Here’s a sobering stat. Two-thirds of hotel websites leave guests’ personal data exposed to hackers.
However, this is not new knowledge! Just think back to the 2018 headlines of Marriott’s epic data breach of some 500 million guest details. There’s been a raft of high-profile data breaches in the hotel and travel sector in the last year.
With hotels dealing with highly personal data – from payments to passports – they are prime targets for hackers looking to exploit weaknesses. However, criminals aren’t the only threat hotels are dealing with. Here we explore those threats and offer tips to keep your organisation, staff and guest data safe.
Hackers target small hotels too
While large-scale hacks may be getting front-page attention, it’s important to note that it’s small and medium-sized businesses that hackers target most often. In October 2018 Hiscox reported that UK small businesses are being targeted with an average of 65,000 attempted cyber attacks every day.
It’s precisely their size that makes them attractive – smaller businesses are unlikely to have teams of cyber security experts on hand, and are more likely to have missed major holes in their data protection processes, technologies and training.
While small businesses might not have the resources to hire a cyber security team, there are standards, tools and certifications that not only protect systems, but show customers you take their data privacy seriously.
In an era of growing digital mistrust, it’s not only data you’re protecting by taking defensive steps, it’s your reputation.
The threat from within…
In 2018 it was reported that half of data breaches actually come from within the organisation itself: employees, third-party suppliers and partners.
Usually such accidental breaches can be attributed to a lack of training and poor data protection policies. Unfortunately, with GDPR now in full effect, you can’t get away with saying ‘oops, sorry’.
Insider mismanagement will fall just as foul of the regulations as poor cybersecurity defence against criminal breach.
Tips and tools for small hotels tackling data breach
1) Know your weaknesses
No one can truly defend themselves if they don’t know where their weaknesses are. The first step in any defence strategy is to take an objective view of weak links, whether that’s unpatched technology, incomplete processes or untrained staff. A data protection health-check from an independent third party can give you a true picture of your position.
2) Make use of automation
People make mistakes, especially where time and resources are in short supply. Using automated processes removes a lot of risk while providing auditable trails – an essential part of GDPR compliance that many forget to consider.
Despite a vast array of tools available to help streamline and simplify data protection processes, many small businesses still rely on outdated systems like Excel to manage databases. Where more sophisticated tools are used, they are not being taken full advantage of, or businesses may be paying for services they do not use or need. It’s healthy to review your tools regularly to make sure you are getting the most from them.
4) Make training more than a tick box
With employees often the weakest link in your defences, it’s essential not only to train staff, but to actively engage them in data protection. This means committing to more than thirty minutes of tick-box training. It means instilling a culture of data awareness through regular communications, refresher training and leading by example.
Importantly, it means putting each person’s role into context. Team-specific training can help focus employees on the particular issues they might encounter, and explain the potential consequences of sloppy practice.
5) Demand more from suppliers and partners
Under GDPR, organisations have responsibilities to ensure that suppliers who deal with customer data comply with the regulations. Rather than take their word for it, demand evidence from third parties you entrust data to.
There are schemes such as the UK government’s Cybersmart accreditation and the international ISO 27001 certification that provide this kind of evidence. In fact, 73% of organisations report that they have had customers enquire about their ISO 27001 status, with 40% of new business contracts and tenders demanding it.
Make competitors your allies in the fight against data breach
While hoteliers work in a competitive industry, there are no winners if we don’t work together to stem data breach and poor data protection practices. It is no good rubbing hands with glee if a competitor gets busted – next time it might be you.
With a complex range of policies, practices and regulations to contend with, it can be a constant battle to ensure your defences are strong. The good news is there are tools and expertise available to do the hard work for you.
If, as an industry, hoteliers can work together to shore up defences, then hotels will no longer be an attractive prospect for hackers, and internal standards will be raised across the board.