Data protection and cybercrime: the big risks facing hotels in 2024

According to recent research from RH-ISAC, investment is increasing significantly to address cybersecurity challenges facing the hospitality sector. 

The report reveals a predicted rise in 2023 budgets to cover the implementation of better security systems, expert personnel and staff training. Survey respondents working in hospitality and retail shared a recognition that data protection and digital security are big challenges now facing their sectors and that a knowledge gap needs to be filled – with some speed.  

So how can hoteliers ensure their data security is optimised and sensitive financial and guest data is protected, compliant and not at risk of cyber attacks? What are the key steps all hotels can take to help their teams better understand and manage their information security systems?

With over 20 years working with hotel professionals and systems worldwide, Aaron Belton, our Head of Global Hospitality, shares the context and key steps that all hotels should be taking to optimise data security.

“Now more than ever before, the security of transactional information such as personal and financial data is under scrutiny. Data security is a huge and growing concern amongst our hotel clients, and rightly so.”

Why now?

Cybercrime is changing. According to Check Point Research, cyberattacks are increasing worldwide, with 38% more cyberattacks per week on corporate networks in 2022 compared to 2021.

Not only are incidents of cybercrime continuing to rise – up by 38% in 2022 globally – the scope of businesses being attacked has also expanded. Both large network enterprises and SMEs have become targets, with SMEs accounting for 58% of attacks last year. Perhaps SMEs are recognised as new easy targets: with less investment in security, they become more vulnerable. Whatever the reason, no hotel business, whatever its size, can afford to ignore this growing threat.

The risk of shared drives, emails and paper

Whilst digital data records can be compromised by poor security systems, the much bigger security risk in hotels right now is the continued use of emails, shared drives and paper records.

It’s hard to secure unstructured data against unauthorised access. Paper documents are easy to lose, mishandle or damage when in use. Emails can be sent via various third-party mail servers and unprotected WiFi setups, and can easily be copied or even stolen. And of course, paper requires printing, presenting a further security risk if sensitive information is inadvertently left behind on shared printers or back office desks.

Since paper documents are physical objects, they cannot easily be tracked or contained like electronic files. There is no audit trail, so this type of record keeping can expose a hotel and its customers to risks that have real consequences – and that are renewed on a daily basis. The only way to eliminate the security risk of paper is to implement a digital transformation tool like DocMX.

Knowledge is power

As the research shows, investment in people or partners with expertise in data security is a key new and developing area for 2023.

The role of Chief Information Security Officer is expanding and in demand – one of the ways that some global network businesses are addressing cybersecurity concerns. 

As their title suggests, a CISO plays a crucial role in planning and putting into practice information security infrastructure meant to protect an organisation’s data and other assets. A critical set of skills for any CISO includes their ability to identify, analyse, and assess risks and take immediate action to employ an effective security solution.

But CISOs are a costly investment, and some of the key areas addressed in their role can be adopted and adapted for all hotel sizes by outsourcing to expert, external partners.

These might include:

  • Assessing the organisation’s information security infrastructure
  • Analysing the organisation’s risk management
  • Keeping pace with cybersecurity trends and new technology innovation 
  • Implementing high level security processes

The creation of a secure data sharing process is critical, and the best practice for planning digital transformation is covered in an article I wrote previously, A Rulebook for Digital Transformation.

Certification and compliance

Finding the right implementation partners is about ensuring their own bespoke systems adhere to the highest world class standards available. There are some key questions any hotelier should ask when choosing a technology provider. 

Where will data be stored? Will it be encrypted? Who will be able to access and handle it? Does the vendor comply with external standards, or is it externally accredited (e.g. ISO)?

Always look for ISO 27001 certification that confirms a supplier’s system has all the requirements for global standardisation and quality assurance. 

ISO (International Organization for Standardization) is an independent, non-governmental, international organisation that develops standards to ensure the quality, safety, and efficiency of products, services, and systems.

ISO certification has many benefits for all business departments but ISO 27001 is specific to information management systems. In essence these standards help organisations manage the security of assets such as intellectual property, financial and employee data. And the certification is reviewed annually, ensuring suppliers use the highest quality tools in data security, storage and recovery. 

DocMX is both ISO certified and recognised as an Advanced Technology partner in hospitality and travel by Amazon Web Services. We leverage Amazon’s in-built network security and tools like WAF, CloudTrail, CloudWatch and S3 Glacier for:

  • Firewalls, real-time threat detection against unauthorised access
  • Data encryption at rest and in transit
  • Unmatched compliance and auditing capabilities
  • Unlimited, secure & durable back-up and archiving

Both Amazon & ISO accreditations comply with the highest security standards in cloud technology and we would encourage all hotels to look for partners with similar accreditation levels. 

People & Process

Recognising that high quality data security is a fundamental part of hospitality operations is a critical step forward. However, implementing a new technology system takes preparation, planning, collaboration and team work. 

This approach is not just about secure IT systems. It’s a holistic approach involving people, processes and technology across the whole organisation.

Best Practice Preparation: So the first tip is a simple one. Don’t make an existing time-consuming, disconnected process a digital one. Start out by putting into place clear data security ‘best practices’ and behaviour within the organisation and choose a technology platform with strong protections against any unauthorised access and data loss.

These 7 simple steps are a useful way to plan a process of change in your hotel:

  1. Involve all employees in security awareness
  2. Identify the risks
  3. Formalise processes using sensitive data
  4. Define sensitive data and privacy categories
  5. Decide who can access information
  6. Know which sensitive data regulations you are subject to
  7. Conduct regular backups

Local Knowledge: In the case of cloud systems, verify where the data will be stored and under what conditions – especially because many countries and local territories have their own specific storage regulations.

It’s important to research and recognise the different local compliance requirements across a number of data privacy issues. For example, the length of document retention and privacy permissions differ across the world.

Access levels: Key areas to address in a successful transformation include, for example, identity and permissions management. Who can access which level of data, and how? What about managing guest and limited user access?

In today’s world of remote working, emails and video calls, sensitive financial or HR information can be vulnerable to security and processing issues. Handling this information in a secure structured system with a full ISO-accredited audit trail will solve many of these concerns. 

In an increasingly digital world, where the threats from hackers and malware are greater than ever before, choosing the right partner who takes security seriously should be a vital consideration.