Robust Cybersecurity: An Essential Piece of the Modern Hotel Tech Landscape
By John Bailey, Chief Financial Officer, Prism Hotels & Resorts | April 12, 2020
From sophisticated revenue management software to mobile room keys and other guest conveniences, technology is a hot topic in the hospitality sector. Hotel owners and operators are understandably optimistic about the disruptive potential of new tools and technologies that could enhance the guest experience and help management professionals make smarter, more sophisticated and more strategic decisions.
But there is a flip side to the tech revolution in hospitality: new conveniences and efficiencies come with new exposures. In a connected environment where more sensitive information is digitized, hackers and other bad actors can do damage on a scale that keeps cybersecurity experts up at night. Security infrastructure and best practices are getting better all the time, but so are the bad guys. In an ongoing battle to stay ahead of creative new criminal schemes and increasingly sophisticated cyber-scams, some hotels are behind the curve.
Hacking is so lucrative and so prevalent that unscrupulous individuals or entities can even subscribe to professional hacking services through a software-as-a-service model on the dark web. The notorious Emotet malware, a banking trojan designed to steal sensitive data, is just one example of the kind of institutionalized cyber-crime that hotels need to be aware of. Hotel owners and operators need to be especially alert, as the hospitality industry, with its vast stores of personal data, is reportedly second only to the retail sector in the number of annual cybersecurity breaches.
Stories from around the industry are sobering. They range from near misses, where malware is found on workstations during a remote scan, to eye-opening examples like a professional sports team wiring literally hundreds of thousands of dollars for a reservation deposit to a fraudulent bank account. While there was, thankfully, a happy ending to the latter case, it's a startling example of the consequences that can result from a single employee mistakenly clicking on a link in an email and subsequently exposing her credentials.
In 2018, the world learned that the private information of an estimated 500 million hotel guests of a major international hospitality brand had been exposed. When the source of the exposure (which included personally identifying information like names, emails, and even passport numbers) was discovered, it turned out to be a reservation network vulnerability that had been facilitating unauthorized database access for years. The first incursion took place in 2014, and yet it took years before this damaging breach was discovered and remedied.
Even in cases where disaster is averted, the costs and potential disruption to brands, owners and operators can be substantial. In one recent example, a sales team for a major hotel management company lost nearly a month of productivity due to an attempted ransomware attack. Paying cyber-forensics experts to comb through hundreds or thousands of email accounts and tens or hundreds of thousands of emails to determine the source of an exposure can be an expensive and time-consuming process.