Hotel cyber security is the practice of protecting a hotel’s digital systems, networks and data from digital threats.

Cyber security can involve a wide array of protective tools and strategies, including safeguarding booking systems, payment processing, Wi-Fi networks and guest information from hacking, data breaches, malware and any other form of unauthorised access.

In this article, we’ll discuss the cybersecurity threats your hotel should be looking for, and how an independent property can minimise its exposure to those threats.

What is hotel data security?

Data security means protecting data from being accessed, stolen, or damaged by unauthorised persons. Data security may be impacted by cyber attacks or data breaches and can have serious consequences for businesses – particularly small ones that may not have the means to recover.

Why are hotels being targeted for data breaches?

Why is hotel cyber security important? Because hotels and bed and breakfast properties have been key targets of data breaches for many years, and there is one main reason for this: credit card payments.

A study by Trustwave’s SpiderLabs showed that of 218 data breach investigations from 24 countries, 38 percent of the attacks occurred on hotels and, of the data stolen, 98 percent was credit card information.

The security breach happens online, because that’s where your guests are making their bookings, or where your front desk staff are making bookings on their behalf.

Unfortunately, going ‘off the grid’ isn’t a feasible solution to the issue – the online space is too big to ignore. Almost 60% of all hotel bookings are now made online, a figure that has been steadily increasing over the years.

Seeing as hotels process countless credit card payments every day, it’s important to protect all the transaction details of each payment. If the correct systems aren’t in place, there is potential for a security breach to occur.

3 common hotel cyber security threats

There are three hospitality cyber security threats hotels need to be aware of:

1. Malware

Malware, short for malicious software, is the most common and most dangerous online security threat thanks to its diversity. It poses many dangers to hotel technology such as reservations systems. Types of malware that you may be familiar with include viruses and ransomware.

2. Spam

Spam refers to an unsolicited message – usually advertising material (think of the ‘spam’ folder in your email). But in some cases spam messages can carry dangerous malware and be very convincing. Avoid opening emails and clicking links that look suspicious or are asking you to provide money or personal details.

3. DoS attacks

A denial-of-service (DoS) attack occurs when a hacker or virus shuts down a machine or network, preventing its intended users from accessing it. The victims of DoS attacks are usually high-profile organisations that people hold a grievance against, so you might be off the hook here.

Assessing your hotel’s cyber security practices

In terms of cyber security, hotel industry businesses are ahead of many other sectors, simply for the fact that the sector was an early adopter of online payments and other digital tools.

But the cyber security landscape is always changing, so here are some considerations for keeping your business and your guests safe.

Is your hotel PCI compliant?

The PCI Compliance Guide defines PCI DSS (Payment Card Industry Data Security Standard) as “a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment”.

PCI compliance means that you have met a set of safety standards that are required for processing financial transactions online. A merchant account that is PCI compliant will have a secure server that allows you to process the payments.

Is your hotel website HTTPS secure?

Website security is critical. Personal and payment details must be kept safe, and all visitors need to know they can trust your site.

Most websites use “SSL encryption” to protect data that’s transmitted between a website and a shopper.

This is indicated to the user in the URL, which displays ‘https’ and a padlock symbol on the left-hand side of the URL bar. Google favours websites that are HTTPS secure. If your site isn’t secure, Google may warn users it isn’t safe, and could even restrict access to your web pages.

84% of users say they would abandon a purchase if data was sent over an insecure connection, with many concerned about their data being stolen. So, if your hotel wants to convert direct bookings and maintain a high ranking on Google’s search results page, it’s vital you become HTTPS secure.

How do you become HTTPS secure?

One of the easiest ways to ensure your website is secure is to invest in a professional website builder tool. This solution will automatically come with secure encryption and will also help you maintain a functional and charming website.

The beauty of using a customisable website builder is that you’ll have your brand new website within days and it will automatically keep pace with Google’s updates as time goes by.

Does your hotel use a secure online payment gateway?

Accepting bookings through your website is wise, but you also need to have a safe and secure online payment gateway to make it work.

Payment gateways are third party services that work with your booking engine to process secure card payments on behalf of your hotel. They will usually take a small percentage of each reservation for the use of their service.

Make sure your property management system (PMS) supports the secure transmission of payment card details and sends guests an automatic confirmation message as soon as payment is accepted. This will show guests you are trustworthy and provide reassurance that their information has gone to the right place.

As a small hotel operator, there are a few key features you should look for in an online payment gateway:

  • Consistent and reliable service

The experience of processing an online payment should be effortless for your guests. They should not even be aware that an online payment gateway is being used.

It’s essential that you work with a gateway that connects with your booking engine and works with it properly.

You want your customers to be able to book their rooms at your hotel without having any issues during the online payment process.

  • Security

A study by Trustwave’s SpiderLabs showed that of 218 data breach investigations from 24 countries, 38% of the attacks occurred on hotels and, of the data stolen, 98% was credit card information.

It’s not enough to have an SSL certificate on your website, or rely solely on third-party payment services such as PayPal or Google Checkout to handle your guests’ credit card security. Each program you use must be securely locked down.

Discuss data storage techniques with your online payment gateway in order to be sure that your valued customers’ information will be safe and secure at all times.

  • Customer support

It’s essential to have a positive working relationship with the support team at the online payment gateway that you choose.

They should be available to assist you in the event of an unforeseen circumstance or if any issues arise.

  • Currency conversion

People from all over the world will want to book your rooms, especially when they can do it easily online.

Choose an online payment gateway that will convert any currency without charging you excessive fees to do so.

How can hotel cyber security threats be avoided?

Prevention is far better than cure when it comes to hospitality cyber security threats. Here are some simple steps that can help to create strong cyber security for hotels.

Review hotel cyber security measures

Conduct a review of hotel cyber security issues and potential weak spots, and the current measures that you have in place. This might include:

  • Assess data encryption to ensure that sensitive data is secured.
  • Review access controls, such as multi-factor authentication (MFA) and role-based access, to ensure specific staff and customers can only access specific data.
  • Evaluate the security of your network, from Wi-Fi, to firewalls, to intrusion detection systems.
  • Check whether you have a clear plan to respond to data breaches, including notifying affected customers and authorities.
  • Check the security compliance of third-party tools and vendors.
  • Review the hotel cyber security training you offer your staff to ensure it is relevant and up to date.

Implement GDPR for hotels

While it might be an EU regulation, hotel GDPR compliance has become the data privacy standard for properties across the globe. You should work with your web developer or website tool provider to ensure that your site achieves total GDPR compliance, including obtaining clear consent from visitors when you collect personal data.

Reduce the risk of hotel data breaches

Cybersecurity is the technology, processes and practices designed to protect networks, computers, programs and data from unauthorised access.

Here are CERT Australia’s most critical tips for businesses to reduce the risk of a data breach:

1. Keep malware from attacking your computer by keeping your software up to date

A good method for this is to use internet-based cloud technology instead of updating software programs on multiple computers. With cloud technology you will only require one application login and your data will be backed up in real time.

Because cloud-based suppliers automatically back up and update their systems, the need for costly hardware and the worry of losing important customer information during difficult installations will be eliminated.

2. Use unique passwords and access

Creating different users and splitting access levels for each employee will reduce the opportunity for a hacker to gain control of your system. Managing what access employees have also makes it easier to track user activity and restrict access to certain areas.

For example, Little Hotelier allows you to select between ‘User’ or ‘Supervisor’ and implements two-factor authentication for sensitive information. This adds a high level of security for your front desk system, and the guest information it stores, by limiting access to only your necessary employees.

Supervisors will be prompted to enter a security code when:

  •   Viewing card details within a reservation
  •   Editing card details within a reservation
  •   Changing email address in the user account settings page
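The access model described above, sketched as an added example (this is not Little Hotelier's code): role-based permissions plus a step-up security code on the three sensitive actions. The action names, the permission map and the use of a time-based one-time code (RFC 6238) as the "security code" are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
import time

# The three actions listed above that prompt for a security code (names are hypothetical).
STEP_UP_ACTIONS = {"view_card", "edit_card", "change_email"}
# Assumed permission map: the article names the two roles, not their exact rights.
ROLE_ACTIONS = {
    "User": {"view_reservation", "edit_reservation"},
    "Supervisor": {"view_reservation", "edit_reservation"} | STEP_UP_ACTIONS,
}

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 one-time code (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def authorize(role, action, secret, code=None, now=None):
    """Return (allowed, reason) for one request; anything not granted is denied."""
    now = time.time() if now is None else now
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, "role not permitted"
    if action not in STEP_UP_ACTIONS:
        return True, "ok"
    if code is None:
        return False, "security code required"
    # Accept the current and the previous time step to tolerate clock drift.
    for drift in (0, 30):
        expected = totp(secret, max(now - drift, 0))
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return True, "ok"
    return False, "invalid security code"

if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # constructed sample; use one secret per user
    for role, action, code in [
        ("User", "view_card", None),
        ("Supervisor", "view_card", None),
        ("Supervisor", "view_card", totp(demo_secret, time.time())),
    ]:
        print(role, action, authorize(role, action, demo_secret, code))
```

A real deployment would also rate-limit failed codes and log every card-detail access per user, which is what makes the activity tracking mentioned above possible.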

Responding to a hotel data breach

Even the largest hotel chains can experience data breaches, despite having huge cyber security budgets. So what should you do if, despite your best efforts, your hotel is compromised?

Contain and investigate

Immediately secure your systems after you’ve identified the hotel data breach: isolate affected networks to prevent more data being exposed. Work to identify the cause of the breach, the systems that were affected, and the data that may have been compromised.

Clearly communicate with staff and guests

Alert your staff to the breach, and provide them with next steps. Inform all guests and other parties whose data may have been compromised, explaining what happened and the steps they should take to protect themselves.

Comply with legal and regulatory requirements

Report the breach to the relevant authorities. In the EU, for example, a hotel must notify its data protection authority within 72 hours in order to comply with GDPR.

By Dean Elphick

Dean is the Senior Content Marketing Specialist of Little Hotelier, the all-in-one software solution purpose-built to make the lives of small accommodation providers easier. Dean has made writing and creating content his passion for the entirety of his professional life, which includes more than six years at Little Hotelier. Through content, Dean aims to provide education, inspiration, assistance, and, ultimately, value for small accommodation businesses looking to improve the way they run their operations (and live their life).