You need to start with the simple stuff: strong passwords, robust login and access credentials, and segregated information systems that keep back-office systems separate from internet and publicfacing applications.
“This is basic cyber-sensible practice, which I call ‘cyberhygiene’,” says Bill Egerton, chief strategy officer at Vauban Group. “Every hotel employee needs to understand data is sacred – particularly guests’ personal data, but the staff’s too.”
It’s safe to estimate that about 80% of attacks on computer systems can be stopped by simple housekeeping measures, according to Egerton. Not leaving ports open when they don’t have to be, properly configuring firewalls, updating antivirus protection, and making sure passwords are strong and routers and Wi-Fi points are properly configured – not just set to default – are good starting points.
Controlling staff access to systems with two-factor authentication processes, such as an access card and a subsequent PIN number or fingerprint, will also go a long way towards beefing up security.
Close the window
Unauthorised access to networks can make a gift to criminals of clients’ personal data, such as credit card details, and give insight into guests’ taste based on purchase histories, special requests, ordered entertainment and bills paid. “This data is a goldmine,” Egerton says, “and needs to be protected above all else.
“This is not rocket science. If you haven’t trained your staff adequately, patched systems and done basic housekeeping of information systems, your insurer will ask, ‘Are you seriously looking at me to pay out when you’ve left every single possible window open?’”
Any hack or attack can cause serious reputational damage to hotel brands, which can take a long time to heal. The problem, as Andrew Pickthorn, managing principal at Integro Insurance Brokers UK, says, is that time is a luxury most don’t have in a competitive market.
Protect and repair
“Hotel brands need to be able to repair their reputations instantly,” Pickthorn says. “They can help do this by using experts that provide a robust insurance policy, which helps to implement security strategies, identify threats and vulnerabilities, and provide support after an incident. It should include cover for the cost of identifying the cause of a breach and how to avoid its repetition, and pay for the expense of notifying guests of the breach and subsequent monitoring costs. That’s why your insurance needs to cover a multitude of different problems you’re facing: reputational and financial damage, and the cost of getting back up and running as quickly as possible.”
The average time between hack and discovery is six months, so a degree of embarrassment is more or less inevitable, because of the assumption that security breaches have been going on for a long time.
“The important thing, whatever happens, is that the response is seen as definitive, resolute, rapid and organised – not a bunch of hand-waving apologies,” Egerton says.
Face the consequences
By this time next year, the General Data Protection Regulation (GDPR) will impose a duty on businesses to notify everybody of their losing, or potentially having lost, credit card details.
“GDPR will be robust,” Pickthorn says. “It’s going to make quite a big difference to the bottom line for everybody because of the expense of compliance. Hotels will need to offer guests prolonged credit monitoring in case of later financial loss as a result of the attack.”
While not an expressed certainty of the GDPR, it is worth it for hotel operators to encrypt all data as a matter of good practice. “The bad guys only need to get lucky once, but good guys have to be lucky all the time,” Egerton says.
“You need to demonstrate you are taking sensible measures to mitigate your risks. The GDPR doesn’t say there will never be breaches, because it can’t; it says if there is a breach, you have to face the consequences. It doesn’t take a big overhead to put data on an encrypted drive when it’s at rest. You should do that as a matter of course.”
Safety first
Hotels can go a long way in safeguarding their guests and personnel’s data by following good cyberhygiene principles. However, when breaches do occur, it is vital to have an insurance policy in place to help with the costs of notifying those affected, as well as guidance on rebuilding the brand in the wake of the attack.