by
Lynn Goodendorf
Jun 6, 2026

Strategic Focus for AI and Cybersecurity

It is well-established that a critical success factor in management is the ability to have a strong focus and choose the right priorities. This principle applies to cybersecurity more than ever. It can be so easy to get lost in the weeds and miss the big issues.

There is no question that AI offers significant business opportunities. Examples of top trends in hospitality for AI adoption are language translation for both guests and staff, predictive analytics for demand forecasting, enhanced guest experiences, staff scheduling, room management and more.

However, in terms of business threats or risks, cyber attackers are ahead of “defenders” and are using the speed and scale of AI to carry out their exploits. Further, the attackers continue to have success with the same techniques and schemes aimed at well-known vulnerabilities.

The probability of data breaches continues to increase. The impact in terms of expense, disruption to the business and reputational damage are well known. In short, we can’t afford to lose sight of managing the increasing risks associated with cybersecurity.

According to the Center for Internet Security (CIS), the top five attacks aren't new.

THE TOP 5 CYBERSECURITY ATTACKS

  1. Malware
  2. Ransomware
  3. Web Application Hacking
  4. Insider and Privilege Misuse
  5. Targeted Intrusions

Defenders have opportunities to harness AI to strengthen fundamental security controls. This is particularly true for organizations with small IT operations or IT security staff who are stretched thin managing security risk controls. And the effectiveness of locking down those security risk controls is huge. Just by practicing basic security hygiene controls such as thorough and speedy software patching, attention to configuration management, strict privilege control, etc., 77% to 83% of attacks can be prevented. And if the full set of best practice controls is implemented, that prevention rate increases to 94% to 95%.

There are some additional insights into attacks provided by the 2025 Verizon Data Breach Investigations Report, which analyzed 12,195 data breaches across 139 countries from January through December 2025. Below are some of the key findings.

  • Third-party management is a top risk control to prioritize because the percentage of breaches involving a third party doubled from 15% the previous year to 30%. To strengthen risk control in this area, require your third parties to have external and internal penetration testing completed, preferably at their expense and with deadlines to remediate issues found.
  • Vulnerability management is a core risk control considered to be security “hygiene” (like brushing your teeth), yet exploitation of vulnerabilities as an initial access step for data breaches increased 34%. This accounted for 20% of all breaches analyzed. Furthermore, the share of edge devices and VPNs as a target of vulnerability exploitation leapt from 3% to 22%. It seems there was a challenge to patch those edge device vulnerabilities because the analysis showed only about 54% of those were fully remediated throughout the year, and it took a median of 32 days to accomplish.
  • Ransomware isn't going away, and the median amount paid to ransomware groups was $115,000. This doesn’t include the disruptive impact on an organization and its operations or service delivery to guests. 44% of cybersecurity breaches involved ransomware, up 37% from the previous year. And yet the discipline of frequent backups of data on offline systems, combined with strong encryption of sensitive and confidential data, is proven to provide the ability to quickly recover from a ransomware attack.
  • Credential abuse is still the most common attack technique and was deployed in 22% of the breaches analyzed. The common risk controls for this threat include measures such as not sharing passwords, least privilege access needed for job roles, enforcing complex and lengthy passwords and multi-factor authentication.

This leads us back to how to have a strategic focus. Start with an overall governance scope for data privacy, security and compliance, which is expanded to include AI governance. It is essential to have properly authorized accountability and oversight, which is ideally carried out by a cross-functional governance board.

This shouldn't be a group of IT specialists. Business stakeholders such as marketing, guest relations, public relations, legal, finance, human resources and risk management should all be engaged, as well as an information security leader.

This group of business stakeholders should take steps to ensure that adequate resources and budgets are approved to meet the risk management objectives.

This group should be reviewing the health of security risk controls put in place and updating policies to address acceptable use and training programs for AI.

Implementation of training programs for people can make or break successful deployment of any AI tool or model and its related privacy and security safeguards. The scope of training needs to cover 1.) all employees and contractors for acceptable use of AI and 2.) technology employees involved in developing, provisioning or operating AI systems.

As a final component, governance should be updated and aligned with international and national frameworks for AI including:

  • NIST AI Risk Management Framework (AI RMF)
  • EU AI Act
  • OECD AI Principles
  • ISO/IEC 42001:2023: International standard for AI management
  • UNESCO AI Ethics Framework

A well-thought-out governance program will go far to ensure successful adoption of AI and strengthen security risk controls, reducing the likelihood of a data breach or severe data security incident.

Lynn Goodendorf is a cybersecurity expert whose previous roles include group information security officer with the Mandarin Oriental Hotel Group and corporate risk and chief privacy officer with IHG. She currently serves as vice president of the Information Systems Security Association's (ISSA) Metro Atlanta chapter.
