By Margaret Ady
These days, we tend talk about cybersecurity far less than we talk about melting icebergs or political problems or plastic straws. And, of course. Those are things we can do a little something about; we can make our own tiny dent in the environmental crisis or get out the vote, but cybersecurity is one of those problems that feel far out of most our hands. Yet, we all have important, essential, identifying information flying around the web, apps, stores, airlines, and—hotels. Consumers are relying on businesses to be transparent and secure, and hotels are one of the most targeted industries (just behind retailers) by cyber attackers.
A study by IntSights on cyber threats in the hospitality industry found 13 “notable data breaches” in the past three years (PhocusWire). The study also dove into chatter in the dark web and found that Hilton had a 31% share of mentions followed by Marriott at 28%. We can’t all go independent, and even that doesn’t prevent data threats, so what do hotels do to not only protect their guests’ data but also to demonstrate to guests that security is, well, secure? Because they don’t think it is. Nearly 70% of travelers don’t believe hotels are investing enough in cybersecurity and nearly half note their trust in a hotel’s cyber defenses influences if they book a stay with them (HotelTechnologyNews).
For hotels, the issue of cybersecurity is—or should be—among the most critical factors in partnering with any third-party. If your tech partners have security gaps, they become your problem. Hotels have financial liability for security breaches even if the breach occurs via a third-party vendor, not to mention the damage to the brand.
With so many interconnected technologies the risk is greater and greater that you’ll run onto a technology that isn’t wholly secure. For instance, some brands adopt technologies that share customer data between one hotel and another, which, if not handled properly, can easily lead to a privacy breach. The first step is to treat security as more than a checkbox on an RFP for a vendor. Ask in-depth questions about how security is handled, how data is protected, what privacy standards the vendor keeps, all security-related certifications they maintain, and any measures hotels must take on their end to ensure security.
At a minimum, the following standards must be upheld in order to consider a technology partner:
- GDPR Regulations – GDPR stands for General Data Protection Regulation. It is an EU regulation came into effect on May 25, 2018. It was created to build transparency as to how companies collect, store and share their customers’ and their employees’ personal data. It impacts any company that does business in the EU (domestic businesses as well as those that target goods and services to EU citizens). Because it’s a complicated regulation that affects hotels worldwide and executes hefty fines for noncompliance, look for a tech provider that has a point person specifically responsible for ensuring products and marketing are in compliance.
- PCI Compliance – PCI DSS is short for the Payment Card Industry Data Security Standard. As opposed to GDPR, the PCI DSS is not a law, but a standard defined and maintained by an independent entity created by major payment card brands. Whenever you want to accept credit cards from brands like VISA and MasterCard, you are required to be compliant with this security standard. The PCI DSS can be seen as a collection of best practices or rules on how to treat the sensible payment card data entrusted to you by your guests in order to prevent data breach and fraud.
If payment card data you handle is leaked and misused the payment brands will penalize the acquiring bank. Those fines might be passed to you as a merchant if you are found to be non-compliant. They can be somewhere between 5,000 EUR and 100,000 EUR for every month you are non-compliant. Hotels should look for PCI DSS Certified vendors to ensure compliance.
- Cloud-based – The idea of the cloud seems loosey goosey but that’s mostly just the name; it conjures images of a bunch of data floating around out there pell mell in the ether. But nothing could be further from the truth. Legacy systems are far more problematic when it comes to security due to the on-site location of the system and the greater difficulty in implementing updates and security patches. Cloud-based technology offers a whole range of security measures that most companies aren’t able to provide for themselves like multi-factor authentication, enterprise-level security and firewalls, intrusion detection, and industry-standard SSL encryption. However, because cloud-based computing uses the internet to transfer information, all vendors must be on their A-game when it comes to ensuring constant security maintenance.
Once the specific aspects of security have been considered across all hotel vendors, in order to shift guest perceptions of cybersecurity, hotels are challenged with branding themselves as secure in the eyes of the guest. As breaches become even more commonplace, hotels will be required to prove their security measures ahead of the booking. Those who begin now will have a greater edge in the future, especially considering Millennials (24-35-year-olds) believe they are most vulnerable to a cybersecurity breach when staying at a traditional hotel rather than an Airbnb (HotelTechnologyNews). As travelers become skeptical of the hotel industry’s ability to keep up with security measures and begin looking more closely before they book, properties will be challenged not only with ensuring security but also with conveying that to the traveler.