2020 Hotel & Restaurant Security Study

10/31/2019

The saying among security experts goes, “There are two types of companies: those that have had a security breach and those that don’t know yet that they have been breached.”

Hospitality has been a target of hackers for many reasons, perhaps sometimes due to a sluggishness to roll out appropriate measures to protect organizations. Data has become a commodity not only for hotels and restaurants, but for hackers and fraudsters as well. News of security lapses in the hospitality industry has become increasingly common. In 2017, the BakerHostetler Data Security Incident Response Report put hospitality as the fourth most impacted industry for data breaches after healthcare, finance and higher education. As more ways to utilize guest information for nefarious gain materialize, bad actors who seek ways to access valuable data from businesses will not be deterred.

One well-placed security roadblock simply becomes a detour for fraudsters to find new routes to valuable guest, payment and business data. With this, companies need to be hyper-vigilant, which can yield confusion, frustration and a general sense of hopelessness as businesses struggle to stay ahead of the security curve – or curveballs.

In Hospitality Technology’s 2020 Payment & Data Security Study, hotel and restaurant operators pull back the curtain on security investments, strategy and frustration points to provide a fuller picture of the state of security in hospitality.

Benchmarking Security Budgets & Investments

Technology budgets for hotels and restaurants are notoriously lean. Hospitality Technology’s annual lodging and restaurant studies indicate that in 2019, hotel technology budgets on average were 4.6% of overall revenue and restaurant budgets were even sparser at 2.5% of overall revenue. That same research indicates that security measures fall under the purview of IT, as 22% of restaurant executives report that improving security is a strategic goal of IT investments and hotels rate enhancing data and payment security as a high priority.

Technology creep means that IT spend is spread across the enterprise, which requires careful thought when making allocations. Respondents were asked to estimate the average percentage of overall technology budgets that are earmarked for security measures. In 2019, hotels and restaurants both allocated 22% of overall IT spend for security. Looking ahead to 2020, both industries plan to put more resources toward security.

Overall, restaurant security budgets will increase slightly at 2%. Hotels, however, anticipate a more sizeable increase in spend, as on average, the overall increase in security budgets is 14%.

For a fuller picture of current security strategies in hospitality, respondents were asked to identify tactics already in use in their organizations and those that will be implemented within the next year. The results indicate that hotels (Chart 1) are more advanced in security practices compared to restaurants (Chart 2). More than 50% of hotels have already implemented 12 of the 14 areas measured. On the restaurant side, nine measures had 50% or more implementation.

CHART 1

Hotels and restaurants both have widespread implementation of anti-virus software. All of the hotel respondents and 93% of restaurants say they already have anti-virus tech in place, which is not surprising as the majority of computer systems come with embedded anti-virus software and costs have fallen considerably over the years.

Firewall software is the second most implemented tactic for both hotels (94%) and restaurants (93%), with the remaining respondents planning to implement it within 12 months. Restaurants are slightly more advanced with PCI compliance (87%) than hotels (82%), but hotels’ planned investments make up for the current lag. Restaurants fall behind when it comes to EMV, with slightly more than half (56%) of respondents currently having EMV-compatible systems compared to 69% of hotels. About one out of three restaurants (33%) plan to implement within 12 months, making it the top priority in terms of implementation. Another 25% of hotels indicate implementation plans. This indicates that restaurants are still playing catchup in the post-liability shift era, likely due to the costs of updating POS hardware to go from swipe to insert. This will impact the ability of many restaurants to invest heavily in other security-related areas. Hotels meanwhile are slightly farther along with EMV, as 70% of hotels have already implemented devices and 25% plan to do so within 12 months. This is most likely due to mandates from brands.

CHART 2

Hotels & Restaurants Focus Security Dollars on Detect & Deter

Security tactics that will see greater adoption in both hotels and restaurants focus on two key areas: deterring breaches as well as detecting where breaches are likely to occur.

Hotels will be bullish about making sure system weaknesses are identified before a breach can occur. The majority of hotels already have implemented access control (75%), internet security systems scanner (73%), encrypted login (71%), intrusion detection and endpoint detection and response (67%). Each of these will see increased implementation in the next 12 months to near or exceed 90% implementation rate in hotels.

