Hotel Security in a Digital World: How to Prevent Hotel Data Breaches

With the adoption of advanced technology to manage your property and provide the best guest service, have you ever wondered about the potential new threats posed to your hotel security? Nowadays, technology helps hoteliers everywhere manage hotel operations, optimize revenues, and enhance the guest experience. These tech tools give hotels more control over their business, guest satisfaction and profitability. And it’s not just software: the guest room has evolved to include all kinds of smart technology products, such as smart TVs, tablets and even voice-controlled curtains, thermostats and lights.

While convenient, this new wave of interconnected technology also creates new risks and emerging threats. Attackers and cybercriminals will exploit any weakness to gain access to critical systems, often in pursuit of guest data and payment information that can be used or sold. 

Over my career developing security strategies at both large companies and smaller startups, I’ve seen all kinds of hacks and intrusion attempts. To stay safe amidst these constantly evolving threats, hotels must have clear, concrete security plans. 

I’ve put together some useful guidelines to protect the most vulnerable areas of your property, as well as a glossary of key security terms and a few essential best practices to improve your hotel’s defenses overall. Let’s bulk up your hotel security!

The three most vulnerable areas of hotels

A big part of my past role in security preparation involved performing what are called External Penetration Assessments, which simulate an external attacker trying to break into a company’s systems remotely via the Internet. These assessments involve non-technical reconnaissance, such as researching lists of employees and office locations, as well as technical research, such as learning what types of computers they use and what systems they have connected to the internet. This underscores vulnerabilities hotels face across their operations, as attackers exploit both people (non-technical) and systems (technical). 

So where should you focus your security resources first? Here are the three areas that are commonly targeted by attackers: 

• Point-of-sale (POS). Since the POS systems handle payment information, they’re a lucrative target for cybercriminals.  As we’ve seen with a few of the major breaches over the past decade, gaining access to a hotel’s POS system allows cybercriminals to lay dormant and capture a steady stream of payment data.
• Wireless (Wi-Fi) networks. Another vulnerable area is property Wi-Fi. Since it’s publicly discoverable, attackers can sit in the lobby (or book a room) and leisurely probe for weaknesses. If hotel Wi-Fi networks are not secured properly, attackers could create a bridge from the property/hotel’s public network to their private office network/back-end. Even worse, they could then burrow even deeper to find useful information and/or valuable data on the property’s internal network and systems.
• Hotel staff. The third most vulnerable point in a hotel operation is its staff.  Whether it’s the front desk clerk, a reservations agent, or a back-office accountant, attackers see staff as opportunities to gain private information and access through deceptive techniques.

 Key hotel security terms defined

Attackers and cybercriminals use a variety of methods to gain access to a company’s systems. Here are a few of the tools and techniques they use to penetrate hotel security and gather useful information.

• Social engineering encompasses any attempt at using the trusting nature of humans to gain unauthorized access to information or systems. Examples include: 
  • Calling the front desk pretending to be a colleague, and attempting to gain a missing piece of information that can be combined with other data to penetrate a hotel’s systems
  • An attacker following a hotel staff member through a locked door and gaining unauthorized access to non-public areas of the hotel. 
• Phishing is a form of social engineering, where someone creates an official-looking email or document that entices an employee to click a link or download an attachment that contains malware. 
• Spear phishing is a much more targeted version of phishing that focuses on a few high-value targets, such as individuals who have access to sensitive information. Attackers will research companies and single out individuals as the subject of targeted phishing attempts.
• Malware is malicious software that infects a computer and allows attackers to remotely access systems, steal data, or even lock computers and data and hold them for ransom.
• Brute force is when a cybercriminal sets up a program to try every possible permutation of password, eventually “forcing” their way in. Often, weak passwords provide front-door access to attackers. 
• Credential stuffing is an automated process where an attacker takes a username and password found from a previous breach and re-uses it against another system. 

Best practices for hotel security 

Hotel security management is less about finding an absolute solution and more about taking a series of small steps that combine to form a shield and layers of protection to prevent potential attacks. In the security world, we call this technique defense in depth. 

