For the past few years, HU has worked with Leora Lanz and her Boston University hospitality students. As part of an overall project, future hospitality professionals research and develop problem-solving insights for industry hot topics. Here is the first in this year’s series. 

March 2015: Mandarin Oriental Hotel Group
October 2015: Trump Hotel Collection
November 2015: Starwood Hotels & Resorts Worldwide and Hilton Worldwide Holdings
December 2015: Hyatt Hotels Corporation
April 2016: Trump Hotel Collection
July 2016: Kimpton Hotels & Restaurants, Omni Hotels & Resorts, and Hard Rock Hotel & Casino Las Vegas
August 2016: Millennium Hotels & Resorts
February 2017: InterContinental Hotels Group
July 2017: Sabre Hospitality Solutions
The last two years have seen a wave of mass data breaches, and the hospitality industry has not been immune. With the volume of guest data being collected through online bookings, loyalty programs and social media profiling, the security of Personally Identifiable Information (PII) is something hotels need to be particularly aware of. Failure to protect PII exposes hotels to financial penalties as well as damage to brand reputation.
According to a 2016 report by Trustwave, the hospitality industry accounted for the second largest share of the data compromise incidents the firm investigated. The industry should therefore be taking some basic steps to prevent breaches of personal information. The European Union (EU) is already moving to protect PII with its General Data Protection Regulation (GDPR), which applies from May 25, 2018. The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission aim to strengthen and unify data protection for all individuals within the EU; it also governs the export of personal data outside the EU. The GDPR is meant to give citizens and residents control over their personal data and to streamline the regulatory environment for international business. U.S. companies, including hotels, that operate in the EU or process the personal data of people in the EU will have to comply with these requirements or face fines of up to 4 percent of annual global turnover or 20 million euros, whichever is higher. There is no better time for the industry to think about the steps it should be taking to protect guest information and to protect itself from fines and other consequences.
Unfortunately, many people still do not realize the importance of secure passwords. A strong password is the first line of defense against intruders and impostors. Passwords should be hard to guess; rather than relying only on a mix of upper and lowercase letters, numbers and special characters, many security experts recommend long, unique passphrases, which are harder to crack and easier to remember. Hospitality businesses should also look into two-factor authentication, which adds an extra layer of security by requiring, for example, a six-digit code generated on or sent to the account holder's phone. Passwords on important accounts such as banking, email and company file stores should be changed immediately whenever a compromise is suspected; scheduled changes every three months are still common policy, although current NIST guidance (SP 800-63B, 2017) advises against forced periodic rotation because it tends to produce weaker, predictable passwords. Ultimately the most crucial rule of password protection: never use the same password for more than one account.
Unfortunately, even a strong password will not always keep the user safe. Wherever passwords are used, the company keeps a database of credentials, and that database is a target. Passwords should be stored not as plaintext or reversible encryption but as salted hashes computed with a deliberately slow function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count), so that a stolen database cannot simply be decrypted or cracked with a precomputed lookup table. Even then, a leaked hash database lets attackers guess weak passwords offline, which is why the use of multi-factor authentication (MFA) is on the rise.
MFA requires more than one method of authentication, drawn from separate categories of credentials (something you know, something you have, something you are), to verify a user's identity. The goal is a layered defense that makes accounts harder to take over: if one factor is compromised, another barrier still protects the user's information. Examples include entering a PIN after swiping a card, logging into a website and then being required to enter an additional one-time password, or swiping a card and then scanning a fingerprint. MFA is already prevalent in online banking, and it should not be overlooked for use in the hospitality industry.
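The storage point above, as an added example that is not part of the original article: a salted, deliberately slow hash per account, constant-time verification, and a side-by-side with the fast unsalted scheme it replaces. The record format, the iteration count and the sample passwords are this example's own assumptions.

```python
"""Salted, deliberately slow password hashing for a staff or guest account store.

Added example, not code from the original article. The record format, the
iteration count and the sample passwords below are assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, List

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumption: tune so one verification costs tens of milliseconds
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$hash_hex'.

    A fresh random salt per record means two employees who choose the same
    password get unrelated hashes, so a leaked table cannot be attacked with
    one precomputed lookup, and each guess must be paid for per account.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((ALGORITHM, str(iterations), salt.hex(), digest.hex()))


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False          # malformed record: reject rather than crash
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current cost policy; rehash at the next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


def unsalted_sha256(password: str) -> str:
    """The weak storage scheme this example argues against: fast and unsalted."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(hashes: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """One pass over a wordlist recovers every account that used any listed password,
    because identical passwords give identical hashes and each hash costs microseconds."""
    table = {unsalted_sha256(word): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


if __name__ == "__main__":
    # Constructed sample data.
    record = hash_password("front-desk-Summer2017!")
    print(verify_password("front-desk-Summer2017!", record))   # True
    print(verify_password("front-desk-summer2017!", record))   # False
    weak_store = {"alice": unsalted_sha256("Hotel123"), "bob": unsalted_sha256("Hotel123")}
    print(crack_unsalted(weak_store, ["password", "Hotel123", "welcome1"]))
    # {'alice': 'Hotel123', 'bob': 'Hotel123'}
```

The iteration count is the knob that turns a leaked database from a weekend project into a multi-year one; raise it as hardware gets faster and let needs_rehash upgrade old records on the user's next successful login.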

Security Testing
Something as simple as an internet-connected thermostat or an electronic door lock can give an attacker a foothold on the same network as vital hotel systems, such as the property management system or the payment environment. With data as sensitive as credit card numbers, passport details and PII such as home addresses at stake, properties must protect each of these potential entry points, and should segment guest, building-automation and payment networks from one another so that a compromised device cannot reach cardholder data (the same segmentation PCI DSS relies on to limit the scope of a cardholder data environment). To identify weak spots and vulnerabilities, companies should hire professional penetration testers. These testers assess hotel systems using manual and automated approaches, looking at them from an attacker's perspective, and deliver prioritized recommendations on how the company can better protect itself. Hotels can, and should, run these tests on a regular cycle, and again whenever new partners or technologies are added, as part of their normal risk management process.
Ransomware Protection 
Ransomware is malicious code that encrypts files and withholds access until a ransom is paid; paying does not guarantee that the files come back. In the worst case an organization faces a shutdown of its entire system. Regular, multiple backups, with at least one copy kept offline or otherwise out of reach of the infected network and tested by actually restoring from it, are essential so that files can be recovered without paying. Beyond backups, there are important preventive steps. Never download from sites claiming that the computer's software is outdated; keep operating systems, applications and antivirus software patched and up to date; and be cautious of email attachments and internet pop-ups that appear to come from software providers.
Secure Personnel Training
Creating a security training program for employees is not an easy task, but it is an important step. Employees should be trained, and retrained, that confidential information must be secured, and they should know the proper way to do so. If this is not understood, any company, hotel or restaurant risks having personal or payment information disclosed to outside parties.
Customers want to know that their information is being held safely and securely so they can continue to trust the company. With so much personal information in the hands of hotel staff, it is very important that guests feel their information is secure, and hotels must make active efforts to earn that trust. Consider developing and implementing procedures to prevent personal and payment information from being leaked in the first place. Then conduct reviews, or assign personnel, to make sure these standards and procedures are being upheld and are working effectively. Finally, create incentives, or enforce discipline, to ensure that every employee complies with training and the correct measures.
Taking these measures seriously, and effectively training personnel in the proper ways to handle and protect guest information, is an important step in building guest trust. It is no longer just about credit card numbers, which can be replaced; PII such as passport data and home addresses is in businesses' hands, and that kind of loss is far harder to recover from. With so much at stake, building guest trust is essential, and training staff to be aware is the best way to do so.
Action Plan
Ultimately, it is the hotel's or restaurant's responsibility to have a recovery plan in case a data breach occurs. Companies must consistently back up data files to separate storage, both to secure their own private data and to protect their customers' information. According to a 2016 study conducted by the U.S. National Cyber Security Alliance, approximately 60 percent of small businesses, mainly those in the hospitality industry, close within six months of a cyber-attack. Backing up files on a daily basis, and periodically verifying that the backups are intact and can be restored, is therefore a necessity.
Obtaining cyber insurance is an additional step the hospitality industry should take to mitigate losses in the event of a cyber incident, including data breaches, business interruption and network damage. It is also vital that properties have a direct line to a trusted professional who can help the company in the event of a breach. When a cyber-attack occurs, hotels and restaurants need first to notify the executive team so it can consult and decide the next steps, and to inform law enforcement about the incident. Notification is also a legal obligation: nearly every U.S. state has a breach notification law, and under the GDPR a breach affecting personal data must be reported to the supervisory authority within 72 hours of the organization becoming aware of it. Disclosing the details of a data breach to the public in a timely manner may cause some stir in the short run, but it increases transparency and trust in the company in the long run.
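The backup advice in the ransomware section and in the action plan above, as an added example that is not code from the original article: a hash manifest taken when the backup is made and checked before the backup is trusted or an older copy is rotated out, so that files an encryptor has rewritten or renamed are noticed instead of silently replacing the last good copy. The manifest layout and the sample files in demo() are constructed for illustration.

```python
"""Hash manifest for a backup set: build it when the backup is taken, verify it before
trusting a restore or before rotating out an older copy.

Added example, not code from the original article. The manifest layout and the
sample files in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large folios or database dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def save_manifest(manifest: Dict[str, str], path: str) -> None:
    """Keep the manifest outside the backup tree (and ideally offline), so an
    encryptor that reaches the files cannot also rewrite the reference hashes."""
    with open(path, "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=1, sort_keys=True)


def load_manifest(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as handle:
        return json.load(handle)


def verify_manifest(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the tree against the manifest. A ransomware run shows up as many
    'modified' entries (contents rewritten in place) or as 'missing'/'unexpected'
    pairs (files renamed with a new extension); a clean tree returns three empty lists."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: back up three files, save the manifest elsewhere, then
    simulate an encryptor rewriting one file and renaming another before verifying."""
    backup_root = tempfile.mkdtemp(prefix="backup-")
    manifest_dir = tempfile.mkdtemp(prefix="manifest-")
    try:
        sample = {
            "pms/reservations.csv": b"guest,room,checkin\nA. Guest,412,2017-07-01\n",
            "pms/folios.csv": b"folio,room,total\n1001,412,389.50\n",
            "hr/roster.txt": b"front desk: 3, housekeeping: 12\n",
        }
        for rel, data in sample.items():
            path = os.path.join(backup_root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        manifest_path = os.path.join(manifest_dir, "backup.manifest.json")
        save_manifest(build_manifest(backup_root), manifest_path)

        # Simulated ransomware: overwrite one file with ciphertext-like bytes, rename another.
        with open(os.path.join(backup_root, "pms", "reservations.csv"), "wb") as handle:
            handle.write(os.urandom(64))
        os.rename(os.path.join(backup_root, "hr", "roster.txt"),
                  os.path.join(backup_root, "hr", "roster.txt.locked"))

        return verify_manifest(backup_root, load_manifest(manifest_path))
    finally:
        shutil.rmtree(backup_root, ignore_errors=True)
        shutil.rmtree(manifest_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    # {'modified': ['pms/reservations.csv'], 'missing': ['hr/roster.txt'], 'unexpected': ['hr/roster.txt.locked']}
```

A daily job that runs verify_manifest against yesterday's manifest before overwriting the oldest backup copy turns "we have backups" into "we have backups we know are good", which is the difference that matters when the ransom note arrives.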