Keeping hotels safe and secure from cyber attacks is an endless and vital task that changes from day to day. At The Hospitality Show in June—presented by the American Hotel & Lodging Association and Questex, parent company of Hotel Management Magazine—insiders shared insights on how they are working to maintain high security standards and a high guest experience at the same time.
Kristen Dalton is director of strategic engagement, research & analytics at RH-ISAC, a membership-based association that brings retail and hospitality businesses together to share cyber-threat intelligence and mature their information security programs through research, working groups and events. As the panel’s moderator, she focused the conversation on the logistics of security, especially as an element of brand standards in a shifting brand environment.
Ken Haertling, SVP of global cybersecurity for Las Vegas Sands, noted that compared to other industries like retail, hotels have much more valuable personal identifiable information to attract cybercriminals. For example, international guests arriving at a property will frequently need to provide a passport or a national identity number. While a store may only have a customer’s credit card number and home address on file, a hotel could well have a guest’s social security number. “That data is exponentially more profitable,” he said.
Charles Fedorko, director of IT security at Sage Hospitality Group said that decreasing the risk around sensitive guest and employee data and increasing the security posture of the hotels, spas and restaurants the company manages can be complex. “When an ownership group comes to us and wants us to manage their property for them, we inherit a lot of risk,” he explained. A team may come onsite to find unpatched systems, unpatched firewalls and security tools that haven't been deployed. “Our job is to remediate that as fast as possible.”
Steve Bonilla, executive director of information security at Wynn Las Vegas, said that his team is seeing increased adoption of cloud and software-as-a-service technologies. “We have a lot of discussions around, ‘what is the data that our systems are generating? What level of privacy do we really need to apply to that? And where is it actually going?’”
Regulators, Bonilla added, are becoming more and more aware of the concerns around data privacy. “We're seeing regulations come out [because of] that.” For example, he said, New Jersey is strengthening cybersecurity notification rules and Nevada recently released updated regulations for breach notifications. “So the need to drive managing third-party risk is … a big part of the direction that we're heading in.”
A global company like Sands has properties with a number of verticals across a single resort, such as food and beverage, hotel rooms, casinos, malls and the hotel towers themselves. “The key for us is segmenting all that data,” Haertling said. At the company’s Macau property, each division is run as an “independent island,” he explained, that shares the bare minimum of data to other islands. “If one of our patrons is staying at Hotel X but [eating] at Food and Beverage Y and they want to [charge their meal to] their room, you don't really need to share their passport data, for example.” The Sands team “put a lot of technology out there” to make sure the bare minimum of data is being shared to enable the guest experience and not expose the customer's data from a privacy protection perspective.
Haertling lives by the mantra “trust, but verify” when it comes to cybersecurity. His team members talk with key partners who often have “well thought out” solutions—“but we just don't want to take it at face value,” he added. To confirm a partner’s credentials, they seek out an external assessment or certification that verifies the capabilities of the cyber program. “We typically will put in our contracts either a right to audit or at least some level of attestation there,” he said. “It keeps it a scalable model for our vendors: They can stripe that across a multitude of their customers. And for us, it really spares us the effort of having to go on it, but we will selectively go and assess them if they don't have that certification.”
Sage works with a number of different brands, Fedorko said, and as such follows a number of different brand standards and regulations. “Part of that is being a steward of the brand,” he noted. As a property switches flags or ownership, its leaders might decide to switch from an on-premise property-management system to one that is based in the cloud, or an owner might decide to add a check-in kiosk or a self-serve beverage station. “As a steward of the brand and a partner for these ownership groups, we have to roll with it and implement these services,” Fedorko said, joking that while adding a self-serve bar may sound like fun, the logistics can be a “sobering experience.”