Here are a few of my recommendations for hotel security best practices. Keep in mind that every hotel and situation is different, and if you have any questions about your specific situation, you should consult with proper security professionals, attorneys/lawyers, consultants, etc.  

Effective security is proactive, not reactive; with these best practices in place, you’ll be better positioned to prevent intrusions in the first place!

#1: HOTEL SECURITY TRAINING

In the hospitality world, we’re always trying to meet – and even exceed – our guest’s expectations, right?  Well, sometimes that spirit of helpfulness was exactly what I needed when performing social engineering assessments and/or phishing tests. When given a believable story, a helpful employee might have been willing to give me access to a computer, give me sensitive information or even the main computer/server room! That said, human nature is the hardest thing to “secure.”

I recommend that you incorporate security awareness training as part of your onboarding, as well as ongoing training. This will help make staff more aware of security-related concepts and issues, and less susceptible to social engineering and phishing attempts, whether in person, via phone, or through email.  

• Do this: Follow the 3Cs of effective hotel security training for staff: Clear, consistent, constant. The training must be easy to understand, it must be consistent and it must be repeated regularly until it becomes second nature. It only takes one intrusion to deliver a major blow to a hotel’s reputation, so clear, consistent and constant training keeps security top-of-mind with staff. 
• Also this: Teach staff to identify suspicious behavior and prevent unauthorized persons from gaining access to any physical infrastructure (computers, servers) on property. A “see something, say something” policy, coupled with a standard operating procedure to report any suspicious activity, can be a major protection against attackers. When in doubt, ask!

#2: SECURE YOUR ON-PROPERTY NETWORKS

One of the most frequent vulnerabilities for hotels is within the public Wi-Fi network. That’s because the public network is all-too-often thinly separated from critical back-office systems.  All an attacker has to do is book a room and use your network to probe for vulnerabilities, steal data and spy on guests. 

If a hotel does not have the in-house expertise to implement the practices below, then they should consider partnering with an IT consulting and/or management firm that does. 

• Do this: Newer Wi-Fi technologies and solutions have tools built in to help prevent malicious activity. These technologies, called Intrusion Prevention Systems (IPS), identify potentially malicious activities and automatically block them, all without human intervention. 
• Also this: Make sure you separate wireless networks used by guests from those for internal use, such as by staff and/or property computer systems. This can be done either physically (by having two completely separate sets of hardware) or through the use of virtual networks (VLANs). VLANs allow you to use the same hardware but build in another layer of security between your Wi-Fi network and your property’s computers.  

Additionally, any networks used by guests (wired or wireless) should keep guest devices isolated both from each other and any computer systems and networks used by staff. This prevents one guest computer from even being able to contact another, and thus prevents the spread of malware or other malicious activity. This also prevents guests from being able to listen in/snoop on any staff-related traffic. 

#3: BE SMART ABOUT YOUR PASSWORDS

This one is simple-yet-powerful: choose your passwords wisely and strategically.

First, password security standards set forth by the National Institute of Standard and Technology (NIST) are ever-changing. In recent years, NIST has taken a stance to suggest using longer, more complex passwords, but not requiring passwords to change as often (or even at all). 

That said, choosing a password that’s hard for an unauthorized party to guess and easy for you to remember is the suggestion here. This practice will help prevent your hotel staff from writing passwords down and leaving them places where someone (like me in my consulting past) could find and use them to gain unauthorized access! 

Secondly, require unique passwords for each login. If you use the same password for your email account as you do other systems (such as your Property Management System), an attacker could phish/steal your email username and password, and then try the same credentials on your PMS! 

• Do this: Invest in a digital password manager so that staff can store passwords securely in an encrypted digital vault instead of writing them down on paper. 
• Extra credit: Password managers allow you to generate long, strong, random passwords and securely store them by use of a master password and multi-factor authentication. When logging into sites/services, the password manager can then automatically fill in your usernames/passwords for you. 

As part of your hotel security awareness training, teach your staff about password managers, generating random passwords, and securing them via master password and Multi-Factor Authentication. 

