Cybersecurity is not just a buzzword. In today’s technology-abundant world, it has become a critical undertaking for companies across all industries—including hospitality. The reality is that threats are lurking around each digital corner: Attacks, the headlines proclaim, are now a question of “when,” not “if.”
In fact, the FBI’s "2018 Internet Crime Report" revealed that upwards of $2.7 billion was lost to cybercrime. Also sounding the alarm is Juniper Research, which further predicts more than 146 billion records will be stolen by 2023. It only takes a quick look at the widely publicized data breaches of corporate giants like Equifax and Facebook to know that the issue is dire and no company nor industry is safe. Especially not hotel operators.
Hotels are Among the Most Affected Cyberattack Victims
Trustwave’s "2018 Global Security Report" lists hospitality as one of the top three industries most vulnerable to payment card breaches. Other estimates project that hotels are the unwelcome recipients of around 20 percent of all cyberattacks.
Additional anecdotal evidence supports these numbers. One need not look further than Marriott International’s Starwood Hotels & Resorts Worldwide group, which recently disclosed the theft of more than 25 million passport numbers and 380 million unique guests’ personal information. Such losses, however, are not new to the industry. Hilton, Hyatt Hotels Corp. and Trump hotels have all been cited for large-scale data negligence over the past few years.
Such unfortunate trends should not come as much of a surprise since hotels are hotbeds of sensitive information. Their data is spread out across porous digital systems and their sales are usually conducted through weak point-of-sale systems. The rigid security measures enforced at banks and tech companies simply do not come as naturally to hotels. After all, the industry has been and continues to be focused on cultivating a user-friendly atmosphere. Unfortunately, for hackers this combination is nothing short of a gold mine.
The Risks of Attack Extend Far Beyond Poor Ethics
Phishing. Malware. Web attacks. Denial of service. The practical implications of these and other cyberattacks are far-reaching for any business— hotels very much included. Perhaps the greatest implication of a widespread data scandal is the brand’s integrity. Since a businesses' hard-earned reputation relies heavily on instilling confidence in its customer base, a breach of trust is sure to compromise that relationship. If an attack affects millions and is publicized to millions more, the impact on brand equity can be difficult to recover.
This begs another extremely important question: How does a hospitality owner/operator respond to such an egregious violation? Marriott, for instance, was criticized not only for the breach, but also for responding inadequately and unprofessionally. This is an example of how a truly terrible situation was quickly made even worse.
Beyond trust, the actual value of the brand in question now becomes cheapened. This also has additional far-reaching effects when a single brand is part of a larger national or multinational hospitality company. With the speed of light, all of the brands and the parent company are tied to that with the breach. In short, as more and more consumers become aware of the importance of reliable cybersecurity, a hotel that neglects this pain point is compromising the strength of its product among its competitive set.
Of course, there is the loss-of-revenue aspect to consider. Immediate reactions of outrage and continuous erosion of brand integrity both stand to hurt profits, as does the possibility of fines or reparation payments.
Legal action may pose the greatest risk of all, especially with the General Data Protection Regulation currently working to protect data privacy on a global scale. Violations can be devastating. Take Hilton, for example: While the brand “only” lost $700,000 back in 2015, today it could be fined up to $420 million.
Hospitality Companies Need to be Hyper-Vigilant
Considering that the annual frequency and severity of cyberattacks are only rising, the time is now to establish organizationwide security operations, recovery plans and budget allocations. To cover all angles of a potential hack, a cohesive top-to-bottom strategy is required and often is best delegated to a trusted strategic advisor with depth of experience in cybersecurity breach prevention and resolution.
Next, the goal becomes full-scale protection. From the technical side, this includes setting up firewalls and securing weak points (such as point-of-sale terminals). Furthermore, this is where regulatory compliance comes into play; beyond ensuring that it is currently maintained, field experts can come in to educate employees on best practices moving forward.
Now, what if a breach does occur? There needs to be an efficient method for detecting the attack and mitigating any damages. Lastly, to avoid the pitfalls noted above, a predetermined plan to address this worst-case scenario is vital. From reviewing insurance policies to preparing for impending litigation, recovery is a process best started with a go-to advisor before it is needed.
Undoubtedly, knowing where to begin this whole process is daunting. Being hacked can be devastating to the brand and bottom line. While most in-house teams lack the depth of resources offered by a one-stop cybersecurity advisor, there is immense value in collaborating with an advisor with a proven track record that is capable of covering all these bases. The only way to avoid being another statistic in future Internet crime reports is by staying as ahead of the looming threats as possible.
Lena Combs is a hospitality services practice leader and Joshua Davis is a senior manager at Withum, an advisory and accounting firm.