Hotel Cybersecurity: Closing the Doors Before the Horses Leave the Barn - By Jim Butler

Silhouette of a hacker uses a command on graphic user interface
Hotel Cybersecurity: Closing the Doors Before the Horses Leave the Barn

One of the great breakout sessions at our recent Meet the Money® hotel conference in Los Angeles was organized by my partner Bob Braun and moderated by Jeff Higley of HotelNewsNow. I was particularly impressed by the panel’s evidence of how costly cybersecurity breaches can be, how much can be done to prevent or limit exposure, and how reasonable the cost can be for a pro-active approach.

Here is Bob Braun’s summary of this panel last week in Los Angeles. This is a compelling call for an ounce of prevention. 

5 Cybersecurity takeaways from Meet the Money® - by Bob Braun, Hotel Lawyer and Data Security Advisor

Meet the Money® changes with the times, and the 2016 conference showcased the first panel on Cybersecurity in the hospitality industry – “Who’s Knocking at Your Digital Door,” featuring Bob Braun, from JMBM’s Global Hospitality Group and Co-Chair of the Firm’s Cybersecurity and Privacy Group; Bob Justus, of Optiv Security; Brad Maryman, from Maryman & Associates; Christian Ryan, from MARSH; and Kevin Shamoun, from Zeamster.  Jeff Higley, of STR/ moderated the panel.

The panelists, representing technical, legal law, law enforcement, insurance and payment systems, identified key cybersecurity challenges for the hospitality industry.  Five key takeaways were:

  • Compliance does not equal security. Each of the panelists agreed that while meeting legal and business requirements is essential, compliance does not necessarily achieve real cybersecurity — completing checkboxes on a task list or questionnaire is only a first step. The panelists noted that each of the major hotel breaches in the last year, which involved every major hotel chain, implicated point of service credit card systems that complied with industry standards.  Hotels and hotel companies need to look beyond complying with standardized requirements and has to evaluate their own risk profile and apply meaningful security plans.
  • Informed response is better than instant response. Too many organizations make the mistake of reacting before they think, especially when reporting a breach. Data breaches can be complicated matters, and it is essential to understand the scope of the breach, the data and individuals involved, and how a firm can remediate the source of the problem before disclosure. There is no question that speed is important, but some breaches do not require notification, while acting without ascertaining the facts can require multiple notifications, which is damaging to reputation and sends the wrong message.
  • Credit cards are not the only risk. While much focus is placed on the theft of credit card numbers, hotels must consider other risks. Hotels and hotel companies hold massive amounts of sensitive personal information that can be used to steal a guest’s identity.  Moreover, hotels need to consider more than data; the interconnection of systems means that breaking into a financial structure can give a hacker access to door locks, heating and air conditioning systems, electrical, plumbing and other key structural and physical parts of the hotel.  What would happen if a hacker flooded a hotel, or opened the doors?  This damage can far exceed the damage from lost credit cards, and cause untold damage to the hotel, its brand and owners.
  • Cybersecurity cannot be achieved without addressing the Human Factor. 95% of all data breaches can be traced to human causes. Individuals make mistakes, don’t consider cybersecurity, steal, or intentionally damage data systems. While technical measures are necessary, any individual can undo all technical planning – all it takes is a click on the wrong website or responding to the wrong email.  The answer is for hotels and hotel companies to train their personnel at all levels to reduce incident and create a secure environment.
  • Hotels need to create a culture of Security. Hotels are obligated to maintain the physical security of guests; if a guest does not feel safe in their room, they will not patronize the hotel or the hotel brand.  This need for physical security applies to data security as well; hotels must make guests feel that the hotel they visit is as concerned about their personal and financial data as they are about their physical security.  Moreover, hotels hold and must protect great amounts of data that is key to their competitive survival.  Hotels companies can only achieve security for guests and integrity for their own data by creating a culture of security at all levels.

The last point might be the most important – hotels should look at themselves as leaders in the fight for cybersecurity. Hotels every day take responsibility for the security and safety of their guests. Guests will only feel secure if they believe all of their property, including their digital, property, is protected. Hotels can transform themselves from being the most likely source of data theft to becoming the model for data security.

This is Jim Butler, author of and hotel lawyer, signing off. We’ve done more than $71 billion of hotel transactions and have developed innovative solutions to unlock value from hotels. Who’s your hotel lawyer?

Logos, product and company names mentioned are the property of their respective owners.