Cyber-security: are hotels serious about it?

EHL Students - Bachelor | 15 Nov, 2016

In today’s connected world, data management has become one of hoteliers’ top priorities. Information about guests’ preferences, interests, social life and much more is available, usable and, most importantly, storable. As soon as customers’ data is stored, the security and accessibility of such highly sensitive information are of great importance.

During the 2016 European Hotel Investment Conference in London (HOT.E), one of the hot sessions focused on cyber-security in the hospitality industry.

Operational activities such as reservation, check-in and check-out, as well as customer login, are nowadays cloud-based and offer a hacker many possibilities to intrude into the property’s systems and/or gain access to confidential information. The major issue for hotels in particular is their exposure to, and dependence on, third-party software that may be vulnerable. Indeed, numerous companies have experienced cyber-attacks through their POS systems. Many of Mandarin Oriental’s POS systems, which still run on Windows XP until the end of 2016, were attacked in late 2014, with credit card data possibly stolen by hackers. Omni Hotels suffered the same attack days before the 2016 summer holidays, and HEI Hotels & Resorts, which manages brands such as Marriott, Hyatt and Sheraton, released a list of twenty properties affected between March 2015 and June 2016. Philip Lieberman, president of the eponymous software company, stated recently that “the current business model of hotels and their franchisees does not include cyber-security as one of the deliverables provided to their licensees. Along these same lines, the type of equipment and software used by the properties, software patching and monitoring are woefully inadequate for today’s threats.”

Furthermore, an important factor is training. As mentioned in a recent article on EHotelier, 95% of all data breaches can be traced to human causes. Front-line staff are often poorly trained against cyber-attacks because management lacks a global view of risk.


Financial implications aside, both speakers at the HOT.E conference, PwC and many other security experts worldwide point out the reputational risk, which is by far underestimated in the hospitality industry. As stated by one of the speakers, hotel companies are still reflecting on what shall be done *if* they suffer a cyber-attack, not on what should be done *when* they suffer one. This shows a lack of staff education and of a response plan. He suggests creating SOPs for hotel chains so that they can react to such attacks. Both speakers pointed out the necessity of having decisions taken at Board level (CEO, CFO, COO), as cyber-security has now become a Board responsibility in the UK. Moreover, including the Public Relations department has become crucial, as the information communicated in such circumstances is key to the company’s reputation. A parallel can be drawn with the Deepwater Horizon oil spill, for which communication was catastrophic and was reflected directly in the traded share price. As with that event, controlled and clear communication in the case of a cyber-attack can reduce the harm to a hotel’s or chain’s reputation.

The hotel industry faces a generation gap. While many General Managers and Senior Executives are not at ease with computers and digital tools, IT infrastructures are becoming ever more complex. The question of responsibility comes up. How can directors and board members who are not computer-savvy take strategic cyber-security decisions? Who is responsible: the property, the owner, the chain? One thing remains certain: it is time to get serious about security!

Author: Nicolas Heynen - EHL Bachelor Student
