A Complete Guide to Cybersecurity in the Hospitality Industry

As technology becomes more advanced so does cybercrime. And that means cybersecurity in the hospitality industry has never been so critical. 

‍

It’s a hard truth that hotels are slow when it comes to technological advancement. This is beginning to change, however, as hoteliers realize the dangers of cybercrime. The impacts of a data breach or payment card fraud, for example, are far-reaching, damaging, and costly. It’s not only your pocket that takes a hit but also your reputation. 

‍

Understanding cybersecurity, the risks associated with cybercrime, and the technology at your fingertips is your best bet to avoid becoming a victim.

What Is Cybersecurity & Why Is It Important to the Hotel Industry?

Hotels sit on a mountain of sensitive guest data. This data could be useful for criminals looking to steal identities, passwords, and ultimately money. 

‍

Unfortunately, most hotels and businesses have multiple weak spots for fraudsters to take advantage of, whether it be your technology, passwords, or employees. Human error is one of your greatest risks. 

‍

The term cybersecurity, then, encompasses all the steps you take to keep your guest and client information secure and encrypted. 

‍

One of the best ways of protecting guest and client data is maintaining Payment Card Industry Data Security Standard (PCI DSS) compliance. This is a requirement for all businesses that handle payment card data and comprises a set of rules and regulations. 

‍

Unfortunately, many hotels are not PCI compliant without knowing it. Perhaps they are still using paper authorization forms, or maybe they have a weak password policy (for example, not using two-factor authentication). 

‍

Protecting your guest and client data is imperative, not only to avoid breaches and penalties but to improve your guest experience. Fifty-six percent of travelers say they are somewhat concerned about the privacy and security of their data provided to hotels. Twenty percent said they were very concerned.

‍

9 Cybersecurity Threats To Watch Out For  

Cybercrime can come from all directions which is why it’s important to familiarize yourself — and your staff — with each type. Knowing the signs could help you stop cybercrime in its tracks and protect your business (and guests).

‍

1. PDF Authorization Forms Emailed Back & Forth 

PDF authorization forms are still used today but they’re not PCI DSS compliant. This means that should a breach occur while you’re using PDF forms, you’ll be liable and could have to pay a hefty penalty. 

PDF forms can pose a serious security risk, especially if they are not properly secured and stored. Say a hotel guest fills out a PDF form containing their payment information and sends it to your hotel over email. That email is then intercepted by a fraudster who steals the credit card information. You’d be in a lot of hot water. 

The best way to avoid instances like this is to employ a digital solution. Canary’s Digital Authorizations, for example, allows your guests to enter their credit card information via a secure PCI Level-1 form. 

‍

‍

Want to reduce fraud & chargebacks with Canary’s Digital Authorizations solution? Book a demo today! 

‍

2. Social Engineering 

Cybercriminals use social engineering to manipulate individuals — like your employees — into giving away sensitive information. For hotels, this could look like someone posing as hotel staff member or tricking guests into revealing their information or clicking malicious links.

‍

Here are a few social engineering examples:

‍

1. Phishing: Phishing is a very common social engineering attack and occurs mainly via email. These are emails that seem to come from a trusted source, like your CEO, to trick you into clicking a link, transferring money, or providing personal information. 
2. Baiting: Baiting is where a cybercriminal offers something of value — like a gift — to lure someone into clicking a malicious link.
3. Watering hole attacks: In a watering hole attack, cybercriminals compromise your hotel website by injecting malware. This means that when guests use the website their devices could be infected too.
4. Pretexting: In this example, a cybercriminal could pose as an IT technician to gain access to a secure network. 
5. Tailgating: A cybercriminal could follow a hotel guest or employee into a secure area of the hotel and gain access to sensitive information or systems. 

3. Insider Threats

Cybercrime can originate from your employees or contractors, believe it or not. Insiders with authorized access can steal sensitive guest information or trade secrets. Here are a few ways cybercrime could occur from the inside:

‍

1. Negligent behavior: An employee could accidentally leave their computer unlocked or fail to follow security procedures, resulting in a security breach.
2. Employee theft: An employee could steal credit card information for personal gain or sell some to a third party.
3. Malicious insiders: An employee with malicious intent could intentionally cause harm to your hotel’s systems by installing malware or deleting important files. 
4. Third-party contractors: Third-party contractors could pose a risk especially if they do not follow security protocols. 

‍

4. Payment Card Fraud

Payment card fraud is where cybercriminals make unauthorized purchases or withdrawals. There are a few ways they can achieve this:

‍

1. Point-of-Sale (POS) malware: Cybercriminals could install a malicious piece of software on your POS system. They can then steal payment information as payments are processed. 
2. Man-in-the-Middle (MITM) attack: This is where a cybercriminal intercepts and alters the communication between your hotel and your payment processor. They can then steal payment information.
3. Phishing: Cybercriminals use phishing to trick employees or guests into handing over their payment card information, or clicking a link to a fake website.
4. Skimming: Skimming is where cybercriminals use a small electronic device to steal payment details. All they need to do is place this device on a card reader to get the data. 

