No customer-facing industry is immune to the threat of cybercrime these days. But hospitality, and in particular the hotel sector, seems to draw more than its fair share of attention from cybercriminals.
The high-profile hacks and data breaches that have hurt the likes of Hilton, Marriott, Radisson Group and more provide plenty of evidence of that.
Several factors make hotels prime targets for cyberattacks. Complex ownership structures across large, international organisations make digital estates particularly challenging to protect. A big workforce with high churn rates and high proportion of seasonal or temporary workers puts major barriers in the way of training people in digital security best practices.
And then there is the fact that hotels, and indeed any kind of hospitality business that takes bookings and reservations, hold onto huge volumes of customer data. We’re not just talking payment details, often seen as digital gold for hackers. Booking system databases routinely hold customer records that include names, addresses, dates of birth, even passport numbers and other identification data.
Given that identity fraud is estimated to have a value of $5 trillion globally, this is the real jackpot cybercriminals are going for.
Hospitality businesses have had to get to grips with the rapidly evolving cybersecurity threat. Here are some of the best practice examples used to secure digital estates from rogue threats.
Protect network connections for POS
Hotels often run multiple POS systems for multiple facets of their operations. Reception, restaurants, bars, gym/leisure amenities, retail concessions – all of these require POS infrastructure of one sort or another. In the modern way of things, most are likely to rely on WiFi connections to integrate with one another and access the cloud.
This kind of joined-up, cloud-based approach to POS is great for business agility and maintaining 360-degree visibility of what is happening across the business. But all it takes is one poorly secured WiFi router, and a skilled hacker could potentially gain full access to all of your digital systems.
Sensible precautions like separating the public WiFi you provide for guest use from the network you run your business operations on can make a big difference. Business network security can be increased through the use of SD-WANs, private clouds or VPNs. And encryption can be used to ensure data is protected both when it is in transit through the network, and ‘at rest’ in databases.
Keep up with the latest antivirus and software updates
Antivirus software should be installed on all digital devices used anywhere across your estate. While encryption and secure network technology help to keep sensitive data safe behind a protective digital wall, hackers are skilled at smashing holes in those walls using various types of malware. Antivirus software is your front-line defense against those threats.
It’s essential that, once antivirus programs are installed, you stay right up to date with updates and patches, because hackers are constantly evolving their malicious code and developing new types of threats. Similarly, it’s important to keep on top of updates for all the software platforms and applications you run. Cybercriminals also probe things like operating systems and booking or payment apps to find new vulnerabilities, and you will only get ongoing protection once developers have spotted and fixed these with updates.
Limit access to sensitive information
Researchers at Stanford University have claimed that 88% of all data breaches can be traced back to human error at some point. Again, with reliance on lots of temporary workers and a large turnover in personnel, the hospitality industry is particularly vulnerable, because it’s very hard to train every worker in cybersecurity best practice.
What you can do is limit the damage that can be done when mistakes happen. Say someone leaves a terminal unattended logged into their account, or shares their login credentials via a phishing scam. How far could anyone with these details get in your system? Restrict access to the most sensitive, core systems using robust authentication measures, and you will limit the fallout from genuine mistakes.