Managing cybersecurity as a hotel operator.

So, why are hotels targeted?

In short, hotels collect, store and process a huge amount of information and personal data on their guests, customers, meeting delegates, staff, partners, vendors, etc.
The hospitality industry has seen a growth in the number of cybersecurity and data privacy concerns, with some recent high-profile data breaches.

The most recent and one of the largest was the breach at Marriott International in November 2018. This breach of the Starwood customer database exposed information on up to 500 million guests who had made a reservation at a Starwood property.

Cyber criminals are looking to steal personal information and possibly combine it with other data to carry out identity theft, hacking and other malicious activities.
A hotel is a hive of activity night and day, from guests checking in and out, delegates arriving for meetings and public areas full of people, to customers dining at restaurants and hotel staff starting and finishing shifts.

An environment that is difficult to control

The 2018 Verizon Data Breach Report, an analysis of more than 53,000 confirmed security incidents and more than 2,200 data breaches globally (that were officially reported), showed evidence of a growing number of hospitality companies being targeted.

The hospitality sector is as likely as many other sectors to make the common mistake of believing that a business is too small to be considered a target for a cyberattack.

Why hotels?

It is common knowledge that the hospitality industry has been a slow adopter of and investor in new technology.
It is a mature business sector, one that has been around for many years, and continues to grow steadily through the increase of tourism and a buoyant corporate travel market.

Global travel industry gross bookings reached $1.6 trillion in 2017, making it one of the largest and fastest growing sectors in the world.
The priority of many hotel operators has been to minimise operating costs and grow margins. The majority of operators manage as best they can in a cyclical market, trying to flatten out the effects of boom and slump, peak and off-peak demand.

Investing in internal systems and new technology can be difficult to justify when it is not easy to immediately demonstrate an ROI.

This means that many hotels continue to utilise legacy systems and are slow to patch or update even the systems they do use. And it’s this lack of a robust security infrastructure that makes hotels an easy target for hackers.

Most hotel operations:

  • Are underfunded when it comes to cybersecurity defences
  • Lack the specialist knowledge on how to manage threats
  • Don’t invest in adequate staff training on how to spot and deal with threats
  • Don’t have a cybersecurity mindset
  • Allow staff to use their own devices at work without detailing the do’s and don’ts of a BYOD (Bring Your Own Device) policy
  • Hold and process significant personal and financial information

The majority of cyber-attacks are automated and indiscriminate, exploiting known vulnerabilities within IT systems.
It can be bad enough as an operator to be hit with the “clean-up costs” of taking remedial action following a cyber-attack, but there is also reputational damage and revenue loss.

Worse still, if a hotel is part of a corporate brand, there is also the scenario of a hacker being able to access a corporate network and cause havoc with multiple other hotels linked to the network.

In the past, data breaches may have gone under-reported to avoid reputational damage, but with the introduction of the GDPR in May 2018 this will be difficult to do, as there are regulatory consequences of a breach.

As an operator, there are many variables that are challenging to control and manage that contribute to the risk of a cyber-attack.

Hotels need to create a culture of security

Modern technology has brought huge benefits in terms of growing the number of distribution channels and fueled the digital transformation of how customers buy online in a connected world.

Hotels may already be concerned not just about their compliance requirements (PCI) for payment and credit card transactions but also about malware and the threat of having assets held for ransom.

Staff play a critical role as the first line of defence in flagging up and dealing with suspicious activities.
Employees, whether full-time, part-time or agency staff, need to understand the value of keeping sensitive information safe, including using strong passwords and protecting personal data.

When you start out on preparing a cybersecurity plan for your hotel operation, there are practical controls that you can put in place to defend your business, remove any ongoing threats, address any gaps in your security and prepare for the worst.

Cybersecurity checklist:

  1. Keep up to date with what is happening in the industry, the common risks and threats.
  2. Keep in touch with suppliers, customers and experts on the latest trends and technology.
  3. Encrypt data and ensure good password hygiene.
  4. Get employees to participate in cybersecurity training.
  5. Get up to speed with the GDPR and its implications.
  6. Manage and limit the access of staff, third-parties and contractors to your IT equipment, systems and business applications.
  7. Audit your level of security regularly.
  8. Look to remove any outdated software or hardware as soon as possible.
  9. Review system access for new staff and make sure you remove staff access when they leave.
  10. Would you know if your IT system was compromised?
  11. How are you promoting a cybersecurity culture at the hotel?
  12. What would you do if you were breached?
  13. Do you have a cyber-attack drill ready to be implemented if required?
  14. What measures have your third-party vendors taken in keeping your data secure?
  15. Do you know where your data is and who can access it?

Cybersecurity trends for the hospitality industry

Legacy systems

Legacy systems top the list because their lack of security infrastructure makes them easy to breach.

One major reason why computer systems and networks become insecure is that the technology itself has become outdated and cannot be updated. If you have old hardware, it needs to be decommissioned rather than left in service where it may be providing an open door into the network.

Smart technology

Modern technology has brought huge benefits to the hotel industry, in terms of increasing operating efficiencies, cutting costs and improving the guest experience.

Many hotels have their HVAC controls, Wi-Fi, alarms, lighting, security cameras, entertainment systems and electronic doors all connected and controlled via the internet.
Each of these smart items provides a potential route into a network, leaving it vulnerable to attack.

Passwords and training

Many breaches occur because employees keep the same password for multiple applications.
Or staff take shortcuts with easy passwords, which a brute-force attack on an IT system may be able to crack.

A security culture

To keep on top of the threat of cyber-attacks, hotels need to ensure staff are knowledgeable about the risks and understand the important role they play.
For a security regime to work, it cannot be perceived as an obstacle to productivity. It's important that the processes and technology combine to enable users to be productive and safe.

Taking care of your business

Happybooking loves happy customers and they do their very best to help every customer to be satisfied and have a safe system to use.
Security is Happybooking’s number one concern, so they have invested a lot of effort in reducing the security risks and continue to update the system all year round.

They do not save credit card information, they carry out backups to the servers hosted in a secure location, and they employ secure encrypted access with SSL (HTTPS).

Happybooking is first and foremost a property management system (PMS). That means they help you with the admin and automate tedious tasks freeing up time for you to focus on a positive customer experience.
On average Happybooking customers can get back up to 10 hours per week – think what you could do with that extra time!
Happybooking have always focused on creating a user-friendly booking system to help property owners improve their revenue performance.
Check out how easy the Happybooking system is: open up a free trial account.

Our guest blogger is John Kennedy. John is a hospitality consultant, dedicated to helping increase profits through marketing, revenue management and efficient operations.
