Personal guest information, credit card data, but also confidential financial and HR data: hotels are susceptible to data breach issues, just like other businesses – if not more!
Just this week, a major breach at MGM Resorts exposed the data of 10.6 million hotel guests. So what best practices can hotels implement to best protect their confidential data?
Understand the hospitality data security risks
In some ways, the hospitality industry is particularly exposed to this risk. Hotels often have complex ownership structures in which there’s a franchisor, one or more owners, and a management company that acts as the operator. Each of these groups may use different computer systems, with information frequently moving across those systems.
The frequent use of credit cards for reservations and payments presents another challenge. In fact, 90% of the major hospitality data breaches in the last 10 years involved credit card data theft. Cyber criminals infect POS or PMS systems with malware that captures personal account data and can spread further across the operator's network.
High staff turnover is another difficulty specific to hospitality. Human error is the main weakness of all IT systems, exploited by ill-intentioned individuals. When employees frequently move jobs and locations, it is more difficult to properly train them in secure handling of personal information, compliance with privacy and security policies, and protecting user access credentials.
Carefully select your hospitality system providers
Hotel operators and owners should take extra care to keep credit card information encrypted at all times. The best way to do that is to carefully select the POS system vendors and credit card processors. Agreements with those entities should include protection and data handling standards for the outside vendor. Compliance with the Payment Card Industry Data Security Standard (PCI-DSS) not only helps ensure that data is safer, but also protects against fines and penalties when a breach occurs.
More generally, verify the credibility and technical setup of the vendors you choose. In the case of Cloud providers, you want to ensure that the data will be stored in high-quality servers, and processed following best industry standards. Ask the questions: who is their Cloud data centre provider? In which country will the servers be located and how are they managed? Will my data be stored in dedicated servers? What processes does the provider follow for its own employees? Do they hold external certifications for Information Security?
Finally, make your staff aware of the importance of data security. Put into place simple but robust processes that will minimise the leakage risks, without requiring extensive training. Only certain job functions within a hotel setting require access to sensitive data, so make sure to choose systems that allow granular but easy user access control. Then put into place a process to control and promptly update access by job grade/description, for example using Single Sign On, that can be updated in one place across all systems.
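The access-control process described above (only certain job functions see sensitive data, and access is updated in one place by job description) can be implemented as a deny-by-default role directory. The following is an added illustration written for this article, not DocMX's own code or product logic; the role names, permissions and staff accounts are constructed for the example.

```python
"""Deny-by-default, role-based access control keyed on job function.

Constructed example: roles, permissions and staff records below are
hypothetical and exist only to show the pattern.
"""
from dataclasses import dataclass, field

# Central permission table: the single place to edit when a job description
# changes, so every system consulting it picks up the change at once.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "front_desk": frozenset({"reservation:read", "reservation:write", "guest_profile:read"}),
    "finance": frozenset({"invoice:read", "invoice:write", "card_token:read"}),
    "hr": frozenset({"employee_record:read", "employee_record:write"}),
    "housekeeping": frozenset({"room_status:read", "room_status:write"}),
}


@dataclass
class StaffAccount:
    username: str
    roles: set[str] = field(default_factory=set)
    active: bool = True


class AccessDirectory:
    """Single source of truth for who holds which role (the SSO-style directory)."""

    def __init__(self) -> None:
        self._accounts: dict[str, StaffAccount] = {}
        self.audit: list[str] = []  # every decision is recorded for review

    def add(self, username: str, *roles: str) -> None:
        self._accounts[username] = StaffAccount(username, set(roles))

    def change_job(self, username: str, *new_roles: str) -> None:
        # Replace rather than accumulate: a transfer must not keep the old job's rights.
        self._accounts[username].roles = set(new_roles)

    def offboard(self, username: str) -> None:
        # High turnover: leavers are disabled and stripped of roles immediately.
        account = self._accounts[username]
        account.active = False
        account.roles.clear()

    def is_allowed(self, username: str, permission: str) -> bool:
        account = self._accounts.get(username)
        if account is None or not account.active:
            self.audit.append(f"DENY {username} {permission} (no active account)")
            return False
        # Unknown roles grant nothing; a permission needs an explicit grant.
        granted = any(
            permission in ROLE_PERMISSIONS.get(role, frozenset()) for role in account.roles
        )
        self.audit.append(f"{'ALLOW' if granted else 'DENY'} {username} {permission}")
        return granted


def demo() -> dict[str, bool]:
    """Walk through hire, transfer and offboarding with constructed accounts."""
    directory = AccessDirectory()
    directory.add("anna", "front_desk")
    directory.add("ben", "finance")
    results = {
        "anna_reads_reservation": directory.is_allowed("anna", "reservation:read"),
        "anna_reads_card_token": directory.is_allowed("anna", "card_token:read"),
    }
    directory.change_job("anna", "finance")  # one update, effective everywhere
    results["anna_after_transfer_card_token"] = directory.is_allowed("anna", "card_token:read")
    results["anna_after_transfer_reservation_write"] = directory.is_allowed("anna", "reservation:write")
    directory.offboard("ben")
    results["ben_after_offboarding"] = directory.is_allowed("ben", "invoice:read")
    results["unknown_user"] = directory.is_allowed("mallory", "invoice:read")
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

The design choice worth noting is that `change_job` replaces the role set instead of adding to it, and `is_allowed` returns False for anything it cannot positively match, so staff who move between departments or leave never retain access by omission.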
Best practices for hospitality process and data security at DocMX
We have worked with the largest hospitality organisations like Hilton, Marriott or IHG. We have designed secure and simple processes for their Finance, HR, Front Desk and other teams. These processes enable collaboration, make data easily accessible to those who need it in their job – and only them.
At DocMX, we undergo stringent ISO certification processes annually, to safeguard individual information management systems to the highest degree possible. We follow a globally recognised set of policies and best practices aligned to the management and security of information, ISO27001. Such standards contribute to our clients attaining PCI and GDPR data security standards.
We also offer strong identity management and permissions control, including advanced Single Sign On (OpenID Connect, OAuth2) and integration with various enterprise Identity Providers. All data is encrypted at rest and in transit, and firewalls and real-time threat detection prevent all unauthorised external access.
We use dedicated hosted environments for each client to bulletproof data privacy conditions. As a matter of fact, we are an official partner of Amazon AWS, one of the highest-grade cloud service providers in the world. Therefore our customers benefit from global data centres, stable network architecture, data security, storage & recovery standards that meet the requirements of the most security-sensitive organisations.