Third, enable Multi-Factor Authentication (MFA) wherever possible: on every site, every system, everywhere! MFA, also known as Two-Factor Authentication (2FA) is an added layer of security that only grants a user access to a system after successfully presenting another authentication mechanism along with a password, such as: 

• Something you know (password, PIN number, etc.)
• Something you have (USB security key, push notification to phone/device, code generated via Authenticator app, etc.)
• Something you are (biometrics such as fingerprint, Face ID, etc.)

Even if a username and password becomes compromised (by way of phishing, brute force, credential stuffing, etc.), Multi-Factor Authentication protects against unauthorized access to that account by requiring another piece of information, action, data, etc. in order to proceed with login.

#4: UPDATE TECHNOLOGY AT A REASONABLE INTERVAL

It can get very expensive to upgrade a property’s technology, but cybercriminals love outdated technology! Whether it’s the computers in the back office or your property’s digital locks, older hardware running outdated software become easy targets. 

• Do this:  Whenever you procure new technology, set a “shelf life” so that you can budget for replacements over time. That way you set expectations and can factor your replacement schedule into your longer-term budgeting. 
• Also this: Keep all computers up to date using the latest security patches provided by both the operating system vendor (Microsoft, Apple, etc.), as well as any software they might have installed.

#5: VET TECH PARTNERS AND VENDORS CAREFULLY

It’s essential that you know who you’re doing business with. When it comes to hotel security, you’re only as strong as our weakest link. A poor or weak system opens your property up to all kinds of vulnerabilities. 

Hotels should ensure they do their research on the smart technology vendors and/or companies they are looking to buy from. It’s always good to have conversations and ask questions about security before you implement something new, rather than having a guest ask “How does your digital key vendor secure my personal data?” and you as the hotelier have no answer for this.  

• Do this: Question your tech vendors and partners until you’re satisfied with their answers. I suggest asking the following questions, at a minimum:

1. 1. How are you protecting the data of our guests? 
   2. How are you protecting my hotel/property data? 
   3. Do you sell or monetize any of the data or information we share with you?
   4. What security and/or privacy regulations does your company adhere to? 
   5. In the event of a data breach of any information we entrust to you (guest, hotel/property, etc.), how and when would you report this to us? 
   6. If we stop using your services, what is your data retention policy? When is data deleted? 

#6: ISOLATE SENSITIVE INFORMATION

When fighting an adversary, it’s helpful to understand their motivations. For cybercriminals, it’s pretty much all financial: Verizon’s 2019 Data Breach Investigation Report found that 100% of breaches in the accommodation industry were financially motivated!  

Hotels and hospitality management companies should ensure they secure all computer systems and applications used for accessing financial information. This especially includes locations where properties might be holding and accepting financial information, such as at the front desk or in their Property Management System.    

•  Do this: For any sensitive systems, such as those that include financial information and/or guest data, use multi-factor authentication wherever possible.
• Also this: Protect sensitive data from prying eyes. Face any computer, tablet or laptop away from public areas. Additionally, consider installing a computer privacy screen to help prevent someone from being able to see sensitive guest data/information.

What to do in the event of a breach

I’m not an attorney – and I definitely don’t even play one on TV! So, if you suspect a data breach, you should consult with both a data security expert and someone who has legal expertise in this area. That way you can ensure you comply with all applicable data protection laws, regulations, and industry standards while also working diligently to close any gaps exploited by attackers.

That said, I have always firmly believed that honesty is the best policy. Put yourself in the guests’ shoes: would you rather stay with a brand that’s proactive and notifies you of a (potential) breach? Or would you rather find out by someone misusing your personal information (such as opening a bank account in your name, making unauthorized charges on your credit card, etc.) It’s a no-brainer – protect your reputation and get in front of any breaches. 

Unfortunately, in today’s digital economy, it’s no longer a question of if but when your company will face some sort of security breach. And a successful attempt can not only cost you money in consulting fees and lost revenue, but the public relations hit to your reputation can also be catastrophic. 

Properties of all sizes and across all categories must be prepared for threats coming from multiple directions and sources, including guests, staff or public citizens. To protect your hotel from unwanted intrusions, take time today to prevent future disasters. A little preparation goes a long way in preventing security attacks and keeping your hotel’s systems (and your guest data!) safe and secure.