Combatting Fraud Together: Best Cybersecurity Practices for Hotels
The hospitality industry is founded on customer service, giving travelers satisfaction, safety, and security. But in recent years, the security component has become noticeably trickier.
From shopping to banking to healthcare, consumers have become accustomed to doing everything online, and they expect the same seamless digital interactions when booking accommodations, making reservations, or otherwise engaging with hospitality services.
While digital experiences undoubtedly bring greater efficiencies and smoother customer experiences, they can also open the door to new cybersecurity risks. In fact, a new report reveals there are major cyber vulnerabilities “affecting all top 10 travel and hospitality websites.” According to the report, threat actors are most likely to take advantage of these vulnerabilities during peak travel seasons when they hope increased traffic will help cover their footprints.
But websites aren’t bad actors’ only means of infiltration. A key reason the hospitality industry is an attractive target for fraudsters is its friendly, open, and accommodating nature; in other words, the very characteristics that travelers seek in hotels and travel agencies are also what contributes to their vulnerability.
For example, social engineering attacks are a growing threat for hoteliers. Bad actors manipulate staff into revealing sensitive information by impersonating a trustworthy source, such as a boss, customer, or partner. Today, hotels and other hospitality organizations are facing an uptick in social engineering via fraudulent phone calls. Increasingly, modern attackers are using AI and deepfake technology to mimic the voices of real people with startling accuracy to defraud hotel staff.
Email poses another threat to hospitality organizations, because hackers can also carry out social engineering attacks through it. One common tactic is to pose as a customer of booking representatives, luring employees into clicking on malicious links or opening malicious files, such as HTML attachments.
How Hospitality Organizations Can Step Up Their Cybersecurity
From AI- and deepfake-powered social engineering attacks to ransomware, malware, and other modern hacking strategies, hotels and travel agencies face growing risks, with 31% of hospitality organizations reporting they’ve fallen victim to at least one data breach. But in an increasingly digital landscape where hackers have sophisticated technology at their fingertips, how can hospitality organizations pivot to bolster cybersecurity defenses and deflect fraudulent behavior while still giving travelers the streamlined digital experiences they’ve come to expect?
Retail & Hospitality ISAC (RH-ISAC), a global retail- and hospitality-focused cyber intelligence community, has established a set of cybersecurity industry standards and best practices to guide hoteliers and other hospitality stakeholders.
Top Cybersecurity Best Practices for Hoteliers
- Data Encryption & Multi-Factor Authentication: Hotels are responsible for safeguarding guests’ sensitive data, such as credit card numbers, addresses, and IDs. To shield this information from cyberattackers, hoteliers must take steps to encrypt sensitive data. Securing guest Wi-Fi networks with strong encryption and passwords is also important. Implementing multi-factor authentication (MFA) for administration systems adds another critical layer of defense.
- Update & Patch Software: Whether a hotel is a small independent boutique property or part of an international chain with thousands of locations, all hoteliers rely heavily on digital platforms to manage numerous critical business functions. Digital platforms rely on software that is constantly updated to introduce new features and address cybersecurity vulnerabilities. While a particular feature might not seem relevant to a specific hotel, regularly updating and patching software is essential to safeguarding these systems from cyber threats.
- Cybersecurity Training & Staff Access: A strong cybersecurity posture is about more than just deploying the right tools; it’s also about educating the people who use them. To that end, hotels should prioritize training staff on cybersecurity awareness and best practices, and work to create a culture of accountability for staff. It’s also a good idea to conduct thorough background checks on employees who handle guest data to mitigate insider risk. Additionally, IT teams should restrict employee access to sensitive information on a need-to-know basis, and also monitor and log all access to guest data and systems.
- Risk Assessment & Incident Response Plans: If cyberattackers successfully carry out a breach, hotels should be ready to take action. At all times, hotel executives should be equipped with an incident response plan and team to detect, contain, and mitigate the damage of breaches. It’s also important to conduct periodic risk assessments to identify and address vulnerabilities.
The Best Cybersecurity Defense is Collaboration
Despite modern hackers’ advancing tactics to defraud hotels, hospitality organizations maintain a stark advantage: They have strength in numbers.
By joining forces and collaborating with cybersecurity practitioners in the industry, hospitality service providers can share information and intelligence to solve problems together. As a part of a larger industry group, a hotel can both increase the scope and enhance the capabilities of its security and risk management activities. For example, RH-ISAC offers a global, trusted community for retail and hospitality organizations, empowering them to connect security teams at strategic, operational, and tactical levels to share best practices, exchange intelligence, and work together to build better security for all. Collaborating with industry peers unlocks access to cybersecurity insights, information, and resources that might otherwise be inaccessible to or unattainable for a single organization, especially one with a small team and budget constraints.
Particularly for the hospitality industry, which faces rising cybercrime with consequences for both internal operations and guests’ data, information sharing plays a fundamental role in helping prevent and mitigate cyberattacks. By participating in industry initiatives, hotel executives can double down on their cybersecurity efforts with a collaborative approach that helps them strengthen their cyber defenses, thwart bad actors, and keep their guests, employees, and operations protected.