There are many examples of cybercrime impacting the hotel and lodging industry. A particularly notable incident occurred in September 2022, when a prominent UK-based multinational hospitality company experienced a significant cyber-attack that led to a two-day outage of their online booking system. The financial impact of this attack was substantial, with the company facing immediate operational disruptions and long-term reputational damage.
While the exact figures were not disclosed, the average cost of a data breach in the hospitality industry is estimated to be around $2.94 million. Another example took place in September 2023, when an attack on a hotel and casino company was carried out by a Russian ransomware group. The company affected by this attack estimates the attack had a negative impact of approximately $100 million. These examples underscore the critical need for robust cybersecurity measures in the hotel and lodging industry.
Hotel and lodging companies are particularly vulnerable to cyber-attacks due to the vast amounts of sensitive customer data they handle, including payment information, personal identification details, and travel itineraries. Cybercriminals target this data for financial gain, identity theft, and other malicious activities. To mitigate these risks, hospitality companies must adopt comprehensive cybersecurity strategies.
Essential Cybersecurity Strategies
Implement Strong Access Controls
- Multi-Factor Authentication (MFA): Require MFA for all employees accessing sensitive systems and data. This adds an extra layer of security beyond just passwords. An example of multi-factor authentication would be requiring employees to access sensitive data using a unique password, as well as entering a random code sent to the employee’s phone via text message. MFA also helps comply with Payment Card Industry Data Security Standard (PCI DSS) and avoid potential fines and legal costs.
- Role-Based Access Control (RBAC): Limit access to sensitive information based on an employee’s role within the organization. Ensure that only authorized personnel can access critical systems. This can reduce security incidents by up to 50% and compliance-related issues by 40%.
Regular Security Training and Awareness
- Employee Training Programs: Conduct regular cybersecurity training sessions to educate employees about the latest threats and best practices for avoiding phishing scams, malware, and other cyber risks.
- Simulated Phishing Attacks: Periodically test employees with simulated phishing emails to gauge their awareness and improve their ability to recognize and report suspicious activities.
- Robust Data Encryption: Ensure that all sensitive customer data, both in transit and at rest, is encrypted using strong encryption protocols. This makes it more difficult for cybercriminals to access and exploit the data.
- Secure Payment Processing: Use secure payment gateways and comply with PCI DSS requirements to protect payment information.
Incident Response Planning
- Develop an Incident Response Plan: Create a detailed incident response plan outlining the steps to be taken in a cyber-attack. This should include roles and responsibilities, communication protocols, and recovery procedures.
- Regular Drills: Conduct regular incident response drills to ensure that all employees are familiar with the plan and can respond effectively during an actual incident.
Review Technical Controls
- Regular Software Updates and Patch Management:
- Regularly update all software, including operating systems, applications, and security tools, to protect against known vulnerabilities.
- Implemented automated systems to manage and deploy patches across the organization, ensuring that all systems are up to date.
- Network Security Measures:
- Deploy firewalls and Intrusion Detection Systems (IDS) to monitor and protect the network from unauthorized access and malicious activities.
- Segmented the network to limit the spread of malware and restrict access to sensitive areas of the network.
- Penetration Testing: Performing penetration testing (a simulated cyber-attack on the network) can uncover security weaknesses and provide insights on how to fix them before they can be exploited by real attackers.
Third-Party Risk Management
- Vendor Assessments: Conduct thorough security assessments of third-party vendors and partners to ensure they meet the organization’s cybersecurity standards.
- Contractual Security Requirements: Include cybersecurity requirements in contracts with third-party vendors to ensure they adhere to best practices.
- Cybersecurity Insurance: Cybersecurity insurance helps cover the costs associated with data breaches, ransomware attacks, and other cyber incidents. This can include legal fees, customer and vendor notification costs, and even ransom payments.
The hotel and lodging industry must prioritize cybersecurity to safeguard sensitive customer data and maintain operational integrity. The recent cyber-attacks on prominent hospitality companies underscore the severe financial and reputational consequences of inadequate security measures. By implementing comprehensive cybersecurity strategies, including strong access controls, regular training, robust encryption, timely updates, and thorough incident response planning, hotels can significantly reduce their vulnerability to cyber threats. Investing in these measures not only protects valuable data but also enhances customer trust, ultimately providing a competitive edge in the industry.
About Withum
Withum is a forward-thinking, technology-driven advisory and accounting firm, committed to helping clients in the hospitality industry be more profitable, efficient, and productive in the modern business landscape. For further information about Withum and their cybersecurity, digital advisory and hospitality services teams, contact Lena Combs or visit our Hospitality Services page.
Authors: Lena Combs, CPA, CGMA, Partner and Hospitality Practice Leader | [email protected] and Timothy Houmes | [email protected]
Contact Us
For more information on this topic, please contact a member of Withum’s Hospitality Services Team.
