Cybersecurity in the hospitality industry

The world today is more digital than ever, with technology playing a critical role in daily operations and businesses. Over the past two decades, cybersecurity has become a pressing concern as cyberattacks have grown more frequent and sophisticated. The hospitality industry, in particular, faces significant challenges, given the sheer volume of daily payments and data transactions. In this article, we’ll explore the importance of protecting guest data and outline the best practices for enhancing cybersecurity in the hospitality industry.

What is data security?

Data security involves protecting digital information from unauthorised access, corruption, or theft throughout its lifecycle. It covers a broad range of security measures, from safeguarding physical hardware and storage devices to implementing administrative and access controls. It also includes the logical security of software applications and the development of organisational policies and procedures. With such interconnected systems in place, the hospitality industry is a prime target for cybercriminals.

Cybersecurity in the hospitality industry

Delivering top-notch customer service requires hotels to collect and process guest data, which makes them attractive targets for cybercriminals. Sensitive information such as addresses, birth dates, phone numbers, emails, and credit card numbers is routinely handled by hotels. As modern hotel operations rely on an interconnected ecosystem - from bookings and payments to room management - this introduces more potential vulnerabilities.

The primary motive behind most cyberattacks is financial. Credit card information is extremely valuable, but the volume of personal guest data processed by hotels is an almost equally attractive target for hackers. Consider these key statistics highlighting the growing significance of cybersecurity in the hospitality industry:

• The average cost of a data breach in the hospitality sector rose to $3.36 million in 2023, up 14% from 2022, according to IBM.
• The proportion of data breaches in hospitality doubled from 2% in 2019 to 4% by 2023.
• Nearly one-third of hospitality organisations have experienced a data breach, with average costs of around $3.4 million.

To emphasize the importance of cybersecurity, let’s look at two real-life examples that illustrate the consequences of not taking necessary precautions:

Data compromised at MGM Resorts

A recent example underscores the urgency of cybersecurity in the hospitality industry. In mid-2023, MGM Resorts fell victim to a cyberattack initiated through social engineering. A hacker impersonated an employee and gained access to a super admin account. The breach resulted in encrypted guest and company data, as well as disruption to keycard and payment systems. The total financial damage exceeded $100 million, including legal fees, consultancy costs, and reputational harm.

Major data breach at Marriott International

In June 2022, Marriott International suffered its third major data breach in eight years when hackers used social engineering to access an employee’s computer, exfiltrating 20 GB of data, including confidential information. Marriott stated that its core network wasn’t compromised, but non-sensitive internal business files were accessed. The company identified the breach before the attackers attempted extortion, which Marriott refused to pay. Marriott notified 300-400 individuals and law enforcement. Previous breaches in 2014 and 2020 affected millions, with the 2014 breach leading to a $15.4 million fine for failing to safeguard customer data.

The most common cyberattacks in the hospitality industry

The hospitality industry is particularly vulnerable to several types of cyberattacks due to its reliance on technology and the large volumes of guest data it handles. Here are the most common threats:

• Phishing scams: Attackers send deceptive emails or messages that appear legitimate, tricking recipients into revealing sensitive information like passwords, and credit card details.
• Social engineering attacks: Hackers manipulate individuals using psychological tactics to gain access to confidential information or systems.
• Brute-force attacks: Automated tools are used to repeatedly guess passwords until the correct one is found, often exploiting weak or common passwords.
• Denial-of-Service (DoS) attacks: These attacks overwhelm a system or network with traffic, disrupting operations and denying access to legitimate users.
• Malware: Malicious software such as viruses, worms, or ransomware is covertly installed, allowing hackers to steal data, encrypt files, or disrupt operations.

One might assume that cybercriminals primarily target large hotel chains, and while those are indeed valuable targets, smaller properties must also be prepared. Without proper safeguards, hackers can exploit their vulnerabilities, potentially leading to significant losses.

Best practices to avoid hotel data breaches

Given the human factor’s role in many cyberattacks, staff education and vigilance are critical to preventing breaches. Here are some best practices to help hotels strengthen their cybersecurity defences:

1. Practice basic security hygiene
   • Enable Multi-Factor Authentication (MFA): Add an extra layer of protection by requiring employees to verify their identity using multiple methods.
   • Store and process only necessary data: Minimise the risk of breaches by only collecting and processing essential guest information.
   • Use strong passwords: Ensure that all staff use complex, unique passwords stored securely in a password manager to prevent easy breaches.
   • Keep systems up to date: Regularly update software and systems to patch vulnerabilities and stay ahead of emerging threats.
   • Use detection tools and anti-malware: Implement advanced tools to detect and block potential threats before they cause damage.
   • Lock computers when leaving workstations: Ensure that staff lock their computers when away from their desks to prevent unauthorised access.
   • Maintain system backups: Regularly back up critical data to ensure a swift recovery in the event of an attack.
     
     
2. Practice risk assessment
   Conduct regular audits of systems and procedures to identify vulnerabilities and assess risk exposure. This includes evaluating how data is handled by different applications, such as reservations and payment systems, and ensuring staff are aware of security protocols. Focusing resources on the most vulnerable areas can help reduce overall risk.
   
   
3. Create a cybersecurity policy
   A well-defined cybersecurity policy is vital for any hotel. This policy should clearly outline staff responsibilities, action plans for potential incidents, and the correct procedures for securely handling guest data. Keeping this documentation up to date is key to maintaining an effective defence strategy.
   
   
4. Work with the right partners
   Hotels rely on multiple technology partners - ranging from hotel management systems to payment processors and HR tools. Carefully vetting partners and ensuring their security compliance is essential to protecting guest data and maintaining operational security.
   
   
5. Raise awareness
   Cybersecurity should be a shared responsibility, extending beyond the IT department. Employees, who are often the first line of defence, need regular training on the latest threats and security procedures. Ongoing education is critical to building a vigilant workforce capable of responding to cyber threats effectively.

How SabeeApp helps to prevent cyber attacks

SabeeApp prioritises security to help hoteliers prevent cyber attacks. As a native cloud-based service hosted on Amazon Web Services (AWS), SabeeApp benefits from one of the best infrastructure and advanced security protocols. All data traffic is encrypted, passwords are hashed, and critical data is stored using multi-layered encryption. Regular penetration testing ensures vulnerabilities are identified and addressed. SabeeApp is PCI-DSS compliant, guaranteeing that all online transactions, including those processed through our secure integrated payment system, SabeePay, meet the highest standards of payment security.

SabeeApp also offers 2-factor authentication (2FA), adding an extra layer of security during login. This only means a few extra clicks for you, but greatly improved protection for your account. With 2FA you can ensure that only authorised users can access your account. SabeeApp account owners also have the freedom to make 2FA a requirement for all of their users. These security measures help you manage your hotel operations while minimising the risk of cyber threats.

Activating and enforcing 2FA is just a few clicks in SabeeApp

Conclusion

Cybersecurity in the hospitality industry is becoming increasingly critical as digital threats evolve alongside technological advancements. Protecting your hotel’s reputation and preventing costly data breaches requires staying informed about the latest security risks and solutions. SabeeApp offers a secure, cloud-based hotel management system that makes hotel operations easy and effective. With its integrated, secure payment system, SabeePay, and 2-factor authentication (2FA), SabeeApp helps you protect both your hotel and guest data. Click here to learn more about the benefits SabeeApp can bring to your hotel!