel tech security.
While many aspects of our industry have seemingly ‘caught up’ to other sectors in regards to forward-facing innovation, IT and security have, for the most part, been left in the proverbial dark ages. We see hotels offering their guests an ultramodern experience, rife with next-gen upgrades and platforms including self-service kiosks, smart hotel rooms, AI-powered concierge robots, and keyless room entry. These are incredible advancements. When we pull back the curtain to view the policies and procedures at work behind the scenes, we realize a stark contrast. A robot concierge at a given hotel might know your name and seamlessly address your requests once you arrive on the property. However, that same hotel will probably still require you to manually fax or email a credit card authorization form. As an industry, we are making strides forward, but we have – for the most part – left core security considerations behind.
To this effect, many of the hotel security breaches that dominated headlines involved hotels that were, in fact, compliant in terms of regulatory standards. These breaches often compromised point of sales systems that, despite complying with current industry standards, exposed guest credit card information in a way that put guests and hotel reputations at risk.
Hotel Security for a Post-Pandemic World
When considering the scope of hotel cybersecurity, it’s important to recognize that credit card theft is only one of many risks. Our industry relies on the exchange of large amounts of sensitive personal information, and the post-pandemic innovation and automation poised to spearhead hospitality’s recovery will, ultimately, thrive on guest data. As we look to a future of keyless room entry, AI-powered touchpoints, and high-tech self-service, we must consider the enhanced security required by increasingly interconnected hotel systems. Reports indicate that the more devices connecting to a network, the more vulnerable it is to cyberattacks.
513,936,296 hospitality data records were stolen or lost in 2018. In early 2020, 5.2 million guest records were compromised in one hotel chain breach
423 million travelers have been victims of a cyberattack through their business with hotels
70% of guests believe hotels don’t invest enough in cybersecurity protection
Moreover, we must acknowledge the current state of the hospitality workforce. As our industry prepares for recovery after a period of severe downturn, we will welcome many newcomers to our industry in addition to restricted staffing due to limited post-pandemic budgets and cost-saving initiatives. New talent is welcome, but hotels should be increasingly cognizant of IT and cybersecurity training and awareness for all new and returning staff. After all, 95% of all data breaches can be traced to human causes. With this in mind, comprehensive cybersecurity training should be prioritized at every level of any organization.
In fact, hotels should take this time to audit and, potentially, reinvent their cybersecurity best practices. Not only should risk assessments be performed every year, but they should also be performed every time a hotel implements a new solution. This may seem tedious initially, but dealing with the costs and reputational repercussions of a large-scale cybersecurity breach is far more taxing.
Now, more than ever before, hoteliers must look beyond compliance to consider big picture hotel cybersecurity. Identifying any and all opportunities for risk is the only way to defend against it, and data security should be embedded into the very culture of a hotel. The more you educate your employees, the less likely they are to become the victim of a breach or attack..
In the post-pandemic world, creating a truly secure environment demands a diverse and increasingly detail-oriented approach to managing and protecting sensitive information.