Personal information is the coin of the realm in the hospitality sector. Organizations capture and store immense amounts of personal data about their guests, including payment details, loyalty program information and sometimes even biometric data. All of this data is vital to their operations. It’s also highly valuable to hackers.
It’s hardly surprising that the hospitality sector is a prime target for cyberattacks. Because they rely heavily on interconnected systems, hospitality organizations are also highly vulnerable to cyber threats. Recent reports show high attack rates with the potential for severe financial and reputational risks.
In September 2023, a major casino brand was hit by a social engineering attack that disrupted check-ins, room keys and slots. The attackers used LinkedIn data to impersonate an employee and get the IT help desk to reset credentials. Once inside, the attackers escalated their privileges, stole approximately 6TB of sensitive data and deployed ransomware on critical systems. The attack caused widespread outages across more than two dozen properties, resulting in millions of dollars in lost revenue and financial penalties.
Building the Human Firewall
That incident drives home the fact that employees are the first line of cyber defense. Organizations can invest in best-in-class security tools but suffer a breach because employees choose weak passwords or write down security challenge questions. Sharing too much information on social media can create security risks, as can failing to be wary of suspicious phone calls, text messages and emails.
Hospitality organizations should provide security awareness training with an emphasis on social engineering attacks. Training should be tailored to specific roles and property types and repeated at least every six months, or as new threats emerge.
However, the hospitality sector often struggles to create a robust security culture due to high staff turnover and under-resourced IT teams. A focus on the guest experience can also overshadow security. Building a true security-first culture requires a top-down commitment and consistent, role-specific training. Security best practices should be embedded into operations, and employees should be encouraged to report issues.
Prioritizing Security When Choosing Technology Solutions
Legacy IT systems also create vulnerabilities in many hospitality organizations. Upgrades are expensive and complex, with the potential for migration problems and downtime. Deeply ingrained culture and fear of disruption also cause resistance to change. However, a security breach due to an outdated tech stack would be far more costly and disruptive.
IT modernization should prioritize data privacy and security. Systems should provide granular access controls and the ability to monitor and log activity. Organizations should enforce multifactor authentication for all accounts and follow least-privilege access principles. Data should be encrypted at rest and in transit. Tokenization can provide another layer of security.
Cloud-based solutions should also have strong security. Data should be protected using multiple layers of security, including encryption and strong authentication. Organizations should also have the ability to mask data dynamically and restrict access based on a wide range of criteria. Vendors should be vetted for their certifications and compliance history.
Complying with Privacy Regulations
Data sovereignty is another critical consideration when choosing cloud-based solutions. Hospitality organizations must comply with diverse privacy laws, particularly if they have a multinational footprint. Storing sensitive data in the wrong geographic region can result in fines and other penalties. Organizations should choose cloud platforms that allow them to control where their data is physically stored, processed and accessed while still allowing seamless data flow across multiple systems, applications and locations.
Hospitality organizations shouldn’t view compliance as a burden or a check box. It should be seen as an opportunity not only to prevent a devastating breach but also to strengthen brand trust. The most loyal customers want to know that their personal data is protected.
Some hospitality organizations are hiring Chief Information Security Officers and Chief Privacy Officers to oversee these initiatives. Others, however, may not have the need or budget to create those roles. Technologent’s consultants have experience developing cybersecurity strategies for some of the largest hospitality brands. Let us help you protect your most sensitive information while delivering an unmatched guest experience.
March 4, 2026