By Jeff Venza

Steven Chabinsky once said, “Thinking of cybersecurity solely as an IT issue is like believing that an entire company’s workforce, from the CEO down, is just one big HR issue.” As we head into the third quarter of 2021, this sentiment rings more true than ever before. Cyber threats are rampant within this digitally driven era. In the wake of the coronavirus pandemic, experts are calling for enhanced due diligence and, in some cases, organizational reform in the realm of cybersecurity.

In fact, recent reports reveal at least 16 billion records, including credit card numbers, home addresses, phone numbers, and other highly sensitive information, have been exposed through data breaches since 2019. The COVID-19 pandemic was, in many ways, the perfect storm for an influx in cyber exploitation. As fear and economic instability took the reins, cybercrime and security breaches took center stage, pushing through the cracks left exposed by a global crisis. From phishing attacks disguised as pandemic news to identity theft and the continued spread of malware, companies have, perhaps, never been so vulnerable to cyber threats. With this in mind, cybersecurity should be viewed as a company-wide initiative, with considerations made across each level of any tech-driven organization.

Sophisticated Attacks Using Sophisticated Technology

Today, technological innovation is happening at a rapid pace. As a result, many of the traditional touchpoints that once defined our personal and professional experiences have become digitized, with convenience and data-driven personalization acting as the heartbeat behind each new platform development. While this marks an exciting time for companies eager to embrace the ongoing digital revolution, we must also recognize that more sophisticated technology creates an environment for increasingly sophisticated cybercrime.

As the platforms companies rely on to remain competitive become more advanced and entrenched in user data, the opportunity for exploitation using many of the same innovations (machine learning and artificial intelligence) grows exponentially. Despite this, research indicates that companies often lack confidence in their internal cybersecurity efforts. For example, studies show that nearly 80% of senior IT and IT security leaders believe their organizations lack sufficient protection against cyberattacks. In comparison, 78% of top-level employees lack confidence in their company’s cybersecurity posture. We also know that, on average, only 5% of companies’ folders are adequately protected. As a company leader, if this doesn’t inspire you to take a closer look at cybersecurity protocol – it should.

To this effect, global cybercrime damages are predicted to cost up to $10.5 trillion annually by 2025. For example, in March of this year, one of the largest insurance companies in the U.S. paid $40 million in ransom to regain control of its network following a ransomware attack. This serves as a cautionary tale for hospitality professionals, specifically, as the industry deals with a wealth of sensitive data and guest information. And for hotels, a security breach resulting in compromised guest data can damage a property’s reputation beyond repair.

Proactively Manage Cyber Risks

Gone are the days of relying solely on built-in firewalls, and gone are the days of assuming company-wide adherence to security measures without dedicated management. Instead, companies today should be leveraging a formal cybersecurity program in conjunction with dedicated technology and resources to effectively protect the information housed within their digital infrastructure. Moreover, employees across all levels of the organization should be provided with a comprehensive understanding of their responsibilities relating to guest data and identifying (and warding off) cyber threats.

With this in mind, a strong cybersecurity strategy includes consideration of the following:

  • Quarterly assessment of third-party risks and vulnerabilities
  • Implementation of security controls and permission(s) to sensitive data
  • Privacy regulation compliance
  • Layered security for data protection
  • PCI DSS compliance
  • Company-wide cybersecurity education to ensure compliance
  • Established security protocol/training for staff working from home

Formalized security processes should include:

  • Risk identification/classification
  • Identity and access management
  • Incident response measures
  • Network and application security
  • Malware scanners and protection, anti-virus upgrades
  • Multi-Factor Authentication
  • Password vaults
  • Firewall as a service
  • Regular system back-ups

Just as cyber risks are ever-evolving, a hotel’s cybersecurity protocol must also evolve and adapt based on frequent reassessments of risks and vulnerabilities. In this regard, a stagnant, one-size-fits-all approach to cybersecurity is an ineffective one.

So, hoteliers, I ask you this. Is cybersecurity an ingrained part of your hotels’ culture? It should be.

In the realm of hospitality, cybersecurity cannot be treated as an afterthought, nor should it be viewed as an optional investment; rather, it’s the cost of doing business in any data- and tech-driven landscape. More importantly, the financial and reputational damage associated with security lapses of varying scale is, unequivocally, more costly to a hospitality brand than proactively investing in security solutions and programs before an incident. After all, the average cost of a data breach is $3.86 million as of 2020. In 2021 (and beyond), hotels simply cannot afford to do business this way.