Cybercrime is on the rise, and the hospitality sector is a prime target. Recent high-profile breaches at the US chain Marriott and at China’s Huazhu Hotels Group show that it is an issue hotel executives can no longer ignore. The UK Information Commissioner’s Office announced its intention to fine Marriott nearly £100m over its breach, so protecting customer data is vital if hotels are to avoid a similar outcome.
Cyber criminals are constantly finding new and more sophisticated ways of stealing sensitive customer data from hotel websites, booking systems, servers, mobile platforms and even front desks. Hoteliers therefore need sound procedures for accepting and storing that data, and for protecting it against breaches. With attackers becoming smarter every year, hotels need to be compliant and ahead of the game.
Accepting and storing customer data
First and foremost, hoteliers in the UK should be complying with the GDPR, the European Union (EU) data-protection regulation that came into effect on May 25, 2018. It introduced controls and limitations on how businesses, including hotels, may use, manage and share personal data.
The Information Commissioner’s Office (ICO) can now issue much larger fines for data breaches and non-compliance than it could under the previous Data Protection Act: up to €20m or 4% of worldwide annual turnover, whichever is higher, against a previous maximum of £500,000.
Remaining compliant with personal data
‘Personal data’ means any information relating to an identified or identifiable person in the EU, and that covers employees as well as guests. The identifier does not have to be unique on its own: a name, phone number or IP address each counts, as does any combination of details that singles someone out.
To remain compliant with GDPR and keep personal data secure, hotels should take into consideration:
GDPR also reaches the software hoteliers use. A vendor that receives personal data from a hotel (a booking engine or property management system, for instance) is a ‘processor’ and carries the same obligations over that data as the hotel does as ‘controller’. GDPR requires a written contract between the two, usually called a Data Processing Agreement (DPA), setting out what the vendor may do with the data and the security measures it commits to. A vendor should be able to provide one on request; one that cannot should not be handling guest data.
GDPR Article 32 sets the standard: “…the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
Below, we outline some examples of appropriate measures:
Protecting data and avoiding breaches
Encryption is one of many options available to protect data. GDPR does not mandate it, but Article 32 names ‘the pseudonymisation and encryption of personal data’ as an example of an appropriate measure. If you encrypt your hotel’s databases and their backups, a copy of the database that leaves the building (a stolen laptop, a lost disk, a backup left on an exposed file share) is unreadable without the key. Two caveats: keep the key somewhere other than the database it protects, and remember that encryption at rest does nothing against an attacker who has compromised the application or an account that is allowed to read the data, so it complements access control rather than replacing it.
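As an added example, not code from the article or from ramsac, the following Go program shows what ‘encrypting the database’ looks like when done at the application layer: the personal-data fields of a guest record are encrypted with AES-256-GCM before they are written, using a key that lives outside the database, so a copied database file reveals nothing. It goes slightly beyond the text by binding each encrypted field to its booking reference, so a blob cut from one guest’s row cannot be pasted into another’s. The record layout, the booking references and the guest details are all made up for illustration; in production the key would come from a key store (a KMS, an HSM or a tightly permissioned secrets file), never from the database itself.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// GuestRecord is the plaintext a property management system holds; Name and Phone are personal data.
type GuestRecord struct{ BookingRef, Name, Phone string }

// StoredRecord is the row as written to the database: Name and Phone are AES-256-GCM blobs
// (nonce || ciphertext || tag); BookingRef stays in clear so rows can still be looked up.
type StoredRecord struct {
	BookingRef  string
	Name, Phone []byte
}

// FieldCipher wraps the data-encryption key, which must live outside the database it
// protects (a KMS, an HSM, or at least a secrets file only the application can read).
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher builds an AES-256-GCM cipher from a 32-byte key.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one field under a fresh random nonce. The booking reference is bound in
// as associated data, so a blob cut from one guest's row will not decrypt in another's.
func (c *FieldCipher) Seal(bookingRef, plaintext string) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, []byte(plaintext), []byte(bookingRef)), nil
}

// Open reverses Seal; it fails on a wrong key, a tampered blob or a mismatched booking reference.
func (c *FieldCipher) Open(bookingRef string, blob []byte) (string, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, blob[:ns], blob[ns:], []byte(bookingRef))
	return string(pt), err
}

// Store encrypts a guest record into the form written to the database.
func Store(c *FieldCipher, g GuestRecord) (StoredRecord, error) {
	name, err := c.Seal(g.BookingRef, g.Name)
	if err != nil {
		return StoredRecord{}, err
	}
	phone, err := c.Seal(g.BookingRef, g.Phone)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{BookingRef: g.BookingRef, Name: name, Phone: phone}, nil
}

// Load decrypts a row. Anything holding the key can do this, including an attacker who has
// compromised the application: encryption at rest protects copies of the data, not live access.
func Load(c *FieldCipher, s StoredRecord) (GuestRecord, error) {
	name, err := c.Open(s.BookingRef, s.Name)
	if err != nil {
		return GuestRecord{}, err
	}
	phone, err := c.Open(s.BookingRef, s.Phone)
	if err != nil {
		return GuestRecord{}, err
	}
	return GuestRecord{BookingRef: s.BookingRef, Name: name, Phone: phone}, nil
}

func main() {
	key := make([]byte, 32) // from the key store in production, never from the database
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	c, _ := NewFieldCipher(key)
	g := GuestRecord{"BK-1001", "Ada Example", "+44 20 7946 0000"} // constructed, not a real guest
	row, _ := Store(c, g)
	fmt.Println("stored row contains the name in clear:", bytes.Contains(row.Name, []byte(g.Name)))
	back, _ := Load(c, row)
	fmt.Printf("decrypted with the key: %+v\n", back)
	row.BookingRef = "BK-2002" // the encrypted blobs moved to another booking
	_, err := Load(c, row)
	fmt.Println("decrypting under a different booking reference:", err)
}
```

The point the program makes is the one in the paragraph above: the row written to disk carries no plaintext, yet whoever can call `Load` with the key reads everything, so the key’s custody and the application’s access controls decide how much the encryption is actually worth.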
Frequent auditing and testing
Frequent security audits and penetration tests should be performed to check that internal procedures are keeping up with the threats and with industry developments. Where they are not, the procedures need to change, and the next audit should confirm that they have.
Audits help hoteliers identify what is working well and, more importantly, what is not: where the vulnerabilities lie. The scope should include backups, antivirus and malicious-activity protection, hardware, firewall configuration, passwords, admin rights and business continuity.
IT security is as much about people as about infrastructure. Training and proper procedures for staff are critical when it comes to storing and protecting data; in fact, one of the biggest vulnerabilities in hotels is employees’ lack of awareness. Front-desk and reservations staff handle guest identity and payment details all day, which makes them the natural target for phishing emails and for phone calls from someone claiming to be a guest, a supplier or head office.
Having solid procedures in place is just as important as using the right, secure technology. A cybersecurity risk assessment will highlight the weak spots, so you can act on the results and put better internal policies in place.
Backups are essential to protect critical data, but keep copies in more than one place, for instance in the cloud and on a physical device, and make sure at least one copy is offline or otherwise cannot be altered from the network. If ransomware or a virus breaks out, a backup drive that is permanently attached to the network will be encrypted or wiped along with everything else. Test restoring from each copy regularly; a backup that has never been restored is an untested assumption.
At the end of the day, no single control gives complete security; a multi-layered approach is what gives hoteliers real protection and peace of mind. With systems under attack on a daily basis, can your hotel afford not to?
The article was produced by ramsac, an IT support and managed services provider, offering a proactive 24-hour service which cuts the stress out of managing technology.