3 Things Every Hotel Manager Should Do to Ensure Information Security
Every traveler has different needs when searching for a hotel, but there is one factor that seems to be a unanimous requirement -- data security. The growing concern over data security has become a deciding factor for consumers when choosing a hotel, with 77% of Americans saying that data protection is important to them when deciding which hotel to book.
However, despite the growing concern over security when traveling, one in three hospitality businesses admit to having never trained their staff on information security policies, or do not even have information security policies in place. To ensure information security for guests and to mitigate the risk of a data breach within your hotel, there are important aspects hotel managers need to consider.
This article from Shred-it offers three things hotel managers should keep in mind:
1) Your employees are your information security guards – train them as such
The hospitality industry is known for its high employee turnover – a rate of 73.8 percent according to the U.S. Bureau of Labor Statistics – and this can hinder a hotel’s ability to maintain a solid front-line defense. In order to establish a culture of information security, hotel managers should offer ongoing training opportunities for employees at all levels of the business, from housekeeping to management to operations.
Conducting regular training, especially for new employees, is a great way to ensure that new hires are immediately aware of your hotel’s security standards. Hosting seasonal informational sessions will also serve as an opportunity for long-term employees to refresh their knowledge of how to handle the sensitive information they interact with regularly, especially ahead of busy travel seasons like the summertime and holidays.
In addition to being trained on how to handle work documents and devices, employees should also be taught what to do when handling information left behind by guests. From boarding passes to credit card receipts, guests frequently leave physical information behind without knowing the associated security risks. Employees should understand what type of guest information, if left improperly stored or disposed of, can lead to a breach.
An additional security risk hotels often neglect to consider when training staff is their association with external vendors, including airlines, car rental companies, restaurants and retail organizations. Hotels are constantly exchanging information with external organizations, which become access points to sensitive guest and hotel information. It’s important to make sure employees are vetting all third-party partners and ensuring that they have similar standards when it comes to data security. For example, hotels are increasingly demanding that third-party partners become Payment Card Industry (PCI) compliant – the PCI Security Standards Council fights hotel credit card fraud by maintaining global payment card industry standards. This is just one element to check for before sharing any sensitive information or partnering with an external organization.
2) Think twice before tossing
As daily functions and procedures continue to digitize, physical data security is slowly becoming an afterthought, with 32 percent of hospitality businesses admitting they have no known policy for storing and disposing of confidential paper documents. This is despite the fact that as Europay, MasterCard, Visa (EMV) smart payment chip card processes are increasingly adopted, attackers are targeting hotel reception desks where the concierge will often write down phoned-in reservation information. Not only that, dumpster thieves have long been able to obtain sensitive information from garbage that has been inappropriately thrown away instead of shredded.
Implementing a document management process is a great way to create a standard protocol for handling physical data, including how to securely organize documents for storage, retrieval and record-keeping. Additionally, the document management process determines a standard lifespan for physical documents, helping employees efficiently identify which documents should be stored and which need to be securely discarded. Materials that need to be filed should be stored and locked in secure filing cabinets, while all other items should be properly shredded before being discarded.
3) Noncompliance could mean legal consequences
Hotels are considered financial institutions when they are collecting and storing customers’ financial information, which means that they have a responsibility to their customers to follow legislative guidelines to protect against unauthorized access to the personal information of their guests.
There is a range of rules and regulations that hotels need to be mindful of, including the General Data Protection Regulation (GDPR) for those with international guests. It’s helpful to create a security policy handbook that can be used as a reference for employees. In addition to GDPR, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) are just a few privacy laws that apply in this sector, and the employee handbook could serve as a useful resource to house this information.
At the end of the day, widespread damage can make or break a business, especially in the hospitality industry when consumers have limitless options to choose from. Hotels must be proactive in addressing the growing consumer concern over data security and privacy, as their livelihood depends on it.