Hoteliers: Why Compliance Doesn't Equate to Data Security
By David Christiansen, M.S., CISM, CISSP, PCI-QSA, CIO at VENZA
Hoteliers, let me ask you a question. What does it mean to run a secure hotel? The answer may vary, depending on who you ask. Why? Because security, across any industry, is a multifaceted discipline and an essential consideration for brands that interact with customer data and information. Cybersecurity attacks are commonplace in today's world, and hotels are increasingly attractive targets due to their association with a variety of sensitive data. In fact, two of the top five biggest data breaches made public in 2020 were at hotel chains. Globally, cybercrime damages are expected to reach $6 trillion by 2021.
With ten years of former military experience under my belt, I've entered IT and cybersecurity with a unique perspective. My former career instilled in me the importance of a detail-centric approach, which I now apply to the world of hospitality regulations and procedures. I understand, intimately, that compliance is the first step – but it isn't the entire picture. This realization holds even more weight in the pandemic era, a time when hotels are increasingly vulnerable to cybersecurity breaches and risks.
A Demand for Security Innovation
Historically, the hospitality industry has been slow to embrace technological change. Under the guise of tradition, many hospitality leaders have fallen victim to antiquated ideologies over the years – better known as the "we've always done it this way" mindset. Despite this, innovation is, ultimately, undeniable across a landscape that is primarily dictated by guest demands and preferences. However, the rate of change across our industry is often slow, and there is perhaps no better example of this stalemate than hotel tech security.
While many aspects of our industry have seemingly 'caught up' to other sectors in regards to forward-facing innovation, IT and security have, for the most part, been left in the proverbial dark ages. We see hotels offering their guests an ultramodern experience, rife with next-gen upgrades and platforms including self-service kiosks, smart hotel rooms, AI-powered concierge robots, and keyless room entry. These are incredible advancements. When we pull back the curtain to view the policies and procedures at work behind the scenes, we realize a stark contrast. A robot concierge at a given hotel might know your name and seamlessly address your requests once you arrive on the property. However, that same hotel will probably still require you to manually fax or email a credit card authorization form. As an industry, we are making strides forward, but we have – for the most part – left core security considerations behind.
To this effect, many of the hotel security breaches that dominated headlines involved hotels that were, in fact, compliant in terms of regulatory standards. These breaches often compromised point of sales systems that, despite complying with current industry standards, exposed guest credit card information in a way that put guests and hotel reputations at risk.
Hotel Security for a Post-Pandemic World
When considering the scope of hotel cybersecurity, it's important to recognize that credit card theft is only one of many risks. Our industry relies on the exchange of large amounts of sensitive personal information, and the post-pandemic innovation and automation poised to spearhead hospitality's recovery will, ultimately, thrive on guest data. As we look to a future of keyless room entry, AI-powered touch-points, and high-tech self-service, we must consider the enhanced security required by increasingly interconnected hotel systems. Reports indicate that the more devices connecting to a network, the more vulnerable it is to cyberattacks.
- 513,936,296 hospitality data records were stolen or lost in 2018. In early 2020, 5.2 million guest records were compromised in one hotel chain breach
- 423 million travelers have been victims of a cyberattack through their business with hotels
- 70% of guests believe hotels don't invest enough in cybersecurity protection
Moreover, we must acknowledge the current state of the hospitality workforce. As our industry prepares for recovery after a period of severe downturn, we will welcome many newcomers to our industry in addition to restricted staffing due to limited post-pandemic budgets and cost-saving initiatives. New talent is welcome, but hotels should be increasingly cognizant of IT and cybersecurity training and awareness for all new and returning staff. After all, 95% of all data breaches can be traced to human causes. With this in mind, comprehensive cybersecurity training should be prioritized at every level of any organization.
In fact, hotels should take this time to audit and, potentially, reinvent their cybersecurity best practices. Not only should risk assessments be performed every year, but they should also be performed every time a hotel implements a new solution. This may seem tedious initially, but dealing with the costs and reputational repercussions of a large-scale cybersecurity breach is far more taxing.
Now, more than ever before, hoteliers must look beyond compliance to consider big picture hotel cybersecurity. Identifying any and all opportunities for risk is the only way to defend against it, and data security should be embedded into the very culture of a hotel. The more you educate your employees, the less likely they are to become the victim of a breach or attack..
In the post-pandemic world, creating a truly secure environment demands a diverse and increasingly detail-oriented approach to managing and protecting sensitive information.
Kay Bailey Hutchison Convention Center Dallas — Dallas, TX United States
David ChristiansenMore from David Christiansen
Drawing on decades of experience, VENZA is a data protection company that can help organizations mitigate their vulnerabilities and ensure compliance, keeping guests and their data safe from breaches. By delivering a security solution for readiness, reassurance and response, VENZA offers 360-degree visibility for proactive management of risks — so users can focus on guest service and building trust in their brand. Better visibility means better defense. Know the risks, protect the enterprise with VENZA.
More than 225,000 users in 100+ countries look to VENZA for tools, technology, and strategic security support. Founded in 2008 with a decade of service to the hospitality industry, VENZA is a privately held company with regional offices in Atlanta, GA, Pensacola, FL, New Albany, IN and The Hague, Netherlands. For more information visit VENZAgroup.com