Protecting your hotel from cyber risk

29 October 2019

Every year, our UK Hotels Forecast offers a fascinating insight into the shape of the hotels sector. This year’s forecast sees an uncertain economic outlook that is encouraging hoteliers to embrace new technologies to attract and retain guests. An increase in technology adoption means an increase in cyber risk, and for that reason I had the pleasure of talking about cyber security at a UK Hotels Forecast workshop earlier this month. I thought it would be good to share a summary of discussion from the event, where industry leaders and I looked at the cyber security risks that can arise in hotels, and how to protect against them.

I introduced the session by explaining how cyber attacks or data breaches can have a particularly damaging impact on hotels, which are run by and dependent on technological systems that handle everything from credit card data to the occupancy of the premises. As such, the hotel and leisure industry has become an increasing area of interest for hackers.

Cyber threats that hotels should be aware of

We then moved on to consider how, once a guest arrives at the hotel, the security risks grow significantly. A large quantity of sensitive and personally identifiable guest data is collected by hotel employees at various points including Point of Sale systems, third party managed systems and hotel applications. If not properly secured, there are multiple areas that can be vulnerable to attack:

  • Infiltrating the WiFi network - Open WiFi exists around hotel facilities and can be used to access data on the hotel’s network if unsecured.
  • Unrestricted access to areas of hotel buildings offices - Combined with a low level of staff awareness, this can provide a simple point of entry for attackers to break into systems and networks.
  • Staff actions - The hotel can be held responsible for staff actions. This can include situations such as a malicious employee attack (like cloning payment details) or one where an employee allows a malicious actor to access the network through a social engineering attack.
  • Internet of Things (IoT) attacks - The majority of modern hotels today use IoT devices which link directly into the corporate internet where there maybe a direct link into confidential data that may transverse the same network. These risks exist and grow with the addition of hotel facilities, including restaurants, bars, gyms and spas.
  • Cyber incident response - In the case of a cyber incident, hotels have to worry about operational interruption during the breach, which in almost all cases results in financial losses. Reputational damage almost always follows after a breach where GDPR laws have increased the size of fines for personal data being exposed.

How can hotels protect from cyber threats?

After establishing risks, our interactive session looked at measures that can be introduced to protect from them. A fundamental issue across the hotel industry is that often a cyber security culture does not exist. Cyber security can often take a backseat to other business issues, even though it is one of the most vulnerable sectors. We discussed how hotels can - and should - prioritise cyber security, by:

  • Detecting and securing weak points in digital architecture
  • Defending digital assets, including your property management systems, from cyber attacks
  • Securing IoT and connected devices
  • Regularly auditing cyber security measures

This conversation neatly brought the session to a close, which had provided some great discussion and insight into how the industry can identify and protect itself from cyber risk.

Get detailed cyber security advice

Download our UK Hotels Forecast 2019-2020 to find out more about protecting your hotel from cyber threats, as well as guidance on how hoteliers can embrace technology to increase efficiency, reduce processes, manage data and enhance the customer journey.

Matthew Wilmot | Cyber Security Senior Manager
Profile | Email | +44 (0)7843 334288