The hotel industry faces many more data security challenges than most, with multiple points of payment, email and online booking systems and faxes containing card data. All of which makes them an easy target for cyber criminals: in fact, according to a recent report, the hospitality industry accounted for the second largest share of cyber incidents last year.
Now, with the GDPR on the horizon – and stricter penalties for serious data breaches - there is added impetus for hoteliers to bolster data security processes.
We spoke with Geoff Milton, Security Strategist at ShieldQ on the challenges facing the hospitality industry and how they can be overcome.
What are the specific challenges the hotel / hospitality industry faces with regards to preparing for the GDPR?
The hotel industry has been considered one of the most vulnerable to data threats, because hotels process a very high volume of guests' payment card transactions daily. They also receive this information from many sources: third-party booking systems, point of sale systems, concessions, their own website, emails and faxes, phones and walk ins. Additionally, they generally store payment card data in several places. This data, from so many sources, placed in so many locations, must be protected. But before hotels even begin protecting the data, they first need to know where all of it is. Yet, a very large number, unfortunately, still have not instituted measures recommended for PCI compliance, whose regulations have many requirements in common with GDPR.
Do you believe that the industry is more / less vulnerable to data theft or cyber attacks than other industry sectors? Why is this the case?
According to Verizon’s 2016 Data Breach Investigations Report, the hotel industry accounts for one of the highest number of breaches in any sector and has the highest volume, when it comes to lost cards following a breach. Verizon say that this is "unsurprising, as they process information which is highly desirable to financially motivated criminals."
Are the big hotel brands any better at closing the security gaps that may exist?
Larger hotels may be better positioned financially to institute data security measures. But not all do so. There is little doubt that they’re rich pickings for cybercriminals in the US hospitality industry, where EMV is not fully implemented on point-of-sale systems. In Europe, attention is now turning to smaller hotel groups, which are less secured, while security has improved in some large groups.
In terms of readiness – and with a little under 18 months until the GDPR comes into effect - how well prepared do you consider the hotel / hospitality industry to be?
The sector is very poorly prepared. Almost all have underestimated the amount of work required to be compliant. Furthermore, hotels won’t necessarily share what they are doing, because they may not be doing anything. While they may be aware of GDPR's substantial fines, they may be deterred by what they perceive as the heavy investment involved and the long implementation times. Yet, there are solutions in the market that can help them comply much more easily, without requiring such outlays or time.
What are the first tasks that hoteliers should be addressing in order to prepare for GDPR?
Among the GDPR's imperatives are accountability, worldwide reach, data breach notifications, and oversight by one, independent supervisory authority. To ensure compliance with these regulations, hotels need to undertake some seemingly obvious, but rather intensive actions:
First, they must define their principles; then, follow the hotel’s guidelines for the collection and management of PII data. They must establish a code of practice, and define self-regulatory audit questions. This covers activities such as:
Internal processing, providing very detailed information on why they need to process personal data, and how long they plan to keep it. This procedure requires organised retention policies, so that they always know the status of such information.
Keeping technical and organisational records to prove they are protecting data. They will also need to show the SA that they have these mechanisms in place.
Then, data discovery. Where’s the data? It could be located in paper binders, in warehouses, in old email archive files, anywhere. It can even be found in scribbled notes that the front desk use to write down sensitive information, like payment card data.
Once all the data is found, decisions must be made about how it should be handled, taking into consideration the hotel’s principles and code of practice. Actions can include deletion, redaction, encryption, quarantine or storage in an accredited, cloud-based storage solution where it can be accessed by staff easily using very strong access controls and auditing.
It's key to ensure IT systems are set up and updated for maximum data protection, even though it may mean the team needs to learn new technologies, and to always be on guard, day in and day out. Unfortunately, many companies still use outdated security systems and data protection software; it’s only to be expected, considering that new threats appear daily, requiring ever-new solutions.
Can you provide some specific examples of what hoteliers should be doing with regards to:
• Training and preparing their personnel
We can take our cue from various regulatory guidelines, such as PCI DSS which include; collecting, accessing, using, and disclosing personal information only for reasons that are for a legitimate job function. Restricting access to cardholder data and the proper disposal of documents containing payment card data.
In addition, storing media back-ups in a secure location, preferably off site, using strong passwords and adopting a good e-learning system. They should also develop e-learning programs for PCI and PII security for front desk staff, and enforce staff education across all hotel properties.
• Adapting their website
A key requirement of GDPR is the ability to access and view data held by organisations; in this case, hotels. They need to have access to the data and be able to change it or delete it.
Guests typically need to opt into a scheme that holds more data than is needed for reservations/bookings. This is a very significant change, most likely affecting not only hotels, but their partners as well. This is huge, since hotels are heavily dependent on partners.
Other security architecture issues to address include the encryption of cardholder data across open, public networks, using strong cryptography and security protocols. To install and maintain a firewall configuration to protect cardholder data and similarly, protect against malware and suspicious URLs.
Hoteliers also must ensure they are able to track and monitor all access to network resources and cardholder data using system activity logs. They must show a consistent and appropriate patching process as well as institute log-review procedures, change control policy, vulnerability-testing policy and a penetration-testing methodology.
• The Partners that they work with
Partners can be a weak link in an otherwise secured environment. More and more hotels are demanding that their third-party partners become PCI compliant, as well as GDPR-ready.
• How can they accept and store documents safely, without investing in more personnel?
An accredited, cloud-based software service can solve the issue of secured documents, which as mentioned above, requires constant IT vigilance to maintain updated measures against intrusions and other malicious events. It can solve the issue of adding specially trained security personnel, which also incurs added expense, year in and year out.
For such a solution to be effective, however, it must be a service that does it all for you, without requiring a large investment. It must be compliant with the most stringent safety standards, while offering the ability to accept confidential documents from multiple channels, so that all documents are easily discoverable and protected in one, secured location, for purposes of GDPR compliance.
Aside from achieving compliance – what are the key benefits for hoteliers in addressing these areas and protecting their guest's data?
They'll finally know where all the confidential data is and take the many steps necessary to secure payment card data. Often, improved security solutions can result in significant operational efficiencies. One leading hotel chain was able to save 80 per cent of their time processing incoming, insecure fax bookings containing PII data by storing faxes in a secure environment in the cloud, accessed only via a portal.
They'll also avoid the large penalties and bad publicity arising from any data breach. Just think of how data breaches have created media embarrassment and untold losses for known hotels such as the Marriott, the Sheraton and the Wyndham.
Geoff Milton, Security Strategist, ShieldQ
Image source: Shutterstock/Wright Studio