Another way to stay ahead of potential breaches is through vulnerability scanning, which examines computers and networks to identify weak points that could be potential security holes. This technology also calculates the efficacy of possible counter tactics. Respondents indicate that vulnerability assessment is already in place for 64% of hotels, and 36% plan to implement in a year.

Restaurants also see the benefit of proactive strategies with 68% performing vulnerability assessment scans and another 16% considering the technology. Other tactics currently utilized by restaurants to detect potential security breaches include intrusion detection systems (59%) and endpoint detection and response (50%).

Preventative measures that restaurants already utilize include encrypted logins (50%), multi-factor authentication (MFA; 47%) and encrypted files (44%). These strategies are expected to increase in usage in 2020 as 30% of restaurant operators are considering adding encrypted logins, 29% will add MFA and 28% will add encrypted files to their security measures.

 

Survey participants were asked to evaluate a list of 18 statements and rate their agreement from strongly disagree to strongly agree. The resulting sentiment meters for hotels (Chart 3) and restaurants (Chart 4) indicate areas of confidence and concern.

Hotels report strong agreement when asked to consider updating anti-virus files regularly, training employees on how to protect computers and being up-to-date with security software updates and patches. Hotels also are generally confident that electronic connections to outside partners are protected, with 46% strongly agreeing and 23% agreeing. An equal number of participants (40%) strongly agree and agree that they have a method of authorizing new accounts and getting rid of old ones. This is encouraging news considering the high turnover rate in the hospitality industry; however, there remains anecdotal evidence that former employees often tell others that they can still log in to critical company software with the username and password they had years ago. The majority of hotels feel they have complicated password policies, with 53% strongly agreeing and 20% agreeing.

About one out of three hotels (33%) strongly agree that their organizations have procedures to identify users before resetting passwords and the same amount say they have an emergency plan for network failures.

Hotels do not believe they have enough resources to monitor and protect electronic information. Only a small percentage (13%) strongly agreed that their organization provides enough resources to monitor and protect electronic information security, 19% agreed, while 19% disagreed, and 6% strongly disagreed. This aligns with hotels reporting the top challenge facing security is lack of budget.

Restaurant sentiment deviates from hotels markedly when it comes to backing up information on a daily basis. Overwhelmingly, this is a practice that restaurants have adopted, with 100% agreeing with the statement. In contrast, 27% of hotels disagreed.

Restaurants are also confident in the connections to outside partners and 63%.

Restaurant sentiment indicates that IT staff is lacking in security acumen, but brands are taking steps to make sure that all employees – front-line to kitchen to managers – are not the weak links in a security strategy. A majority of restaurants (63%) say they have some method of authorizing new accounts and getting rid of old accounts and 71% have a procedure for identifying users before resetting passwords. Slightly less than half (40%) train employees on how to protect their computers (laptop and desktop) both physically and electronically.

Both hotels and restaurants disagree that the same security policies are in place for mobile systems. While mobile solutions must be a top priority for security strategies, they should be evaluated in distinct ways as they are open to different attacks than other pathways.  

 

Hotel & Restaurant Security Efforts Stymied by Insufficient Budgets, Network Demands and Lack of Skilled Staff    

Both hotels and restaurants stress that more investment is needed in order to effectively steel organizations against security risks (Chart 5). Where these budget dollars need to be allocated can be seen in the challenges that hotels and restaurants identified as fast-followers to the lack of funds issue.

Restaurants are not confident that employees are adequately trained to be a part of a security strategy. This sentiment aligns with the increased focus in utilizing technology to identify network weaknesses and possible pathways for hackers to gain access, rather than rely on staff to be able to do so. Unskilled staff is second only to lack of budget in challenges impeding progress in security in restaurants.

Hotels put the increasing demands being placed on networks as both guests and staff require robust and constant access as the second hurdle facing security progress. Hoteliers echo the sentiment of restaurant operators in that an unskilled or untrained workforce makes the successful execution of security practices increasingly difficult.

