Assured Cyber Protection (ACP)
Partner Content
Assured Cyber Protection (ACP)
This content was paid for by Assured Cyber Protection (ACP) and produced in partnership with the Financial Times Commercial department.

Hotel systems could be playing host to unwelcome cyber guests

The hospitality industry is all about providing a warm welcome to strangers – but experts say cyber intruders must be treated with reservation

Hotel groups celebrating a return to pre-pandemic booking levels should beware of one particular group of visitors, experts have warned. Cyber criminals targeting the sector pose a greater threat than ever, thanks to the growing array of technologies made available to customers. “Older five-star hotels are digitally transforming,” says Mitchell Scherr, Chief Executive Officer at Assured Cyber Protection (ACP). “Everybody’s looking to upgrade [their digital technology]. Five-star hotels want their customers to have the best experience and so are more likely to adopt the latest technology without considering the security implications.”

An eagerness to create an inviting hi-tech environment for guests could also create opportunities for cyber attacks, Scherr says. Cyber criminals can get into hotel IT systems via digital endpoints such as closed-circuit television cameras or point-of-sale devices. Or, in many cases, they simply get invited in by staff. Trained to serve customers, a concierge might not think twice about plugging a would-be client’s pen drive into the hotel computer to help print out a document. “Then I’m in the system,” says Scherr. “I can do whatever I want.”

In most cases, however, hackers can break in without even visiting the hotel. The most prevalent form of cyber attack in hospitality is phishing, where hackers encourage an unsuspecting computer user to click on a link that appears legitimate but gives the criminal access to the user’s systems.

Hotel staff are susceptible to these kinds of attacks not only because they may be contacted by a wide range of customers using diverse digital channels, but also because many workers are young and relatively inexperienced. Annual staff turnover of 20 per cent isn’t unusual, according to Scherr. With cyber security low on the list of training priorities, and most employees caring little about their long-term job prospects, it is asking a lot for workers to pay attention to every email they receive.

Hackers are getting smarter and sophisticated, and we need to stay ahead [...] That starts with protecting guest data

Filip Boyen, ex-CEO, Forbes Travel Guides

Furthermore, if a breach occurs then it will not usually be obvious for a while. Hackers go undetected on a system for an average of six months, Scherr says. In one notorious case, the Marriott hotel group was subject to a breach in 2014 that was not discovered until 2018. Elsewhere, the first notice of a breach may come when systems shut down. In October 2021, Meliá Hotels International, one of the biggest hotel chains in the world, suffered a reported ransomware attack that took down its Spanish reservation system and public websites for several days.

“Cyber security is really important to us because we rely on software to operate,” says Jay Gauer, General Manager at the Hôtel des Trois Couronnes in Vevey, Switzerland. “If we were to have a breach, or if we were not to be able to rely on our operational systems, we could not function normally.”

Even more than the impact on operations, data breaches can dent a hotel’s reputation through the loss of sensitive or personally identifiable information. Hotels typically hold personal details ranging from passport and credit card numbers to, increasingly, facial recognition patterns and healthcare information. And this information can sometimes relate to high-profile people, such as political leaders.

“Hotels are taking cyber security more seriously, but a lot needs to be done,” says Filip Boyen, ex-CEO of Forbes Travel Guides. “We know hotel guests feel that hotels are not investing enough in cyber security. Hackers are getting smarter and more sophisticated, and we need to stay ahead. We promise our clients a safe and memorable experience and we need to keep that promise in every way. That starts with protecting guest data.”

To make sure it does not go astray, Scherr recommends security checks that go beyond typical cyber defences – such as firewalls and antivirus systems – and look at human factors, as well. One technique is to simulate a phishing attack and see which members of staff get taken in. “We get an idea of who falls victim,” Scherr says. “Better that the good guys do it than the bad guys. The overriding risk is really associated with the staff, and they are also the first line of defence.” Hospitality is ostensibly a people business so, if you are designing a strategy to ward off hackers, it arguably makes sense to start with your team.

Find out more about Assured Cyber Protection (ACP)

Related Content