Travel season is here, and the hotel industry remains a profitable target for hackers looking to sell personal identifiable information on the dark web. With the tremendous increase and steady stream of sensitive information across hotel networks, it is all-too-important that hotel operators establish a clear and secure information storage and disposal plan. Hotel Management and Ann Nickolas-Shred-It, point out key elements to address to help you minimize risk.
Upwards of 88 million travelers are hitting the road this summer, and the risk of cyber attacks remains a concern for the entire hotel industry. Photo credit: Getty Images/ChakisAtelier
An anticipated 88 million Americans are planning to take family vacations this year, and there is no sign of travel slowing down, with 27 percent of traveling families planning to take three or more vacations within the next 12 months—a 12-percent increase from 2016.
However, with increased travel comes heightened security threats to the hotel industry. Hotels are responsible for processing and protecting a range of sensitive customer data from driver’s licenses to credit card information to passports and more, which means it’s important for hotels to have existing security strategies in place to ensure that staff are adequately prepared to handle an influx of sensitive data during the busy season.
To ensure information security for guests and prevent breaches from happening within the hotel, there are important aspects managers need to consider, but are likely overlooking. Here are three things to keep in mind:
1. Knowledge is Power—Have a Strategy in Place
The hospitality industry is known for its high employee turnover—a rate of 66.3 percent according to U.S. Bureau of Labor statistics—and this can hinder front-line defense. Furthermore, insider misuse was one of the top three security threats in this sector last year, stressing the need for an increased awareness around data security.
Managers can help establish a continued culture of information security by developing an all-encompassing data security plan that details how employees should handle the sensitive information they interact with on a daily basis. Offering ongoing training opportunities for employees at all levels of the business, from housekeeping to management to operations, is essential to embedding these principles into everyday work behaviors and protocols.
Without a strategy, your hotel’s guest information could be compromised. Photo credit: Getty Images/scyther5
Conducting regular info sessions, especially for new employees, is a great rule of thumb to ensure that new hires are immediately aware of hotel security standards. Regular training sessions will also serve as an opportunity for seasoned staffers to refresh their knowledge. Leadership should also implement regular review procedures to identify any issues and ensure that sensitive information is being handled properly in daily functions across the business, both in client-facing and behind-the-scenes interactions.
Employee training will help hotel leaders communicate how staff can proactively protect the security of the business – whether it’s through instituting a clean desk policy for the front desk and managerial offices, or teaching employees what type of guest information, if left improperly stored or disposed of, can lead to a breach. Additionally, hotel leaders should implement a best practice guide that details what employees should do when hotel staff find confidential information left by guests in hotel rooms—from old boarding passes to credit card receipts, guests often leave sensitive information behind without knowing the associated security risks.
Another important risk hotels need to consider is their interaction with external vendors including airlines, car rental companies and retail organizations. It’s critical to make sure employees are vetting all third-party partners—which become access points to personal information belonging to both the hotel and its guests—and ensuring that they are equally prioritizing data security. Treat external vendors like internal employees and be diligent in checking the security practices of both existing and potential vendors to be sure that they are reliable partners. For example, hotels are increasingly demanding that third party partners become Payment Card Industry (PCI) compliant—the PCI Security Standards Council fights hotel credit card fraud by maintaining global payment card industry standards. Before sharing any sensitive information or partnering with an external organization, this is just one element to check for.
2. GDPR is Here, and There are Legal Consequences That Hotels Could Face
Hotels are largely impacted by the new General Data Protection Regulation legislation as they process the personal information of visiting European citizens. What’s more, hotels are considered financial institutions when they are collecting and storing customer’s financial information. This means that hotels will have a responsibility to their customers to follow legislative guidelines to protect against unauthorized access to the personal information of their guests.
It’s helpful to develop a detailed security policy handbook that can be used as a reference for all employees, especially outlining details of GDPR legislation. An information security handbook should not only detail best practices related to upcoming legislation, but also identify existing regulations impacting the industry. There are a range of rules and regulations that hotels need to be mindful of—the Gramm-Leach Bliley Act, Sarbanes-Oxley Act and Fair and Accurate Credit Transactions Act are just a few privacy laws that apply in this sector, and the employee handbook could serve as a useful resource to house this information and for continued reference.
As it relates to GDPR, this literature should articulate that any employee who obtains information from EU residents must keep a record of the category of data collected/received, and document how long the data has been stored before being securely destroyed. With that, this guideline should detail the safest information storage and destruction methods for this data, in both physical and digital formats.
Protecting physical security risks, such as credit cards, is also imperative. Photo credit: Getty Images/Jirapong Manustrong
3. Don’t Forget About Physical Data
Hotels around the world have been in the spotlight due to high profile data breaches, and while many hotels have increasingly invested in digital security strategies to combat this, physical data is often overlooked. Meanwhile, as Europay, MasterCard, Visa smart payment chip card processes are increasingly adopted, attackers are looking to target hotel reception desks where the concierge will often write down phoned-in reservation information. Still, the paper trail of sensitive information that hotel guests and employees generate is not always considered to be as risky as computers and devices containing digital data and, as a result, many hotels do not have a physical security plan in place to prevent and protect from the threat of negligent employee behavior.
The first step toward establishing a culture committed to data security is to identify your hotel’s information security strengths and weaknesses. Confidential information can be found in unassuming places—think printers, waste bins, messy desks and storage bins. It’s helpful to conduct a walkthrough of your space and identify these potentially threatening locations, as this will help locate pain points and solidify an information security strategy to keep all forms of data secure and mitigate risk.
Hotel leaders should work with staff to identify a document management process and timeframe that details how to securely organize physical documents for storage, retrieval and record-keeping. Implementing a document management process that identifies a lifespan for physical documents will help employees to quickly and efficiently determine which documents should be stored and which need to be securely discarded. Materials that need to be filed should be stored and locked in secure filing cabinets while all other items should be properly shredded before being thrown away.
At the end of the day, widespread damage can make or break a business, especially in the hospitality industry when consumers have limitless options to choose from. Beyond the associated costs—the total organizational cost of a data breach in the United States is estimated to be $7.35 million—hotels that experience a breach will inevitably face a loss of reputation, revenue and even legal consequences. It’s necessary to consider these steps to establish a secure environment for staff and guests, especially during travel season when an influx of data will be under your watch.