Cybersecurity in 2025 for hotels is a game of Russian roulette. Odds are you’ll be safe most of the time, but then there’s the outside chance that it’s game over. The risks are far too great, and this is a topic that deserves constant and close study.
Given the amount of sensitive data and tech complexities of hotel operations, this makes our companies especially vulnerable to cyberattacks. While there’s a ton of ground to cover for all the various elements of cybersecurity, in speaking with Aleksander Ludynia, Chief Security Officer for Shiji Group, one point to further emphasize is the human factor in presenting security weaknesses and developing a strong security culture.
The Human Stack Only Gets Leaner
The issue of strengthening the human stack echoes the broader message of the current Thematic with Shiji focusing on seamless data via a single provider:
In today’s world of leaner upon leaner hotel teams, all-in-one systems increase operational efficiency, not only by augmenting data connections but by saving managers’ time in having to maintain numerous single-task endpoints.
And it’s our team’s time that’s increasingly being squeezed, wherein regular security processes may be put off due to a lack of bandwidth.
- One vendor means one throat to choke (the fun way of saying ‘buying power’)
- But it also means one vendor to monitor and communicate with for security patches
- One platform to train and retrain teams on for security procedures
- One vendor to work with for proper data encryption (in transit and at rest) and local regulatory compliance
- One system to govern access credentials, set up 2FA (two factor authentication) security measures, update whitelisted IPs and remove old records (especially important for seasonal, temporary or transient workers)
Why are hotel teams getting leaner? That’s a whole other article touching on many macroeconomic changes afflicting our industry, but the take-home message is still clear.
Teams will be asked to do more with less going forward. Some vital cyber procedures may be missed due to a lack of time or focus. Hence, hotels need ever morsel of business process automation (BPA) available, for which transitioning to an all-in-one-centric IT infrastructure may be just what’s needed to keep pace with broader changes.
AI-Driven Social Engineering
Most IT professionals know that phishing attempts via disguised emails or other channels represent one of the most common points of entry for bad actors. This falls under the broader category of ‘social engineering’ and — as before with the risks posed by ever-leaner teams — it’s the human factor that’s of concern.
While most hotels, and all businesses for that matter, conduct some form of training, auditing and simulated attack to protect against social engineering, the risk with generative AI is that these phishy emails now look exceedingly genuine.
They have perfect grammar. They can alias as a business colleague (as aided by a bot to scrape the web and reason who you are most likely to be in regular contact with). They can pull details from your social media feeds in order insert personal details.
Adaptive malware is becoming scarily smarter and “personalized”. And all it takes is one slip up for a hacker to get in, wait patiently, then move laterally to cause a large-scale shutdown. Yes, zero-trust security architecture works far better to preventing this than castle-and-moat, but the fundamentals remain the same: bad actors will continue to exploit the human stack to gain entry.
As Ludynia stated, what’s needed to safeguard hotels against these CONST’s tly evolving threats is a security culture. Hotel teams have to make this a regular, recurrent process, while executives must ensure there’s adequate budget and time for promptly tending to important security tasks.
Ultimately, I see security culture as a huge positive for increasing team morale and making hotels great places to work. In the face of automation as a result of agentic workforces, social engineering can happen to an individual’s accounts just as much as it can happen to enterprises or SMBs. Hackers throw out a net, and see whichever fishes they can catch.
Hence, in a ‘start with why’ manner, hotels can turn cybersecurity into a positive for its teams by giving them the education and training to make this a lifelong skill. It’s time to put the hospitality back into a hotel’s security culture!
