IHIF's Road to Berlin: Protecting your asset from data theft

IHIF Road to Berlin

Asset security has never been more top-of-mind than it is right now. Multiple terrorist attacks on hotels have illustrated why physical security for guests and the property need to be of utmost importance to hotel operators and owners. This was dicussed in part one of our look at hotel security, which you can access, here.

In part two of hotel security, we turn to the cyber half, and how data breaches are becoming all too common in the hospitality space.

At IHIF in March, attendees will learn all about the threat, during a discussion on cyber security, date theft and privacy, led by Stewart Room, partner & global head of cyber security and data protection for PwC. His talk will pivot off this premise: With the international movement of data and the growing conflict between privacy and consumer demands, how do companies manage this cyber risk to their brand and reputation while protecting privacy? Are companies aware of the new EU laws coming into effect in this area?

Cyber insurance is fast becoming a consideration for the hospitality industry, particularly after Hyatt Hotels Corp.’s recent disclosure of a payment breach that impacted 250 hotels in approximately 50 countries, Starwood Hotels & Resorts Worldwide’s malware discovery at 54 hotels in North America late last year and Wyndham Worldwide suffering data breaches three times between 2008 and 2010.

“Hackers are growing increasingly sophisticated and no business can be considered immune. Planning for a potential breach is simply part of doing business today,” said Korin Neff, SVP and corporate compliance officer at Wyndham Worldwide. She recommends working with external resources such as forensic firms in preparation for possible cyber threats. “As important as it is to have a program in place to try to prevent cyber attacks, it is equally important to appropriately prepare for and respond to these threats,” she said. “Establish relationships with qualified external resources, and know who should be notified depending upon the specific facts and circumstances involving the potential threat.”

While partnering with a third party to secure data is an expense, the cost of a data breach can be exorbitant, especially in instances where a strategic response isn’t already in place, allowing the breach to reach crisis levels. “There’s real loss with a breach; resources and intellectual capital are stolen and those things have costs associated with them,” said Bill Stewart, EVP at strategy and technology consulting firm Booz Allen Hamilton and head of the firm’s commercial cyber security business. He points out that lawsuits and the propensity to grossly overspend on a new security program can also increase the price tag of a data breach.


Brand damage is also an issue. Along with payment details, cyber hackers who go after hospitality businesses may also be interested in the personal information that’s typically included in customers’ loyalty reward profiles. “There’s no panacea and no guarantee that a breach can be avoided, but you can increase your chances of not being breached,” he said.

According to Stewart, hackers often use the same techniques and exploitations. Defenses, then, should be configured accordingly. But that also requires knowing where a system’s vulnerabilities lie and the various types of malware that can potentially be used in an attack and then building capabilities that can minimize damage should an attack occur.

Protecting the access controls that automate a hotel’s physical functionalities, including generators, electricity and elevators, from malicious intent or control is yet another reason to onboard an outside firm that specializes in technology. “This isn’t limited to IT systems,” Stewart said. “Any type of hotel technology potentially needs to be defended.”

Should a data breach occur, law enforcement may need to be called upon if a crime was committed. Stewart also recommends having a law firm that specializes in cyber crime on retainer. “In my experience, companies that have a law firm [or consulting firm] on retainer do better financially than those without,” he said.