 

CHART 5

Looking Ahead: Alternative Payments Could be Key to Solving for Security Risks

To get a sense of how security technology may evolve in the future, respondents were asked to select the technologies or technology developments that will have a significant impact on IT security in the hospitality industry in the next three to five years (Chart 6). The most popular development for hotels was cloud systems, with 27% of respondents naming that a top technology. This was followed by equal representation of 20% for next-gen firewall (NGFW) and alternative payments (Venmo, Alipay, etc.). The rise of mobile payments could serve a major function for protecting hotels and restaurants by removing credit card information from properties, thereby protecting the brands from liability and risk.

1 out of 3 restaurant operators believe alternative payments will be a game changer for security.

Restaurants also ranked the migration to cloud systems as one of the top positive impacts on security (27%); however, foodservice brands see more benefit in the development of alternative payments (31%), making it the top pick.

CHART 6

RISK, REACTION & RESPONSE

When asked about experiencing a data breach in the last five years, one third of hoteliers (35%) answered affirmatively. Of those companies that had experienced a breach, proportionally, the cumulative percentage of inside and outside attacks was the same (60%). The results indicate that 40% of all those breached received internal attacks, 40% were impacted by external attacks, and the remaining 20% suffered from both. Interestingly, those respondents who reported the highest number of breaches (10) in the last five years were attacked from outside.

The majority of respondents representing the restaurant segment did not experience a data or payment breach in the last five years (88%). The remaining 13% of the restaurant sample reported being affected by a data or payment breach, which is about 2.5 times lower than in the hotel sector. Interestingly, the restaurant industry was not affected by attacks from inside (100%), but instead reported one (50%), two (25%), or three (25%) external data breaches.

35% OF HOTELS HAVE EXPERIENCED A DATA BREACH IN THE LAST FIVE YEARS

Respondents were asked to indicate all channels that alerted them about the breach or breaches that they experienced (Chart 7). The most frequently reported categories for hoteliers were company partner or law enforcement, and bank or credit brand (40% each), followed by internal self-assessment by security staff, and customers (20% each), and lastly, by internal check from hired security assessor or monitor (10%).

CHART 7

Restaurants were most frequently alerted to the breaches by a bank or payment card brand (50%). In other instances, a breach was discovered during self-assessment by in-house security staff (25%), reported by a customer (25%), and identified by a restaurant partner or law enforcement (25%).

Charting Hospitality’s Most Common Breach Incidents

By the nature of the breach incident, customer personally identifiable information was the most attractive to hackers for hotels – 40% of respondents experienced this type of breach. This finding is not surprising, as the lodging industry is guest-centric and transient, generating high volumes of customer information on a daily basis. The results of this study confirm that hotels and restaurants still need to be increasingly vigilant about protecting customer information and privacy.

  • Privacy & the Impact on Security

    Global Data Privacy Regulations (GDPR) and U.S.-based privacy legislation including, but not limited to, the CCPA (California Consumer Privacy Act), are changing the privacy landscape. This will have implications for security teams responsible for making sure guest data is used appropriately and that guests are alerted as to how, where and why their data is being used. This study’s findings indicate that hotels have made further strides in this regard, with 60% feeling they are compliant with GDPR rules and 20% saying they will be in 12 months. Restaurants admit to not being compliant with GDPR standards at this time, but 22% plan to make it a focus in 2020. However, 78% reveal they don’t believe the regulations are a high priority for their business. As more domestic policies are rolled out, we anticipate privacy regulations becoming more of a focus for restaurants.

The next most frequently reported attack category for hotels was system penetration by outsider (30%). The third place went to viruses (20%). This finding is unexpected in light of previously reported adoption of anti-virus software (100%). However, it is in line with the cumulative percentage of those hotels that do not update the antivirus files regularly (18%). Such results remind hoteliers that it is not sufficient to only install anti-virus software; rather, the regular maintenance and updating of systems will be key to a successful security strategy. Regular scans and timely updates are necessary to ensure protection.

Most restaurants were affected by system penetration by outsider (50%) and phishing (50%). Other types of incidents were reported by restaurants equally frequently, and included card track (mag stripe) breach (25%), and spoofing (25%). With a quarter of restaurant breaches still being related to mag stripe, the increase in EMV investments referenced earlier in this report will be a key part of reducing that number. Phishing scams and spoofing often target employees, therefore restaurants – and hotels – must prioritize training staff on what to be aware of when accessing any company systems.

