Complex Ownership Structures
Restaurants, hotels and other businesses within the hospitality industry generally have complex ownership structures in which there’s a franchisor, an individual owner or a group of owners and a management company that acts as the operator. Each of these groups may use different computer systems to store information and this data can often be shared across many systems amongst employees.
The hospitality industry relies heavily on credit cards as a means of payment. Hotels and restaurants often require credit card details to confirm reservations and final payments are regularly made with the same card. Cybercriminals use this reliance on cards to infect point-of-sale (POS) systems with malware that steals credit and debit card information. As malware can move between POS systems utilised by the same business, many systems can be affected by these attacks.
High Staff Turnover
A vital part of ensuring your business’ data remains secure is to train your team on the many aspects of cybersecurity. Well-trained staff also know how to recognise social engineering attempts and they fully understand a business’ compliance requirements. High staff turnover is generally accepted within the hospitality industry, as many employees are seasonal and might leave the company after a few months. It therefore becomes a challenge to ensure each team member is appropriately trained in cybersecurity. All it takes is one person who isn’t familiar with your data protection policies to allow a breach to occur.
Data security breaches within the hospitality industry extend beyond the reputational damage that would occur if a guest’s data is compromised. Regulations have recently been introduced to ensure businesses store data securely. GDPR was introduced as landmark legislation that aims to return the control of personal information to individuals while enforcing stricter rules for businesses in protecting this data. While GDPR protects data within the EU and EEA, its effects have been felt worldwide as businesses have had to put greater compliance measures in place.
This form of data risk is much more subtle as it involves employees selling data to third parties without the knowledge of their employer. These insider threats generally involve data that pertains to customer preferences and behaviour, which hospitality businesses can collect at multiple touchpoints, from interactions with hotel websites to data stored in booking systems and review data. This data could be potentially lucrative when it ends up in the hands of third parties, in particular those who know how to use it to gain a competitive advantage.
Best Practices For Data Security In Hospitality
- Always encrypt payment information
- Continuously train employees on the importance of cybersecurity
- Ensure your business is GDPR compliant
- Use cybersecurity protection measures, such as firewalls, network monitoring, multi-factor authentication, external vulnerability testing, etc.
- Test your cybersecurity defences
- Know where your data is stored and ensure only authorised employees can access it