In order to maintain a firm grip on data management, hospitality providers are looking for ways to protect both their guests and their establishments from outside data breaches by improving their hotel’s cybersecurity.
Hotel breaches have become increasingly common and have grown larger in scale in recent years as more and more transactions are done online or through OTAs. This has led to a larger risk of a cyber breach of guest data, which has put both potential guests and hoteliers on edge.
When looking for ways to improve hotel data protection, hoteliers must begin by examining the guest’s data path. To see if you have a firm grasp of how your establishment handles guest data, see if you can answer the following:
Aside from your guest’s name and possibly email address, is there any other personal information that you acquire upon check-in? Some establishments require the guest to submit a valid credit card as a way of ensuring payment; others might ask for personal ID confirmation.
Furthermore, does your establishment create guest profiles as a way of improving the guest experience? If so, what kind of information is stored there aside from personal preferences: maybe their address, or an alternative credit card? Hotel management should be fully aware of the type of information that your establishment stores, as not only is it vulnerable to cyber attacks, it has also recently become subject to regulation.
As the risk to customer data has grown so has the need for proper legislation that would encourage businesses to protect the information they are handling and ensure the safety of their clients.
It is important to note here that while an establishment is only responsible for its own data management, the nature of hospitality demands doing business with outside vendors.
It is encouraged that your establishment only forms contractual obligations with vendors that also comply with the GDPR, as many cyber threats to hospitality stem from compromised vendors rather than an in-house data breach.
Keep in mind that this includes all guest data storage methods, not limited to your PMS. Do you keep paper copies of guest check-in information? Does your property management system use an in-house server or is it cloud-based? If you use hospitality solutions from different companies, are you aware of the fact that the information is stored in different clouds? Knowing where to look when auditing data will help you avoid overlooking a possible breach in the future.
If the answer is everyone, then you may have a problem on your hands. While your staff do need a certain amount of data at their disposal in order to maintain the standards of your establishment, they should not all have access to the more sensitive parts of guest data, such as their billing address and credit card information.
This is not limited to your staff only. You must make certain that third-party vendors are also above board in their practices when handling the guest data you provide them with.
Hotel data security training should be mandatory for all staff regardless of their level of contact with the data. Data leaks often stem from unrelated sources. Instead of directly focusing on the credit card info, a hacker might gain access to a vendor’s email by phishing and then send out emails that can acquire the data they were looking for. Similarly, if your housekeeping staff does not have a basic understanding of the principles of hotel guest information safety, then they might mistakenly compromise your data by logging into an unsafe network from a work device.
Once you have a better understanding of the character of your hotel’s data gathering procedures you can look for ways to improve security and minimize the risk of a breach. Some of the more common safety measures include:
The main target of hospitality cyber breaches is always guest credit card information and, as such, it should be treated with the utmost sensitivity. In some cases, the abuse of such information could come from malicious staff members who have unsupervised access to guest accounts, which is why, in order to provide guests with safe transactions, your business should comply with the PCI-DSS.
PCI-DSS, or the Payment Card Industry Data Security Standard, is a set of procedural regulations that focuses on limiting employee access to customers’ credit card data and sets guidelines on how to properly store that information. It also requires that each employee has an account corresponding to their individual digital footprint in the hotel’s property software, as a way of limiting the possibility of insider threats.
Your email address is used as a confirmation for a number of accounts, so when it comes to creating a secure line of business communication you must make certain that your email account is not hacked. Adding another layer of authentication when your account is accessed from a different device would significantly decrease your chances of having your work email hacked.
A virtual local area network, or VLAN, is an affordable way to improve the cybersecurity of your servers. You can set up a number of network names with different levels of security so that your staff’s computers are more difficult to access, while your guests’ Wi-Fi only requires one password.
Instilling a sense of alertness in your personnel will go a long way in building successful hotel cybersecurity. With social engineering being consistently amongst the common hacking threats in the last two decades, it should come as no surprise that the biggest weakness to your hotel's data might stem from its best selling point, the human factor.
Hackers often take advantage of the compliant nature of hotel personnel; after all, the customer is always right. This is why it is important to not just brief new recruits on the possible dangers of a network cyber breach but to also host periodic seminars on the importance of your hotel’s cyber data security.
Stress the importance of following established security measure protocols and reporting possible breaches in a timely manner. There should be no second-guessing when it comes to protecting your business from a data breach.
Staff should treat the privacy of a guest’s information the same way they treat their privacy in your establishment. It’s a huge “Do Not Disturb” sign at all times.
Probably the most unconventional of all the cybersecurity solutions is the idea that, in order to improve your defences, you should consider hiring someone to attack them and find their weak spots. Hotel chains with a larger turnout of guests have much to lose in terms of revenue and reputation if their networks are breached, which is why they resort to annually hacking their own systems. Hoteliers hire hackers in order to see exactly how all of their security measures are implemented and where they can be improved. This is by far the most comprehensive form of auditing your hotel’s cybersecurity.