Data security is a pivotal concern for businesses across industries, and the hospitality industry is no exception. In fact, data breaches within the hospitality industry, particularly in hotels, have become a common concern because of the nature of the data these companies collect. Hotels, motels, resorts, and rented apartment complexes all gather, process and electronically store sensitive personal customer data, such as names, phone numbers, addresses, credit card details, and passport and driver's license information. As a result, the hospitality sector is an ideal target for cybercriminals looking to carry out credit card fraud and identity theft. A single data breach may result in intense public scrutiny, damage to reputation and financial liability, and create panic across the entire customer base. As the database is the backbone of any organization, it is extremely important for companies to understand the relevance of customer data security and take adequate steps to ensure the safety of the data they handle. Outsourcing data entry tasks to reputable business process outsourcing companies can help maintain confidentiality of data and minimize cyber security risks.

In recent years, cybercriminals, hackers and scammers have tended to target the hospitality industry more frequently than others. The industry's heavy reliance on cards as the major form of payment has been one of the top factors exploited by cybercriminals in the past. From the perspective of cybercriminals, hospitality is an ideal target for crimes like identity theft and credit card fraud because of the multiple databases and devices that contain both Payment Card Information (PCI) and Personally Identifiable Information (PII). The COVID-19 pandemic's effect on all areas of business has resulted in a rise in this type of criminal activity. With millions out of work, new culprits with different skill sets are undertaking cyber-crime as a means of survival. And, despite a huge drop in business during this time, security systems in the hospitality industry are mostly at risk.

Data Security in the Hospitality Sector – A Matter of Key Concern

The top data security concerns in the hospitality industry are discussed below –

Data Sovereignty – Data sovereignty addresses the rights to storage of company and customer data based on geography. Several laws associated with it are in place to secure data and guarantee privacy for populations from foreign threats.

Data sovereignty gives a company the right to release or withhold any information held securely within its cyber security system.

Complex Ownership Structures – Businesses within the hospitality industry usually have complex ownership structures in which there is a franchisor, an individual owner or group of owners, and a management company that acts as the operator. These parties function as separate teams, take on individual responsibilities and use different computer systems to store data. Information also moves frequently across those systems, which increases the possibility of a data breach.

Heavy Reliance on Electronic Payment Methods – The hospitality industry is heavily reliant on credit cards and other paperless electronic payment methods. Restaurants and hotels alike often require credit card details for reservations, and the final payment is frequently made with the same card that is already on file. Cybercriminals exploit this reliance by infecting point-of-sale (POS) systems with malware that steals credit and debit card information by scraping the data. In fact, reports suggest that in 2017, out of 21 of the most high-profile hotel company data breaches that occurred, 20 were a result of malware affecting POS systems. As malware can often spread between POS systems run by the same operator, multiple individual hotels and hotel groups can be hit by these attacks, which can go unnoticed for months.

Data Disposal Processes – It is estimated that about 20 percent of hospitality companies don’t have any policy in place for storing or disposing of confidential paper documents, and nearly a third of them do not have a regulated protocol in place for storage and disposal of their customers’ electronic information. This in turn increases the risk of data breaches.

Rapid Staff Turnover Rates – Training staff in proper protocols for gathering and storing personal data safely is a paramount concern for hospitality businesses. Proper or advanced training helps staff become familiar with the company’s compliance guidelines and helps them identify social engineering attempts. The high level of turnover and the high degree of staff movement between different locations make it a real challenge to maintain teams of well-trained staff. A lack of familiarity with data security protocols on the part of even a single staff member can benefit cybercriminals waiting to hack into a company’s system and access sensitive information.

Human Manipulation – Hotel staff can be one of the biggest security threats, as they are most vulnerable to attacks from hackers. Data intruders exploit normal human behavior to steal credentials, infiltrate networks and extort information.

Compliance – The hospitality industry and political regulators are becoming stricter in their approach towards governing how organizations store and process personal data. The GDPR, a landmark piece of legislation introduced by the EU in May 2018, aims to return control over personal information to individuals while simultaneously enforcing stricter rules for protecting such information. PCI DSS is another important global regulation that protects credit card data, and fines for non-compliance begin at $500,000 per incident.

Insider Threats – Although less common, the threat of company employees selling data to third parties without the knowledge of their employer is a real concern for hospitality businesses. Insider threats typically involve data on customer preferences and behavior, which is collected at multiple touch points, from interactions with the company's website, to form data on booking systems, to review data. This data could be lucrative when it ends up in the hands of those who know how to use it to gain a competitive advantage.

Data Protection in the Hospitality Industry – Top Strategies

As mentioned above, hospitality organizations often become an attractive target for cybercriminals due to their extensive databases and low levels of security. In fact, in 2018, some of the biggest names in the hospitality industry were targeted and breached. The likes of the Marriott hotel chain, Best Western’s AutoClerk reservations management system, and the Choice Hotels franchise all suffered major data breaches.

In the age of GDPR, when countries across the world are increasingly adopting new legislation that aims to protect individuals’ sensitive information and make companies liable in case of data breaches, hospitality companies need to make cyber security a key point of focus for managing risk, potential financial losses, fines and disastrous consequences for their reputation.

But what can the hospitality industry do to protect its sensitive data from breaches? Some important strategies that organizations in the hospitality sector can implement to protect customer data are discussed below –

Implement a Training Program in Cyber Security – Instituting more comprehensive employee training for all staff is crucial to ensuring data security.

Clear and strict policies regarding the disposal of sensitive physical documents and wiping clean electronic records are critical for all hospitality companies. This will help ensure that every employee is trained and proficient in handling sensitive data securely. In addition, educating staff on the basic methods of how hackers obtain information will potentially increase the security of the company as a whole.

Encrypt Payment Card Information – Regarded as one of the fundamental steps, encryption of payment card information is crucial to secure all electronic devices like laptops, desktop computers, and flash drives. Encrypting sensitive payment data ensures that only properly trained and trusted employees will be able to access and view customer payment information via their passwords or access certifications.
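Before card data can be encrypted or removed, it has to be found. The following added example (not part of the original article) scans an export for card numbers stored in clear text, using the Luhn checksum to cut false positives; the sample export, the test card numbers and the function names are constructed for illustration.

```python
import re

# 13-19 digits, optionally grouped with single spaces or hyphens,
# not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report itself holds no card number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[tuple[int, str]]:
    """Return (line number, masked card number) for every Luhn-valid candidate."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append((line_no, mask(digits)))
    return findings


# Constructed sample: a reservation export using well-known test card numbers.
SAMPLE_EXPORT = "\n".join([
    "res_id,guest,card,note",
    "1001,A. Guest,4111 1111 1111 1111,late arrival",
    "1002,B. Guest,tok_9f3a,card held by payment processor",
    "1003,C. Guest,378282246310005,phone +1 555 0100",
    "1004,D. Guest,4111-1111-1111-1112,fails checksum so not reported",
])

if __name__ == "__main__":
    for line_no, masked in scan_text(SAMPLE_EXPORT):
        print(f"line {line_no}: clear-text card number {masked}")
```

Rows that hold only a processor token, like the constructed row 1002, produce no finding.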

Keep Devices Up-to-date and Back up Data – Whether it is the systems in the back office or your property’s digital locks, older hardware running outdated software becomes an easy target for a data breach. Leaving devices and systems without updates and software patches is one of the biggest security risks. It is extremely important to set your devices to automatically accept and install the periodic updates issued by software providers to protect sensitive data. Backing up your data is a generally easy and cost-effective way to ensure data security. To reduce the risk of losing data or having it irretrievably damaged, it is essential to make a habit of backing it up. This includes financial records, business plans, customer data, personal information etc. It’s important to install antivirus and anti-spyware software and always update when prompted. In addition, keep track of all the equipment used by your business and who uses it.

Prioritize Password Security – Choosing your data passwords wisely and strategically is another simple yet powerful strategy. The password security standards set forth by the National Institute of Standards and Technology (NIST) keep changing. In recent years, NIST has suggested using longer, more complex passwords, but not requiring passwords to change as often (or even at all).

Therefore, choosing a password that is hard for an unauthorized party to guess and easy for you to remember is crucial to prevent unauthorized access. Another strategy is to use a unique password for each login. If the same password is used for an email account and for other systems (such as a Property Management System), an attacker could phish or steal your email username and password, and then try the same credentials on your PMS. Make sure to invest in a digital password manager so that staff members can securely store passwords in an encrypted digital vault instead of writing them down on paper. Securing the vault with a master password and Multi-Factor Authentication is another important aspect. MFA, also known as Two-Factor Authentication (2FA), is an added layer of security that only grants a user access to a system after successfully presenting another authentication mechanism along with a password, such as a PIN number, a USB security key, a push notification to a phone or device, a code generated via an Authenticator app, or biometrics such as fingerprint, Face ID etc. Even if a username and password become compromised (by way of phishing, brute force, credential stuffing, etc.), MFA protects against unauthorized access to that account by requiring another piece of information, action, data, etc. in order to proceed with the login.

Isolate Sensitive Information – As per Verizon’s 2019 Data Breach Investigations Report, about 100 percent of data breaches in the accommodation industry were financially motivated. Hotels and hospitality management companies need to secure all computer systems and applications used for accessing financial information. For example, in sensitive systems that contain financial information or guest data, try to use multi-factor authentication wherever possible. In addition, protect sensitive data by keeping the computer system, laptop or tablet away from public view. Also, consider installing a computer privacy screen to help prevent others from accessing sensitive guest data.

Secure On-property Networks – One of the frequent areas of data vulnerabilities for hotels is within the public Wi-Fi network. Newer Wi-Fi technologies have in-built tools called Intrusion Prevention Systems (IPS) which help identify potentially malicious activities and automatically block them, all without any human intervention. Also, make sure to separate wireless networks used by guests from those for internal use, such as by staff and/or property computer systems. This can be done either physically (by having two completely separate sets of hardware) or through the use of virtual networks (VLANs).

In today’s digital economy, companies in all industries or sectors will face some sort of security breach. In fact, ensuring the privacy and security of sensitive data becomes more challenging when it comes to the hospitality industry. As companies in this sector continue to expand the ways they collect data from their customers, it is more important than ever that they commit to securely managing the data they collect. With a proper understanding of the importance of data security, companies in the hospitality sector are in a better position to implement effective strategies to ensure the safety of customer data. Utilizing outsourced data entry services can ensure data security and confidentiality, thereby reducing cyber security risks.