It is no secret that customer data is king in the hospitality industry, providing powerful insights to operators that enable them to create personal relationships with their guests. However, with great power comes great responsibility, and operators that leverage guest data must also ensure the safety and security of that data.
In the weeks leading up to May 25, 2018, there was a flurry of activity as restaurants and hotels scrambled to become compliant with the General Data Protection Regulation. For many, this was the first time they thought critically about what guest data they possess and how they should manage its protection in the context of privacy rights. Moving beyond that deadline, however, is really just the start of an ongoing journey that requires a diligent approach to the entire process of data collection, storage and usage. Data security is not just a box to be checked; it is a core component of any business strategy.
Data collection in a post-GDPR world
First and foremost, before operators can protect guest data, it is crucial that they understand what type of data is collected, where it is stored and how it is used. By taking stock of all the data companies collect, they can better identify the information that is most valuable to cybercriminals and pay special attention to securing that information.
There are three main types of data collected by hospitality operators: personal data, preference data and transaction data. Personal data includes guests’ basic information including name, date of birth and contact information. Preference data is tracked by hotels to understand what guests like the most, including room type, minibar go-tos, late check-out requests, etc. Finally, transaction data is collected through a point of sale, reservation system or payment-enabled service and may include bank numbers, credit card information and more.
Cybercriminals are most interested in personal information, like social security numbers, license numbers, and contact information, as well as transaction data and credit card numbers. Being aware of the most valuable information and knowing where it is stored is a crucial first step in keeping it safe.
Back to the basics of staff training
When a reservation is made by phone, that information is likely input directly into a software system that is accessible by many different levels of staff members. However, these employees may or may not have been trained on data security. When guest data is accessible by employees across the organization, operators need to start by examining who at the organization is handling the data, and what types of guest data they’re handling (e.g. credit cards, basic guest information, etc.). From there, they can segment who can access what information and put strict permissioning in place to lock down the sharing of more sensitive data.
One of the biggest, and easiest to exploit, sources of information leaks is employees exporting data from internal systems. Once data is exported and, even worse, shared through insecure channels such as email or unsanctioned cloud software, whether inside the company or outside it, the information is immediately at risk.
The first, and possibly most basic, guard against security leaks is to make sure every employee is trained and comfortable with the data they’re handling, and knows not to share that data through insecure or unsanctioned channels. Hotels can prevent this information from getting into the wrong hands by simply following the principle of least privilege — putting constraints on who can view vs. export data, and enabling multi-factor authentication for trained users who have access to internal data.
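The controls in the two paragraphs above (segmenting data by sensitivity, separating the right to view from the right to export, requiring multi-factor authentication before data leaves the system, and recording who did what) can be expressed as a small access-control layer. The following is an added example, not code from the article or from any hospitality vendor; the roles, field classes, sample guest record and audit-log format are all assumptions chosen to illustrate the principle of least privilege.

```python
"""Least-privilege access to guest records: view vs. export, field masking, MFA.

Added example, not code from the article. The roles, field names, sample
record and the audit log format are hypothetical; the point is the shape
of the control: permissions are granted per (action, data class), 'export'
is never implied by 'view', exporting requires MFA, and every decision is
logged so a leak can be traced to a person.
"""
from dataclasses import dataclass

# Hypothetical data classes, following the article's split of guest data.
DATA_CLASS = {
    "name": "basic", "email": "basic", "phone": "basic",
    "date_of_birth": "personal", "id_number": "personal",
    "card_number": "payment",
}

# Role -> set of (action, data class) grants. Nothing is implied: a role
# that may view payment data may not export it unless granted explicitly.
ROLE_GRANTS = {
    "front_desk": {("view", "basic"), ("view", "payment")},
    "finance":    {("view", "basic"), ("view", "payment"),
                   ("export", "basic"), ("export", "payment")},
    "marketing":  {("view", "basic"), ("export", "basic")},
}

AUDIT_LOG = []  # list of (user, action, outcome, fields) tuples


@dataclass
class User:
    name: str
    role: str
    mfa_verified: bool = False


def mask_card(pan: str) -> str:
    """Show only the last four digits of a card number."""
    return "*" * (len(pan) - 4) + pan[-4:]


def access_record(user: User, action: str, record: dict, fields=None) -> dict:
    """Return the part of `record` the user may receive for `action`.

    view:   unauthorised fields are dropped, card numbers are masked.
    export: requires MFA and every requested field must be exportable by the
            role; otherwise the whole export is refused (fail closed).
    """
    if action not in ("view", "export"):
        raise ValueError(f"unknown action {action!r}")
    requested = {k: record[k] for k in (fields or record)}
    grants = ROLE_GRANTS.get(user.role, set())

    if action == "export" and not user.mfa_verified:
        AUDIT_LOG.append((user.name, action, "denied: no MFA", sorted(requested)))
        raise PermissionError("export requires a completed MFA challenge")

    allowed, denied = {}, []
    for name, value in requested.items():
        cls = DATA_CLASS[name]
        if (action, cls) not in grants:
            denied.append(name)
        elif action == "view" and cls == "payment":
            allowed[name] = mask_card(value)   # viewers never see the full PAN
        else:
            allowed[name] = value

    if action == "export" and denied:
        AUDIT_LOG.append((user.name, action, f"denied: {denied}", sorted(requested)))
        raise PermissionError(f"role {user.role!r} may not export {denied}")

    AUDIT_LOG.append((user.name, action, "ok", sorted(allowed)))
    return allowed


# Constructed sample record (a well-known test PAN, not a real card).
GUEST = {"name": "A. Guest", "email": "a.guest@example.com",
         "date_of_birth": "1980-04-12", "card_number": "4111111111111111"}

if __name__ == "__main__":
    desk = User("dana", "front_desk")
    print(access_record(desk, "view", GUEST))          # masked card, no DOB
    try:
        access_record(desk, "export", GUEST)
    except PermissionError as err:
        print("front desk export refused:", err)
    fin = User("femi", "finance", mfa_verified=True)
    print(access_record(fin, "export", GUEST, fields=["name", "card_number"]))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design choices matter here. Exports fail closed: if any requested field is outside the role's grants the whole request is refused, rather than quietly returning a partial file that the employee then forwards. And the audit log records denials as well as successes, because a string of denied export attempts from one account is exactly the signal an investigator wants to see.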
Vendors are your first line of defense
In hospitality IT, there has recently been a dramatic shift from on-premises technologies to cloud-based software. With many cloud-native applications now running on smartphones and tablets that access data from outside a trusted network, new controls must be put in place beyond the traditional firewall. We are moving to a BeyondCorp world, as pioneered by Google, in which every application is responsible for its own security and access decisions are based on the identity of the user and the state of the device rather than on network location; in other words, companies must employ a zero-trust network security model.
This BYOD trend among employees presents a number of data protection and access challenges. However, with the rise of cloud access security brokers, companies can now extend the reach of their security policies, using these CASBs to ensure that traffic between managed and unmanaged devices and cloud-based software vendors follows the organization's existing policies, and that comprehensive audit logging captures user activity and behavior. While internal employee training on security procedures is imperative, operators must also consider outside factors when keeping guests' information secure.
The most important factor is choosing the right vendor to host your guest data, as this decision will determine how well protected that information is. There are a few things you should look for when choosing a vendor who will take data protection seriously.
To start, ask if their system is built on a major cloud such as Google or Amazon. These larger cloud players have the budgets to fund large teams dedicated to security, encrypt data throughout their platforms, and run some of the most physically secure data centers in the world. This is in contrast to smaller datacenter operators or self-hosted vendors, who will have to do more heavy lifting to achieve the same result at scale. Bear in mind, though, that the cloud provider secures only the underlying infrastructure; the vendor remains responsible for how its own application, configuration and access controls are built on top of it. If you choose a vendor with an unconventional hosting setup, you will want to spend more time on due diligence to ensure they have the right safeguards in place.
Even if the vendor uses a best-in-class cloud provider, be sure to ask about their commitment to Open Web Application Security Project design principles and their commitment to security at the application layer. Countless cloud applications are still subject to classic attack vectors such as SQL-injection attacks and XSS (cross-site scripting) vulnerabilities. Regular vulnerability scanning and penetration testing is key to mitigating these threats.
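The two attack classes named above are worth seeing side by side with their fixes, since they are the first things a penetration test of a reservation or guest-profile application will look for. The following is an added example, not code from the article or from any vendor's product: a reservation lookup written the vulnerable way and the safe way, plus the same pair for rendering a guest's name into a page. The table, rows and confirmation codes are constructed, and an in-memory SQLite database is used so it runs offline.

```python
"""SQL injection and XSS in a reservation lookup: vulnerable beside hardened.

Added example, not code from the article or any vendor. The table, rows
and confirmation codes are constructed; sqlite3 is used so it runs offline.
"""
import html
import sqlite3

# Constructed sample data. The third guest's name is hostile on purpose.
ROWS = [
    ("ABC123", "A. Guest", "1111"),
    ("DEF456", "B. Guest", "4242"),
    ("GHI789", "<script>alert(1)</script>", "9999"),
]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservations (confirmation TEXT, guest TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO reservations VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, code: str):
    """Concatenates user input into the SQL text: the classic injection bug.

    A guest who types  ' OR '1'='1  as their confirmation code turns the
    WHERE clause into  confirmation = '' OR '1'='1'  and receives every row.
    """
    sql = ("SELECT guest, card_last4 FROM reservations "
           "WHERE confirmation = '" + code + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, code: str):
    """Parameterised query: the value travels separately from the SQL text,
    so it can never be interpreted as SQL, whatever it contains."""
    sql = "SELECT guest, card_last4 FROM reservations WHERE confirmation = ?"
    return conn.execute(sql, (code,)).fetchall()


def render_guest_vulnerable(guest: str) -> str:
    """Reflects stored data straight into HTML: stored XSS if the name is hostile."""
    return "<p>Welcome back, " + guest + "</p>"


def render_guest_safe(guest: str) -> str:
    """Output-encode for the HTML context. A template engine with
    auto-escaping enabled does exactly this for every variable."""
    return "<p>Welcome back, " + html.escape(guest, quote=True) + "</p>"


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"          # what an attacker types into the lookup form
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every reservation
    print("safe:      ", lookup_safe(conn, payload))         # no such confirmation
    guest, _ = lookup_safe(conn, "GHI789")[0]
    print(render_guest_vulnerable(guest))   # script tag reaches the browser
    print(render_guest_safe(guest))         # rendered as harmless text
```

When asking a vendor about OWASP practices, these are the concrete questions behind the buzzwords: are all database queries parameterised (or built through an ORM that parameterises for you), and does every template that renders guest-supplied data escape it by default? A vulnerability scanner will find the obvious cases; a code review or penetration test finds the ones hidden in report exports and admin screens.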
It’s best practice to ask them what standards they can attest to, as this is the surest way of knowing that an objective third party has examined their controls. A key question is whether the vendor can provide a Service Organization Control 2 (SOC 2) report, documented GDPR compliance processes, and, if they handle card data, evidence of Payment Card Industry Data Security Standard (PCI DSS) 3.2 compliance. If they can attest to these standards and perform the activities associated with them (i.e. vulnerability scanning, data protection impact assessments, infrastructure and OS hardening), they have the basics down; if not, you will want to perform more due diligence.
Finally, make sure the vendor is enforcing modern encryption across the stack, both in transit and at rest. For example, if the vendor has a web platform or API, don’t accept ‘https’ and a lock symbol in the browser as proof: the lock only tells you what your own browser negotiated, not what the server would still accept from an older client. They should be enforcing TLS 1.2 or later on their servers, as TLS 1.0 has known weaknesses and PCI DSS has required migration off SSL and early TLS since June 30, 2018.
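The check a practitioner would actually run follows. It is an added example, not code from the article or from any vendor, and it has two parts: a hardened client context for your own integrations that call a vendor API, and a probe that offers a server exactly one protocol version at a time and records which ones it accepts. The policy floor of TLS 1.2 and the host name passed on the command line are assumptions; nothing on the page names a specific host.

```python
"""Verify a vendor enforces TLS 1.2 or later, rather than trusting the lock icon.

Added example, not code from the article. Part one is a hardened client
context (what your own integrations should use when calling a vendor API);
part two probes a server one protocol version at a time. The policy floor
and the command-line host are assumptions.
"""
import socket
import ssl
import sys

POLICY_MINIMUM = ssl.TLSVersion.TLSv1_2        # PCI DSS: no SSL / early TLS
CANDIDATES = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
              ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def hardened_client_context() -> ssl.SSLContext:
    """Certificate verification, hostname checking and a TLS 1.2 floor."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_version(host: str, version: ssl.TLSVersion,
                  port: int = 443, timeout: float = 5.0) -> str:
    """Offer only `version`; return 'accepted', 'rejected' or 'not-offered'.

    Certificate checks are disabled on purpose: this measures protocol
    negotiation, not trust. 'not-offered' means the local OpenSSL itself
    would not speak that version (common for TLS 1.0/1.1 on current builds);
    a 'rejected' for those versions can also stem from the local library,
    so confirm with a second tool before crediting the server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return "not-offered"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except ssl.SSLError:
        return "rejected"


def violations(results: dict) -> list:
    """Versions below the policy minimum that the server accepted."""
    return sorted(v for v, outcome in results.items()
                  if outcome == "accepted" and v < POLICY_MINIMUM)


def check_host(host: str, port: int = 443) -> dict:
    """Probe every candidate version and map each to its outcome."""
    return {v: probe_version(host, v, port) for v in CANDIDATES}


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("client floor:", ctx.minimum_version.name, "verify:", ctx.verify_mode.name)
    if len(sys.argv) > 1:        # e.g.  python tlscheck.py api.vendor.example
        results = check_host(sys.argv[1])
        for v, outcome in results.items():
            print(f"{v.name:8s} {outcome}")
        bad = violations(results)
        print("FAIL: accepts " + ", ".join(v.name for v in bad)
              if bad else "PASS: TLS 1.2+ only")
```

Run it against the vendor's API host name (with their agreement; it is a handshake per version, not a scan of anything else) and keep the output with the rest of the due-diligence file. The same floor belongs in your own integration code: `hardened_client_context()` refuses to talk to a downgraded server at all, so a misconfiguration on either side fails loudly rather than silently weakening the connection.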
Security is everyone’s job
Although the government enforces data protection laws that companies are expected to comply with, having a secure system is just good business for every company. The government can’t stop a rogue employee from personally sharing information or downloading a file that could lead to a leak. The best protection for hospitality operators is to always, first and foremost, make sure all employees know best practices and then move onto external factors.
From reservation bookings on social media to Amazon Alexa in hotel rooms, restaurants and hotels are constantly expanding the ways they collect guest data. Although this technology and information is benefiting both the hotel and the guest, it requires a commitment from operators to securely manage the data—from what they collect, to who has access and how it’s used—ensuring it’s protected from falling into the wrong hands.