On the positive side, none of the hotels or restaurants that participated in the study were affected by card-not-present data breaches, denial of service attacks, laptop/cell phone theft, unauthorized insider access, cryptojacking, or attacks on IoT devices.

 

THE COST OF A BREACH

As reported by hoteliers, the cost associated with a data or payment breach ranges from $0 to $15,000,000. Unfortunately, the most frequently reported category was the highest cost category – $15,000,000 (20%). Restaurants reported breach-related costs in the range from $20,000 to $11,000,000. However, half of the responses were clustered in the $20,000-$25,000 range, and the other half in the $10,000,000-$11,000,000 range.

WHO YA GONNA CALL? REPORTING EFFORTS POST BREACH DETECTION

After experiencing a data breach, 30% of hoteliers chose not to report the incident, and the remaining 70% reported to one or multiple agencies. Of those brands that did report the incident, the majority of hoteliers notified legal counsel (70%). The next most frequent reporting protocol was notifying law enforcement (50%).

In the case of the data or payment breach, all restaurants (100%) reported the incident to legal counsel, and half of the study participants representing the restaurant segment notified law enforcement (50%).

 

  • MOST COMMON BREACH REPORTING PROTOCOL

    Agency                         HOTELS    RESTAURANTS
    Reported to law enforcement    50%       50%
    Reported to legal counsel      70%       100%
    Did not report                 30%       0%

Learning from the Hard Lessons: Hotels & Restaurants Rank Mitigation Steps

Respondents who experienced breaches also reveal the steps taken to prevent future incidents. The most popular approaches to mitigate the risk of future breaches in hotels were to replace the software or system that was the point of intrusion (60%) and to work with a consultant (60%). The next most frequently reported measure to avoid future breaches was to patch the holes (40%). About one out of five hoteliers (20%) chose to rely on vendor partners to diminish the impact on the brand. About one third of hotel respondents (30%) used “other” tactics as well. The “other” category included such measures as refining policies and procedures, changing internal processes, and enforcing security measures in employee training.

  • STOP THE BADNESS: TOP METHODS TO PREVENT FUTURE BR

                                                  HOTELS    RESTAURANTS
    Replaced software/systems                     60%       50%
    Worked with consultant to mitigate risk       60%       50%
    Patched holes                                 40%       75%
    Relied on vendor partners to diminish impact  20%       50%

The majority of restaurant operators (75%) relied on patching holes as the key method to avoid future breaches. The next most popular strategies included replacing the breached software or systems (50%), working with consultants (50%) and vendor partners (50%) to mitigate future threats. One quarter of respondents (25%) indicated that they used other measures to offset potential future risks. One example of such a measure is implementing enhanced internal control mechanisms.

  • METHODOLOGY

    Hospitality Technology polled restaurant and lodging executives in the third quarter of 2019. 

    Breakdown of Business Types
    Restaurant    52%
    Hotel         48%

    Represents 3767 restaurant properties.

    QSR/FAST CASUAL    83%
    FAMILY CASUAL      15%
    FINE DINING        2%

    HOTEL
    Corporate brand       34%
    Management company    28%
    Independent           24%
    Franchisee            10%

    EXECUTIVE MAKEUP
                     TOTAL    RESTAURANT    HOTEL
    C-Suite          25%      31%           17%
    SVP, EVP, VP     18%      16%           21%
    Director         43%      44%           41%
    Manager          11%      6%            17%

    FAMILIARITY WITH SECURITY STRATEGY
                          TOTAL    HOTEL    RESTAURANT
    Extremely Familiar    90%      86%      94%
    Very Familiar         59%      66%      53%
    Somewhat Familiar     9%       14%      6%

    ANNUAL REVENUES
                                  TOTAL    RESTAURANT    HOTEL
    < $100 MILLION                56%      66%           48%
    $100 M to $499 million        18%      63%           48%
    $500 M to $999                16%      25%           10%
    $1 billion to $4.9 billion    8%       9%            24%
    $5 billion +                  2%       3%            14%


  • ACADEMIC PARTNERS

    Hospitality Technology thanks its academic partners for their participation in the gathering of data, analysis and writing of this report.
