Over the past few years, the hospitality industry has been the target of numerous security breaches and threats, meaning that now more than ever, hotel businesses must make data protection a priority.
According to Verizon’s 2017 Data Breach Investigations Report, external data breaches constitute 96 per cent of all breaches in the hospitality industry. In 2017, one of the world’s largest hotel chains faced a three-month-long cyber-attack that compromised credit card information at over 1,200 locations. This breach was the result of malware installed on the point-of-sale (PoS) system, which put every single transaction at risk. PoS data breaches are amongst the most common in the hospitality industry, with nearly 9 out of 10 industry breaches linked to point-of-sale.
Third-party vendors, from online booking to keycard room access to digital check-in, that do not have strict data security practices can often put the hospitality industry at risk and are quickly becoming some of the primary drivers of data breaches. One of 2017’s most prominent data breaches involved a third-party reservation system used by the hotel. This system’s security breach allowed unauthorized access to the network of 14 properties, compromising account numbers, credit card information and other critical data. It was later discovered that the third-party system did not encrypt the data, leaving it accessible for months.
While strengthening an organization’s defenses when it comes to cyber security can be complicated, there are simple things organizations can do and policies they can put in place to protect their business and guests from data breaches.
In advance of International Fraud Awareness Week (Nov. 11-17, 2018), Shred-it surveyed more than 1,200 respondents over the age of 18 to take the pulse of consumers and their security practices and to help shed some light on potential concerns within the industry. One of the most interesting findings of the survey was that consumers lack confidence in brands and businesses with whom they share information and that have previously suffered a data breach – regardless of whether they were personally affected. Consumers strongly feel that companies do not do their best in safeguarding their personal information.
According to the survey, 43 percent of consumers believe that personal information they share with businesses could be vulnerable to a security breach and 40 percent of consumers said that they would stop doing business with a company or brand if it had previously suffered a data breach. Because hospitality businesses hold one of the largest repositories of valuable information, such as credit card credentials and identity documents, they are one of the most prominent targets for these breaches. With numerous hotels and restaurants falling victim to breaches over the past few years, it is imperative for businesses to maintain strong security practices to regain the confidence of their customers.
Many guests are increasingly choosing to stay at hotels that prioritize information security since many employees are working remotely or must take work away with them on vacation. As a result, hotels should offer document destruction services or secure places to lock confidential documents. In an industry where customer rapport is everything, and information safety is critical, here are some ways in which your business can raise awareness and stay protected from information breaches:
- Make a comprehensive “shred list” for employees: Despite the industry’s strong move towards digitization, much of the information used and collected by hotels and restaurants continues to be stored physically, which means it is vulnerable to a physical breach. Documents such as copies of travel information, passport and identity documents, licenses, customer lists, etc. should be shredded daily. Train employees to identify materials for shredding and keep a list accessible for all staff. Use Shred-it’s “Knowing what to shred” resource to compile a list of documents for shredding.
- Be Compliant: Verify that the hotel’s privacy policy complies with the federal and provincial laws that apply. Ensure that your staff remains compliant with these laws by making them a mandatory part of staff training to avoid breaches and fines.
  - Regulations such as PIPEDA (Personal Information Protection and Electronic Documents Act) exist to ensure private businesses are not disclosing personal information, and that they are employing the right technology to protect their customers. The Consumers Protection Act also exists in Canada to protect the rights of consumers when conducting business with the private sector.
- IT Safeguards: Stay up-to-date with new technologies being employed in the industry when it comes to information security.
  - In 2017, 88 per cent of hotel guests preferred to book their rooms online. When partnering with online sites for services such as reservations, ensure that these partners are following the same information security standards as your business.
  - Invest in cyber-security tools such as firewalls, tokenization and encryption to avoid online breaches through the business’s website or third-party sites.
  - Regularly update equipment and software with monitoring systems that can detect breaches at numerous terminals to avoid PoS breaches.
- Employee Training: One area of vulnerability in the hospitality industry comes from high employee turnover – among service-level employees, it is often up to 50 percent. Most hospitality employees are on the front lines when it comes to customer service and data security, and high turnover can invariably affect the data security of the business. Ongoing training helps ensure employees understand and follow policies and best practices. They should also be trained on how to recognize potential risks such as phishing.