Why cybersecurity is a brand concern

Cybersecurity is an increasingly pressing concern and hotel brands are particularly susceptible to cyber threats. The vast quantities of sensitive guest information that hotels process, and the increasing reliance on digital systems and online platforms, provide malicious actors with a host of potential vulnerabilities to exploit. Compounding this, hotel networks are often managed by third parties for services and supplies—with this comes increased exposure to cybercrime, as IT systems interlink.

From a brand perspective, hotels rely on positive feedback and reviews. In such an intensely competitive environment, cyberattacks represent a real risk to a hotel’s brand and reputation. In the past 12 months, there have been numerous high-profile cyberattacks on hotel chains, so, while there is risk awareness, cybersecurity is now front of mind for hotel general managers, security directors, and corporate leaders.

Last August, a hotel property operated by a U.K.-based multinational was the victim of a ransomware attack. The following month, the wider hotel group suffered a more pervasive cyberattack, with the brand acknowledging that it was being targeted by a malicious actor in an ongoing incident. This left prospective guests unable to make reservations, view or modify their bookings, access loyalty scheme accounts or search for other hotels. The operator reported that its booking channels were “significantly disrupted”—at least 15 employees and more than 4,000 users were compromised in the attack.

In October, more than 290,000 people who had stayed at three hotels belonging to a luxury Hong Kong-based hotel chain had their personal information compromised during a long-running cyberattack.

As a fallout from COVID-19, guests also have higher expectations of service with an increased focus on safety, security and privacy. To meet the enhanced needs and safety of their guests, hotel properties are prioritizing and raising awareness of systems and processes that previously may have been considered as behind the scenes—for example, hygiene factors—but are now priorities. Collectively, all these aspects are pushing security and cybersecurity up the corporate agenda.

What This Means for Hotel Brands

Service and reputation are key differentiators and major factors in a brand’s appeal in winning and retaining clients. Word of mouth, positive media coverage and online reviews all substantially contribute to brand engagement. But what happens when there is a cyberattack? With physical attacks—such as acts of terrorism—target brands are often viewed with a degree of sympathy. However, if you look at media coverage around a cyberattack, the target organization is often considered to be unprepared, even negligent. This negative media narrative puts target brands in the spotlight and can leave reputation significantly damaged.

Unique Challenges of the Hotel Sector

Many people we speak to in the luxury hotel sector are not confident that their organization is adequately prepared for a malicious cyberattack. When compared to other sectors, there are few multinational organizations that have a similar number of physical locations with such a broad geographic footprint.

An additional complication for corporate brands: Individual locations might be franchised or operating with relative independence. This means that while operational control may be decentralized, reputational damage in the event of a cyber incident will always come back to the same place: the corporate office of the central brand.

Preparedness and Prevention of a Cyber Incident

Risk managers within hotel organizations are aware of the repercussions and impact a cyber incident at one site can have across the whole brand. A strong corporatewide cybersecurity policy is increasingly important for hotels to protect their brand reputation, and a key component in instilling confidence in guests.

Steps to mitigate and prevent a cyberattack, and being prepared to respond to a crisis, are central elements of business continuity planning. Brands should follow a similar methodology and approach to evaluating risks and developing mitigation strategies in the cyber domain as they do in the physical one.

Given the fast pace at which technology, and therefore malicious cyber methodologies, are proliferating, staying one step ahead of the threat requires organizations to be proactive and deliberate in their security planning, using dynamic systems to keep on top of their threat, vulnerability and risk assessments.

To ensure guest confidence, hotels may need to provide overt reassurances through a multifaceted, well-communicated security strategy. Firewalls, multi-factor authentication, and intrusion detection systems are the baseline requirement in ensuring safe networks. Additionally, a cybersecurity strategy should include regular audited training for staff on the importance of cybersecurity, cyberthreats, and best practices. This extends to data handling procedures, ensuring software is up to date, and regular system vulnerability assessments for all owned and third-party systems.

Being able to demonstrate a genuine commitment to cybersecurity is a vital component in ensuring business and brand resilience in the unfortunate event of a malicious cyber incident taking place.

Hotel-Specific Cyber Vulnerabilities

One area in which hotels differ is the fluctuating and often unpredictable nature of the threat posed by malicious actors. For many organizations, the threat of cyberattacks is largely consistent. But for hotels, the risk might be aligned to hotel guests or specific events. For example, should a high-profile guest stay at a hotel, or should the hotel host a high-profile event or one with links to a particular political agenda, the risk of malicious attack, including cyberattacks, can increase dramatically. At these times, malicious actors may be motivated to gain access to the sensitive personal information of certain high-profile or politically aligned guests.

Even if the hotel brand does not outwardly support a cause or political view, the hosting of certain guests or events can be construed as implicit endorsement of these positions, increasing the likelihood of actors motivated by politics or ideologies conducting cyberattacks. This is not confined solely to the cyber domain either — it could lead to real-world activism, including protest or even civil commotion on or near hotel property.

To help prevent cybersecurity incidents, organizations should constantly assess their risk exposure across their portfolio and look to redress issues based on informed recommendations.

Crisis Response

It is unrealistic to try to prevent all incidents, especially when dealing with threats as diverse and variable as those in the cyber domain. However, teams should plan in advance to allow swift and effective responses to crises. This planning should include the preparation of documented, well-rehearsed incident response plans (to be actioned on site) and corporate crisis management plans (to be undertaken when broader organizational support is required).

It is important not to underestimate the value of pre-planning and drafting your crisis communications to guests, suppliers and staff. In the case of cyberattacks, much of the long-lasting brand damage is done not by the attack itself but by the quality and timeliness of the communications that follow. Hospitality is a people-focused industry, so there is a higher-than-average expectation of effective communication. Therefore, a well-developed crisis communications plan is essential.

Cyber and Physical Security

Increased technology creates a nexus between cyber and physical security in which multiple vulnerabilities exist, and which malicious actors can exploit. Investments in security cameras and access control systems are crucial aspects of the deterrence of criminality, and these systems rely heavily on cyber to function.

For example, a cyberattack could infiltrate hotel room key systems, which could allow malicious actors to undertake a physical attack. Managing these interrelationships is very important for hotel brands. Indeed, to avoid unwittingly building vulnerabilities into one’s own security architecture, hotel brands should consider security in a holistic way.

Looking Forward

As technology is integrated into systems and the guest experience, hotel brands are becoming more reliant on digital systems to function. Systems to check in and out, card payment devices and communications channels are all critical to the running of a property and a seamless guest experience.

Even if a serious cyber incident is avoided, a lower-level cyberattack can affect these operating systems, damaging guest experience and, without doubt, brand reputation. This essentially increases the opportunities for malicious actors and the ways in which assailants can attempt to gain unauthorized entry, especially when data is being shared with third-party technology suppliers.

Given the fast pace at which technology, and therefore malicious cyber methodologies, are proliferating, staying one step ahead of the threat requires hotels to be proactive and deliberate in their security planning. To help prevent cybersecurity incidents, hotel brands should ensure they understand the risk exposure across their portfolio, make investments to redress issues based on informed recommendations and prioritize duty of care responsibilities to their guests and staff.

As cyber concerns become a greater priority for travelers and the places they stay, the need for hotels to have appropriate systems, policies, and procedures in place is more pronounced than ever, and is central to positive reputation management.

Ben Hawkins is partner and director of advisory at CHC Global.