The hospitality industry has become an attractive target for cybercriminals who specialize in stealing data or holding it hostage. Hotels have troves of such data: personal info, credit card details, passport and driver’s license numbers, travel habits, even personal preferences such as in-room entertainment and minibar choices. Threat actors also have leverage in hampering hotel systems. The 2023 MGM Resorts hack in Las Vegas shut down slot machines, elevators, and guestroom keycards, and it cost MGM about $100 million.
Not to pick on MGM. Some 31% of hospitality firms admit to having been hacked at some point, most more than once, with an average cost of $3.4 million. Industry titans including Marriott, Hyatt, Hilton, IHG, Wyndham, Choice Hotels, Trump Hotels, Radisson, and Omni all count among the victims.
Making matters worse, hotels have a lot of what cybersecurity experts call “attack surface.” There are high transaction volumes, complex supply chains, global operations with diverse security standards, and lots of legacy platforms and aging systems. There’s high staff turnover and, often, seasonal staff, with minimal training in good cybersecurity hygiene. There are also growing numbers of digital touchpoints – not least a proliferation of internet of things (IoT) devices that can render an HVAC system a customer-data threat. Mergers and acquisitions exacerbate problems as additions in regions with weaker data-protection laws, aging IT infrastructure, and weak security bring outsize threats with them.
Fortunately, problems invite solutions, and the industry is implementing them. Here are five of the most important steps hospitality organizations can take to boost cybersecurity.
- Create a strong cybersecurity governance model
A cybersecurity governance model is a framework to guide an organization’s approach to protecting its data. It enables hotels and resorts to implement consistent cybersecurity practices across all properties and partner networks. It should cover five pillars: identify, protect, detect, respond, and recover.
A cybersecurity governance model is not a one-and-done effort, but rather a continuous process that’s ideally part of the organization’s strategic-planning regime. Additions to the digital footprint such as new check-in technologies, smart-room features, resort expansions, and property acquisitions may mean updates to the model. Cybersecurity is ultimately a business issue, and the cybersecurity governance model codifies that.
- Move to the cloud (if you haven’t already)
The cloud brings many benefits, and cybersecurity is a big one. Consolidating systems in the cloud can unify security operations, standardize security protocols, and reduce reliance on legacy systems. The cloud enables secure logins, end-to-end encryption, centralized access management, and continuous updates and patches. It also provides a unified way to ensure that IoT devices are password protected, have updated firmware, and encrypt the data they transmit.
Further, the cloud enhances compliance by aligning with global data privacy regulations. It allows regular vulnerability assessments and penetration testing. It enables security information and event management (SEIM) systems that provide a bird’s-eye view of activity across the organization’s entire network and enable faster threat response. And the cloud has built-in disaster-recovery, minimizing downtime if there is an attack.
- Turn human behavior – the weakest link in hospitality cybersecurity – into an asset.
Social engineering hacks such as phishing represent exceptional threats to hotels and resorts. Hospitality organizations should institutionalize cybersecurity awareness at all levels. Mandatory onboarding sessions, periodic cybersecurity training refreshers, and phishing simulations can help staff develop a security-first mindset. Implementing role-based access controls ensures that users only access data relevant to their function. Automated, immediate provisioning and deprovisioning minimize risks from staff transitions, and multifactor authentication and access revocation policies should be enforced universally.
- Pay particular attention in M&A
M&A due diligence must include cybersecurity audits, the results of which identify inherited vulnerabilities and inform the integration roadmap. Cloud integration is vital here, as it enables the quick adaptation of the less-sophisticated entity to unified user-access policies, the standardization of security protocols, and the transition of legacy systems to modern governance frameworks and systems, significantly reducing postmerger exposure.
- Embrace AI in cybersecurity
Gartner estimates that, by 2027, 17% of all cyberattacks will involve generative AI, primarily in mass social-engineering attacks. But AI also increasingly helps hospitality organizations harden their defenses. AI can monitor data traffic, including at connected supply chain endpoints; detect anomalies at both data center and application levels in real time; and trigger automatic responses faster than manual teams – and AI can do it all 24/7 across multiple sites and regions, which is invaluable for a hospitality business that never sleeps.
Also, AI can scan systems to pinpoint vulnerabilities and conduct predictive analysis to suggest security improvements, and, if there’s a breach, it can isolate impacted areas, notify the right people, and even activate AI agents to counteract the threat.
AI is evolving fast, and AI-based threats will mutate accordingly. But then, cybersecurity has always been a moving target.
Now more than ever, hospitality organizations must partner with cybersecurity experts and technology providers to stay abreast of the latest threat intelligence, AI innovations, and benchmarking against global best practices to keep vital systems – and guests – safe going forward.
