Weak Cybersecurity Defenses May Hinder Pandemic Recovery in the Hospitality Industry

When it comes to cyberthreats, 89 percent of polled hospitality IT decision makers said their organizations lack expertise, 83 percent said they lack resources, 71 percent said they lack the time to respond to threats, and 58 percent said they have insufficient training information.
cybersecurity lock

Now that customers are dining and traveling for business and pleasure once again, companies are seeking a path to full recovery amidst new variants. Restaurants, hotels, and others in the industry find themselves navigating a wide array of new challenges while trying to build back from months of lost revenue. These challenges include supply chain shortages and unprecedented labor market tightness, but also more familiar but rapidly evolving concerns, such as cyberattacks, which haven’t abated during the pandemic, but instead have increased in their complexity.

Like other industries, hospitality has become increasingly dependent on technology to manage the dizzying array of methods that cyber criminals have at their disposal, including advanced persistent threats (APTs), denial of service attacks, phishing, and ransomware, just to name a few.

Now, more than ever, cyber incidents have the potential to cripple organizations that are ramping back up from the depths of COVID. But as leaders across the industry seek to navigate these threats, our recent survey of more than 1,400 global IT leaders, including 235 hospitality decisionmakers, raised some red flags.

The Nature of Cyberthreats in Hospitality
According to our survey, APTs (advanced persistent threat) attacks are the leading cyberthreat to hospitality, impacting 49 percent of the organizations we surveyed, while 47 percent have seen incidents involving stolen credentials and 42 percent have experienced unauthorized exposure of data. And the threats extend well beyond companies own networks. While 61 percent percent of organizations have seen attacks on network/platforms, more than half (51 percent) say they are also managing attacks on web applications.

When asked about the root cause of these vulnerabilities, half of hospitality leaders surveyed cite the growing sophistication of threats and attack methods, while 42 percent say that the growth in data, digital operations and remote work have increased their exposure to new threats. Further, 36 percent say that sophisticated, well-funded adversaries, including state sponsored cybercriminals, still present a challenge. 

Industry Preparedness and Resource Challenges

Most worrying is the lack of confidence that hospitality IT leaders have in their ability to respond to cyberthreats, given resource and talent constraints. Only 44 percent said they can effectively respond to incidents or understand the nature of the threats they are facing, while fewer than half (41 percent) say they can mitigate threats in an increasingly complex IT environment where DevOps, faster release/delivery cycles, microservice application architectures, and hybrid/multicloud environments are commonplace.

Moreover, hospitality IT-decision-makers face severe cybersecurity talent and resource shortages. Over half (52 percent) of respondents identified recruiting and retaining cybersecurity talent and maintaining skills as a challenge. Eighty-nine percent said their organizations lack expertise, 83 percent said they lack resources, 71 percent said they lack the time to respond to threats, and 58 percent said they have insufficient training information. The greatest gaps in cybersecurity skills cited were in cloud security (34 percent) and network security (30 percent).

Identifying a Path Forward

When asked how they intend to fill cybersecurity skill deficits, 54 percent of hospitality companies said their internal training is effective for cybersecurity talent retention, while 38 percent said they will look to external recruitment agencies. But it’s increasingly clear that addressing cyber challenges is both an internal and an external job that requires coordination between companies’ IT team and third-party experts such as managed security service providers (MSSPs), managed detection and response providers (MDRs) and systems integrators. Going it alone is simply not an option.

As the economy continues to recover from its greatest shock in decades, hospitality organizations will need to remain vigilant and get more creative in addressing cyber vulnerabilities, despite stretched IT budgets and labor market pains. Third party providers are clearly poised to play a larger role, as is technology, including cloud-native security tools. Organizations should review their current investments and identify areas where they can more effectively use existing capabilities such as automation.

With labor shortages unlikely to make significant short-term improvements, the hospitality companies best positioned to emerge successfully from the pandemic will be those making the right external cybersecurity investments, while maximizing the efficiency of their internal teams.

*Most of the companies/organizations polled were founded before the year 2000, have from 101 to 999 employees, and an annual revenue between $50m and $1b.  They also have anywhere from 2 to 15 employees dedicated to cybersecurity and spend 5% to 15% of their IT budget on cybersecurity.


Gary Alterson


Gary Alterson is VP of Security Services at Rackspace. In this role he acts as GM for Rackspace’s security solutions focused on supporting digital transformations and cloud acceleration.

Previously, Gary led Customer Experience and Services Product Management at Cisco Systems where he built professional, managed, and support services addressing cloud security and advanced threats. At Cisco and at Neohapsis, a nationally recognized cybersecurity boutique consultancy, Gary and his teams were instrumental in transforming enterprise and government security programs to effectively address shifting business models, emerging technologies, and the evolving threat environment.

As a previous CISO and security architect, Gary has over 20 years experience on the front lines of security, protecting and responding to threats across multiple industries. Gary is often sought out to speak on secure digitization, cloud, and emerging technology security frameworks as well as enterprise security.

This ad will auto-close in 10 seconds