Awareness, prevention, mitigation: Cybersecurity for hoteliers

The hospitality sector is especially vulnerable to cyber threats. Hotels store a wealth of sensitive information, including guests’ credit card data and contact details, and in some cases passports and driver’s licenses. Hotels also are increasingly reliant on technology for check-ins, content streaming, payments, property management systems, digital kiosks, security and access systems, IoT devices and more.

“This expansion of connectivity could open the door for more vulnerabilities,” said Chris Spencer, chief information security officer at Nomadix. “A cyber attack on a hotel's PMS, for example, can have serious consequences, ranging from the loss of guest data to the complete shutdown of hotel operations.”

But hotels have tools and training available to them that can create a tough nut for hackers to crack. Spencer offered these mitigation strategies for hotels to protect sensitive data and prevent unauthorized access:

  • Network segmentation: Separate IoT devices from core networks and customer data. “By isolating them, a breach in one area does not give attackers carte blanche to move laterally and access sensitive data,” Spencer said.
  • Robust device management: Deploy a centralized IoT management platform to monitor devices, track firmware updates and maintain secure configurations.
  • Vendor vetting: Partner with reputable and responsible vendors who proactively manage and secure their supply chain. “As part of the procurement process, request detailed insights into their security measures, patch management and compliance with industry best practices,” Spencer advised.
  • Secure configuration and updates: To reduce the attack surface, implement strong passwords, patch IoT devices regularly and disable unnecessary ports or functionalities.

Be Proactive And Vigilant

Ryan Tomlinson, VP of product and engineering, Mews, offered these tips to help hoteliers reduce the risk of a cyber attack:

  • Use secure logins. Also, never use search engines to find login pages, Tomlinson advised. Instead, bookmark official URLs to prevent falling for fake websites.
  • Strengthen passwords. Use complex, unique passwords and store them securely with a password manager.
  • Enable two-factor authentication (2FA) and single sign-on (SSO). These extra security layers can help prevent unauthorized access.
  • Train your team. Educate your staff on recognizing phishing attempts and suspicious emails.
  • Monitor and respond. Set up alerts for new logins and establish a clear reporting process for cyber threats.

“Being proactive and vigilant is the all-important first step,” Tomlinson said. “By following these tips, hoteliers can safeguard both their business and guests from cyber attacks.”

Consider Cloud-Based Solutions

According to Laura Calin, senior vice president, Oracle Hospitality, hoteliers can enhance cybersecurity by adopting cloud-based solutions.

“Solutions such as the Oracle OPERA Cloud hospitality platform and Simphony Cloud point-of-sale offer robust security features such as encryption and multi-factor authentication, making it tougher for cybercriminals to access sensitive data,” Calin said. “This is a critical step in helping prevent breaches and protecting guest information.”

She added that employees are the first line of defense, so they should be trained to recognize potential threats. Suspicious emails, unusual network activity, or unauthorized data access attempts should be reported promptly. Regular cybersecurity training can empower staff to respond effectively.

In the event of a suspected scam or unusual activity, employees must follow established reporting procedures. Quick reporting to IT or security teams can help contain the threat and minimize damage.

“Combining cloud security with employee vigilance and training can help create a strong defense against cyber risks,” Calin concluded. “This approach enables hoteliers to safeguard guest data and maintain trust, a competitive advantage in the digital age. By staying proactive, hotels can protect their reputation and provide guests with peace of mind.”

Safeguard The Human Element

Hoteliers are at risk from various forms of cyber attacks—two of the current favorites of hackers are ransomware and phishing—but new risks are always on the horizon, warned David Christiansen, chief information officer of VENZA. That’s why VENZA provides training in security awareness, data protection and regulatory compliance: The best defense against many types of cyber attacks is a well-trained staff.

“You can never take the human element out of the equation, so we provide a holistic approach with the primary focus on what we call the human firewall,” Christiansen told Hotel Management. “You can spend as much money as you want on a tech stack and have all the applications and all the hardware in the world, but all the hackers have to do is convince one employee to give them access to the kingdom and they can walk right through the front door.”

Training and ongoing awareness are key to preventing an attack, and Christiansen is a proponent of hoteliers providing their teams with policies and standard operating procedures (SOPs) to follow when they encounter any suspicious activities. He recommended having a “verifying vendor phone call” SOP for both daytime and after-hours use, when hackers may try to take advantage of reduced staffing or tired employees. For example, you might have a caller claiming to be the hotel’s tech vendor requesting access to the hotel’s network to perform an upgrade, and an after-hours protocol may be as simple as taking the caller’s number and telling them their call will be returned in the morning.

“For hoteliers, it's all about the layers of controls and security,” Christiansen said. “The hackers are always looking for a way through at any given time, so you've got to have everything covered: people, processes and technology. And even when you’ve done that there's always likely to be a weak link somewhere. So awareness and prevention are important, but equally important is how fast can you detect and react when something happens.”

This article was originally published in the May edition of Hotel Management magazine.