There have been a myriad of data breaches in the hospitality industry in the past year, with one of the latest being the Choice Hotels data breach. The breach left 700,000 guest records vulnerable, disrupting customer trust and potentially leading to a major drop in customer loyalty, impacting their bottom line.
While cybersecurity hacks are commonplace in the industry, and it’s critical that organizations have processes in place to protect guests from these threats, the threat of physical data security is often not addressed as thoroughly. This begs the question, how can hotels bolster their security processes to better include physical information security protection, and how can hospitality brands ensure they are properly securing sensitive guest information? Let’s explore three steps for hospitality organizations to safeguard their guests’ information, protecting customer trust and loyalty.
- Understand the Connection Between Data Breaches and Consumer Trust
There’s a clear connection between data breaches and consumer trust - when a consumer’s confidential information is compromised, it’s not only an annoyance, but it is often disruptive and may cause financial problems ranging from fraudulent credit card activity to identity theft. Despite the fact that 31% of hospitality businesses think their customers will stop doing business with them if the customer’s information is compromised during a data breach, and 77% of Americans say data protection is important to them when deciding which hotel to book, more than a third (36%) of hospitality organizations don’t consider data breaches a big deal, and think they are blown out of proportion.
Given it’s not only consumers who bear a financial burden, it’s surprising that a large number of hospitality organizations have a laissez faire attitude toward breaches. On average, companies report that data breaches cost about $150 per stolen record. When you amplify that cost by hundreds of thousands, or millions, of records, it’s clear that it pays to invest in better information security policies and protocols.
- Reinvent Policies and Protocols to Protect Information Security
With customer loyalty and the bottom line at stake, hospitality companies must have processes in place to protect sensitive and confidential data. However, nearly one in three (31%) say they don’t have a policy in place for storing and disposing of confidential information on end-of-life electronic devices, and 19% don't have a policy for storing or disposing of confidential paper documents. Although this is alarming for consumers who trust these brands with their information, it does give these companies the impetus for policy implementation in order to better protect information for the future.
The information customers provide to hospitality companies can include drivers licenses, passport copies, credit card information, rewards numbers and more. All of this physical information must be protected with the same priority as online information. Implementing policies for document destruction and storage is the first step in creating a more secure line of protection for customer information. For example, hotels can implement a Clean Desk Policy, or a policy determining how employees should leave their desks or working spaces while they are not there. Workspaces (including computers) should be clear of all documents containing sensitive information, as well as non-essential documents. For hotel staff, this may mean keeping up the habit for the front desk or even a table in a back office and locking up any sensitive information for further protection. This policy not only protects against the potential for physically stolen information, but also visual hacking.
- Implement Robust Employee Training Programs
In order to build out the training programs needed to help employees understand the importance of information security, the policies we discussed above must first be in place.
Two in five (41%) hospitality businesses believe it’s likely their organization will experience a data breach in the next five years, and 44% believe the source of that breach will be human error or accidental loss by an employee or insider. That said, there’s no question employee training is essential for preventing data breaches. However, nearly a fifth (18%) of hospitality companies only train their employees once during their employment on how to identify common cyber-attack tactics such as phishing, ransomware and other malware. Furthermore, a quarter (25%) don’t provide this training at all. Additionally, 27% percent of hospitality businesses train their staff only once a year on the organization's information security policies or procedures and another 14% never train their employees, or don’t have any policy in place.
Creating a variety of training programs that all staff (from managers to maintenance) must participate in, and continuing that training as an ongoing program, will help employees fully grasp the gravity of these policies and remember the specific actions they need to take. Additionally, catering to different learning styles through a variety of training formats such as workshops, online courses, on-the-job training, etc., will help to ensure all staff members are committed to developing a culture of security.
Although some hospitality organizations are not approaching data breaches with the care they need, the good news is that 93% of hotel owners feel they need to do more to show employees and consumers how they are protecting information. By fully understanding the connection between security policies and consumer trust, reevaluating security protocols and implementing employee training programs, hospitality companies can better prove to their employees and customers that they are serious about protecting their confidential information.
- About the Author
Ann Nickolas is SVP at Stericycle, the provider of Shred-it information security solutions, where she oversees new business development and account management for customers in the commercial, health care and government verticals. Nickolas helps businesses secure their confidential information with products, services, policies and training that help protect them from the risks, fines, penalties and loss of revenue that come with an information breach.