In the race to deliver the best experience in the hospitality industry, a key differentiator between hotels in recent years has not been aesthetics or gym facilities but rather their tech: from reliable Wi-Fi networks to smart TVs in rooms, the latest tech has become non-negotiable for many guests. Why? Because digital transformation in other areas of guests’ lives has driven expectations up. People now expect connectivity and technology in hotels to exceed what they experience at home.
But as the hospitality industry rushes to meet guests’ digital demands, it has opened itself up to potentially devastating cybersecurity breaches – the most notable of recent examples being the attack on Marriott International which led to the data of up to half a billion guests being compromised. As the hotel sector continues to modernise and embrace new technologies such as AI, 5G and the Internet of Things (IoT), it is critical that cybersecurity is prioritised or the industry will fall victim to a crisis of confidence.
With Marriott now facing a £99m fine for the data breach, it’s clear that hotels need to take a more proactive approach to cybersecurity. In an age where guest data is so valuable, yet so vulnerable, cybersecurity is fundamental to the customer-centric approach that hotels pride themselves on. After all, what is the use of investing in the latest consumer technology if guests don’t trust you with their data?
Why the hospitality industry is so attractive to hackers
The hospitality industry is perhaps not the most obvious target for hackers because it may not appear to hold as much high-value data (e.g. personal financial information) as industries such as finance. In fact, hotels possess large amounts of valuable personal data about their guests. This can range from credit card details and transaction records to car registration numbers, passport numbers, customer names, dates of birth and home addresses.
And there are several vulnerable areas in a hotel’s network that play right into a hacker’s hands. These can range from internet connection ports, which offer unsecured access to a hotel’s internal network, to outdated point-of-sale systems that are easily susceptible to hacking. Outdated legacy property management systems (PMS), which hotels use to take reservations, issue room keys, and store credit card data, can also be an easy target for hackers seeking to gain access to a chain’s corporate system.
The double-edged sword of digital transformation
In the rush to embrace new technologies and meet the demands of digitally dependent guests, cybersecurity is at risk of being neglected. As the Thales Data Threat Report 2019 found, whilst 97% of organisations will use sensitive data on digitally transformative technologies, fewer than 30% are using encryption within this environment. For instance, public hotel Wi-Fi networks are designed for easy access, but they are often insecure, non-encrypted networks that compromise data security.
It’s understandable why hotels are eager to adopt new technologies. The IoT technology ecosystem, in which millions of devices communicate and exchange data to improve user experience, enables hotel managers to predict guest behaviour and pre-empt their needs more than ever before. But embracing the IoT has huge implications for cybersecurity.
Without a robust cybersecurity infrastructure in place to support IoT, guest data becomes extremely vulnerable. Take the case of the Las Vegas casino that was hacked through a thermometer in an IoT-enabled fish tank in the reception area, a security breach that led to the hackers stealing 10 gigabytes of data from the casino’s high-roller database.
As hotels shift focus from traditional amenities, benefits and perks to impress their guests, traditional network defences are no longer fit for purpose. For every new technology deployed, hotels should undertake a thorough assessment of how it could attract malicious activity.
Why a security-first culture is the best way to futureproof the industry
The data privacy and security of guests should be taken as seriously as their physical privacy and security, and this requires a change in mindset and the introduction of a security-first culture. Humans are the weakest links in any organisation’s defences against cybersecurity attacks because, whilst computers will do as we programme them to, humans don’t always do what they are told.
Research shows that human error is the cause of nearly one in five data breaches, and, although nearly three-quarters of attacks are carried out from outside an organisation, more than a quarter involve insiders. Thus, a proactive and vigilant security-first culture that has buy-in from staff throughout the entire organisation – not just CTOs and CIOs – is make or break.
Understanding that cybersecurity is an ongoing process is also crucial to avoid running the risk of being outsmarted by hackers who are continually searching for new ways to overcome security measures.
All of this, combined with secure network connectivity, is the bedrock of an effective cybersecurity strategy. Ultimately, to offer excellent guest experiences hotels must recognise that digital transformation and cybersecurity can work in tandem and neither should compromise the other. Only through balancing innovation with protection can the industry maintain the excellent guest experience that it prides itself on.
By Iain Shearman, managing director at KCOM