With significant financial transactions and extensive databases of personal, sensitive data, hotels and hospitality venues are a treasure trove of valuable customer information. Consequently, it comes as no surprise that hospitality has been found to be one of the industries most susceptible to credit card breaches.
Trustwave SpiderLabs' study of global data breaches revealed that hospitality industries are particularly vulnerable to attack. In 218 investigations spanning 24 countries, 38% were in hotels – and almost all involved stolen credit card information.
While it’s vital that hotels and hospitality venues adopt the cybersecurity practices needed to keep data secure and protected from malicious attacks or unauthorised access, it’s not always easy to know where to start or how to keep up with the latest types of attack, as cybersecurity threats become increasingly sophisticated.
Keep reading to find out how hotels can implement cybersecurity practices to help protect against malicious attacks and access to sensitive customer information.
Data security in hotels and hospitality venues
The Ponemon Institute's study on data breaches in the hotel industry found that the average time it takes for a hotel to detect a breach is 200 days. This means that, on average, a hotel may not know it has suffered a breach for nearly seven months. This prolonged detection time can significantly damage a hotel's reputation and increase its financial losses.
The same study found that the average time to contain a breach in the hotel industry is 70 days. This means that, on average, it takes a hotel 70 days from the time it detects a breach to stop it from spreading. This is an important metric, as the longer a breach persists, the more damage it can do to the hotel and its customers.
The study highlights the importance of having strong cybersecurity practices in place and regular security audits to help detect and respond to data breaches as quickly as possible. This can help minimise the impact of a breach and protect both the hotel and its customers.
Most common cyberattacks
Across the hotel and wider hospitality industry, Distributed Denial-of-Service (DDoS) attacks are on the rise. This attack involves flooding networks or services with vast amounts of data traffic to disrupt normal operations within an organisation. Victims may even face extortion demands after a DDoS attack, making these incidents all the more serious. Investing time in understanding potential vulnerabilities and strengthening defences against malicious incidents could help protect your business from costly disruptions or infringements caused by online security risks.
To protect against DDoS attacks, hotels can invest in technologies and cybersecurity practices that help recognise legitimate traffic spikes, reject bad traffic, and keep systems updated with the latest security patches.
Hotels are also increasingly vulnerable to DarkHotel hacking, a highly targeted form of cyberattack that attempts to gain access to sensitive information from key business travellers. The attack is hard for hotels alone to detect and prevent; however, an understanding of the threat can enable both hotels and their guests to take steps toward better protection. With DarkHotel hacking, attackers typically exploit hotel Wi-Fi networks by monitoring guests' travel plans and then use forged digital certificates to convince victims that ‘software updates’ are available, when the downloads actually contain malicious code.
To protect against DarkHotel hacking, hotels are advised to encourage guests to use a virtual private network (VPN) when conducting business that exchanges any personal data, and to be vigilant about double-checking any update pop-ups (updates should be downloaded directly from the vendor's website).
Spear-phishing is a targeted attack that uses the allure of familiarity to gain access. Cybercriminals research their targets and construct malicious emails that appear to come from people within the victims' networks, tempting them with links or attachments. If the victims proceed, attackers can exploit user information while remaining undetected. It's an insidious approach that relies on social engineering tricks and takes advantage of our natural inclination to trust what we already know.
Protecting your systems requires constant vigilance against this kind of threat; understanding the risks posed by these digital spears leaves your venue better equipped to defend itself proactively.
Most effective hotel cybersecurity practices
Verification & review processes
Security breaches at point-of-sale systems continue to increase dramatically, with 91% of security compromises being attributed mostly to Card Not Present (CNP) fraud. To protect against CNP crime, hotels can stick to a few consistent practices, including:
Fraudsters may contact hotels wanting immediate verification and confirmation of accommodation. It’s important for hoteliers to take time and adequately verify identification, including credit card, passport, and other relevant documentation.
Reviewing first-time purchases
Large, first-time transactions can sometimes be a sign of fraudulent activity. If hoteliers have suspicions about a transaction, they are encouraged to make contact to verify legitimacy and confirm identification.
Being aware of inconsistencies
When a guest’s billing and shipping addresses don’t match, it can be a red flag that something is awry. This warning holds especially true in the travel industry where contactless transactions are on the rise.
Protect point-of-sale systems
Protect your infrastructure from potential malicious attacks by investing in the most up-to-date cybersecurity solutions. Ensure encryption and anti-virus software are on all devices, plus firewalls to guard against point-of-sale threats. Hotels can further protect against payment cyberattacks by:
Training all employees on best cybersecurity practices and risks
Hiring specific data security experts
Using end-to-end encryption
Installing and updating antivirus software
Avoid shared email accounts
If a password to a shared account is accidentally exposed, the risk of damage to a hotel becomes far greater than if a single account has been compromised.
Use multi-factor authentication
Multi-factor authentication adds a layer of cybersecurity to accounts even if passwords are discovered. It requests extra information that only a single user can provide, such as a code sent to a mobile device or a personal answer to a question.
Protect your venue and your guests
By implementing these cybersecurity practices, your venue can ensure it’s doing everything it can to protect against online threats.
These efforts not only protect customers' data but also provide a sense of safety and security that will make any hotel or hospitality venue an attractive option in the eyes of potential visitors.