‍

5. Insecure Wi-Fi Networks 

Every hotel nowadays offers free Wi-Fi to guests, but these networks may not always be secured properly. An unsecured network can lead to cyberattacks, primarily targeting your guests. There are a few ways insecure Wi-Fi networks could lead to cybercrime:

‍

1. Rogue access points: A cybercriminal could set up what’s called a “rogue access point”. This is what looks like a legitimate hotel Wi-Fi network, except when a guest tries to connect the cybercriminal steals their sensitive data. 
2. Malware infections: Unsecured Wi-Fi networks can also be used as a vector to distribute malware to unsuspecting guests, infecting their devices and potentially stealing their personal information.
3. Man-in-the-Middle (MITM) attack: In this case, a MITM attack could entail a cybercriminal intercepting unencrypted Wi-Fi traffic to steal personal details. 

‍

6. Ransomware 

Ransomware is a type of malware that is designed to encrypt a victim's data and demand payment in exchange for the decryption key. Here are a few examples of ransomware attacks in the hospitality industry: 

‍

1. Rosen Hotels & Resorts: In 2016, Orlando, Florida-based hotel chain, Rosen Hotels & Resorts experienced a ransomware attack. The cybercriminals demanded a ransom of $2,000 but the company refused to pay. The breach resulted in the theft of guest credit card information.
2. Marriott International: In 2020, Marriott International suffered a major data breach which exposed the personal information of over 5 million guests. This was a result of a ransomware attack that targeted their third-party vendor.
3. Romantik Seehotel Jaegerwirt: In 2017, the Austrian hotel, Romantik Seehotel Jaegerwirt was locked out of its computer systems as a result of a ransomware attack. Their keycard system was disabled, preventing guests from accessing their rooms, and their reservation system was taken offline. In this case, the hotel paid the ransom of $1,500 to recover access to their systems. 

‍

7. Employee turnover 

The hospitality industry experiences extremely high turnover rates and this can pose a cybersecurity threat for hotels. 

‍

Employees could take sensitive data with them when they leave, or retain access to hotel systems and data. To avoid data breaches or other security issues, hotels must take steps to mitigate risk when employees leave. This could mean creating a common procedure for disabling access to systems, providing extensive training, or monitoring access to systems and data. 

‍

8. Human Error 

Human error is a widespread issue in the hospitality industry (or any industry for that matter!). Examples could be an employee accidentally misconfiguring a system, falling for a phishing scam, or sharing guest information. 

‍

But what are the most common reasons for human error?

‍

1. Lack of training: Cybersecurity training is essential to avoid breaches but many employees are undertrained in this area.
2. Weak passwords: Employees might use weak or easily guessable passwords. Ensure they understand how to create strong passwords.
3. Misconfigured systems: Hospitality companies may use complex IT systems to manage guest data, reservations, and payments. If these systems are misconfigured or not properly secured, they can be vulnerable to cyber-attacks.

‍

9. DDoS (Distributed Denial of Service)

In a DDoS attack, a large number of internet-connected devices are used to flood a target website or network with traffic, making it inaccessible to legitimate users. This can result in service disruptions and damage to the reputation of the targeted company.

‍

The hospitality industry is particularly vulnerable to DDoS attacks due to its reliance on online reservations, payments, and customer feedback. If these services are unavailable or slow, it can negatively impact the customer experience and damage the reputation of the business.

‍

How To Prevent Data Breaches in the Hospitality Industry

‍

Maintain PCI DSS Compliance 

PCI compliance is critical in the world of cybersecurity. There are many tasks that go into becoming and staying compliant, including:

‍

1. Replace paper/PDF authorization forms with a digital solution
2. Create an internal data security policy 
3. Create a cyber incident response plan
4. Perform risk assessments
5. Implement a security awareness program

‍

Physical Security Measures 

Physical security measures play an important role in preventing data breaches in your hotel. This is so that cybercriminals cannot just walk into secured areas and steal information.

‍

It’s essential to protect all of your devices and systems that store and transmit sensitive information. You can do this by:

‍

1. Limiting physical access to certain areas
2. Securing all devices with cable locks, security plates, or secure cabinets
3. Installing security cameras: Security cameras in the areas where sensitive information is stored or processed (such as your front or back offices) can deter attackers and give you evidence should a breach occur 

‍

Swap Paper/PDF Forms for a Digital Solution 

Paper or PDF authorizations are not secure (as we’ve mentioned). Replace them with a digital solution like Canary Digital Authorizations to protect your guests’ sensitive information.

‍

With this technology, you can also track all authorizations in a dashboard and retrieve vital information in the case of a chargeback. 

‍

Recurring Employee Training 

It's not enough to train employees on cybersecurity once and then be done with it. Employees should receive training at least once per year to ensure information remains fresh in their minds and that they are aware of any new developments in cybercrime or cybersecurity. 

Go a step further and provide your workforce with resources such as ebooks, videos, and a help center so they can learn how to report suspicious behavior or breaches. 

‍

Internal Security Policy 

On top of recurring employee training, it’s important to create an internal security policy. This is where you can provide guidelines and procedures for your employees to follow. 

‍

A good internal security policy helps you define roles and responsibilities for your staff and creates security-first culture at your property.

‍

Final Thoughts

The dangers — and prevalence — of cybercrime mustn't be understated. It’s a serious issue within the hospitality industry and hotels must take the appropriate steps to protect themselves and their clients.

‍

Methods to avoid breaches include maintaining PCI DSS compliance, implementing physical security measures, swapping paper or PDF authorization forms for a digital solution, creating a cybersecurity training program for employees, and implementing an internal security policy.

Next up, find out why digital check-in is so important to hotels and their guests.