
What the Hyatt Hotel Hack Means for You: 3 Hotel Security Tips for Small Hotels in 2016

Published in Hotel Management

Winter is no longer coming. It’s here.


Financial companies and retailers have long been the victims of data breaches and hacking horrors, but now, with Hyatt’s hack revealed in late December, hotels are starting to command the data breach spotlight.

And it’s only the beginning.

Because while hotels appear to be outliers in the growing slew of hacking victims, you know the valuable information your hotel handles: your guests’ data, including their payment cards and verification codes. That makes it a juicy target for hackers and identity thieves. For the Hyatt, this means more than 627 properties in 52 countries are vulnerable. With this much at risk, hospitality alone isn’t going to cut it. If your hotel isn’t secure, all the wondrous service in the world won’t matter.

But not everyone is a big, corporate hotel chain. And not everyone has a multitude of tech teams and support services to patch faulty systems or install the latest cyber defense programs.

So if you’re a smaller hotel, what can you do to combat growing security threats and keep your customers and their data safe in the new year?

Below, I’ve compiled three steps you can take to get your small hotel on par with the big security teams of major hotel chains, and get you on board with security in the new year.

Align Security with Your Business Goals

Your concept of security should extend beyond electronic safes or video cameras. Physical security is important, but now cybersecurity is, too. So you need to adapt. It’s 2016 after all.

Your definition now needs to include secure keycards, Wi-Fi, and payment processors to keep your guests’ valuables, including their information, secure.

So what does this mean for the world of hospitality?

It means your priority shouldn’t just be spectacular service, but spectacular security.

Ted Schlein puts it this way when explaining the role of a chief information security officer (CISO): “If a company’s task is ‘selling shoes online,’ its…task is now ‘selling shoes online securely.’”

Similarly, your hotel should evolve with the concerns of your guests. It’s no longer enough to guarantee 5 a.m. wake-up calls or a complimentary breakfast. You need to ensure your guests are in good hands, not just because of your excellent service, but because of your excellent security.

“Fraud is increasingly shifting toward the online space,” Rurik Bradbury tells Skift. “It is getting harder and harder to commit fraud in person because cards are getting chips in them….and it is getting very hard to forge a counterfeit card with a chip. What that means is it is more attractive to do fraud on the Internet.”

So apply practical measures.

For example, in the fragile world of secure Wi-Fi, it’s easy for guests to trust a network named “Hotel Guest Network,” even if it’s actually not your official network. To combat this, direct them to your actual, secure Wi-Fi network, whether it’s with an information sheet by the television or a card by the nightstand. Make sure they don’t log on to a malicious network where their passwords and data can be intercepted. It’s your responsibility to safeguard your guests’ online information during their stay.

This also includes the growing problem of room break-ins through corrupted keycards, so be willing to shell out extra cash to patch up vulnerabilities if you continue to use them. However, the use of keycards is becoming outdated, with many hotels now opting to replace keycards with biometrics or smartphone technology.

Shake Up Your Managerial Structure

Many companies appoint a CSO or CISO only after bad publicity from a breach. Target most notably did so after payment information of more than 70 million customers was compromised in late 2013. This hiring functioned not only as a step to improve their security, but also as an act to restore consumer confidence.

Now, if you have some extra wiggle room in your budget, you can invest in a position specifically tasked with cybersecurity. That’s way cheaper than the consequences of a breach, which average around $7 million in the industry, with $4 million of that resulting from reputation fallout and lost sales.

Yet, the installation of a security manager doesn’t always guarantee safety. Aside from the fact that a data breach is inevitable these days, you also have to make sure that your security head is included in important meetings and decisions to ensure that security remains a key priority. Even in enterprise businesses, CSOs/CISOs struggle to remain in the loop with their C-suite peers, which is a top reason why many companies still suffer from preventable breaches.

This means that even if you do hire a security director, you need to be communicating with them directly and often. They can keep you up-to-date on the latest security threats and remind you to consider a security perspective on any new initiatives.

Still, you may be under some tight budget constraints. I understand. So if you’re struggling with the concept of a new hire, you can always invest in computer security software or network security software to curb the possibility of a breach. Tools like Clock PMS, a hospitality property management solution, also offer secure online payment and invoicing for those concerned about following in the Hyatt’s footsteps.  

Any defense is better than no defense.

Change Your Damage Control Strategy

When the Hyatt was hacked, they sent out a general statement meant to affirm their security to their guests. They also said that past guests should check their bank statements and can call a toll-free number, placing the responsibility of the breach on the shoulders of the people they’re supposed to serve.

Doesn’t sound very hospitable to me.

So let’s take a look at some logic:

You’re a hospitality powerhouse. Your hotel is renowned for your personalized service, including standout features like five-star room service and a personal dog walker to take your pooches out for a stroll while your guests go snorkeling. You’re the kind of hotel that tourists dream of.

So why would you put the responsibility of your problem on the backs of your guests?

Most of us have been in these situations before. So when I receive a statement like this, I roll my eyes. Gee, thanks for all the help.  

Now, I know that it’s my personal responsibility to notice any unusual charges to my debit or credit card, but how does that really reaffirm your reputation of security? You were supposed to safeguard my information, so why do I have to be vigilant when your hotel wasn’t?

Let’s go back to Target again.

In the wave of negative publicity after the breach’s reveal, Target responded much the same, but also invited customers to call a toll-free number, where they could speak to a customer service representative and check on the status of their Target cards. Too bad the retail giant didn’t anticipate the flood of calls from its millions of customers, resulting in a slew of complaints on their Facebook pages.

The banks, on the other hand, fared better, likely due to the extra mile they went to reaffirm their security. Target may have “opened an investigation,” but the banks walked the walk by issuing more than 15 million replacement cards to prevent identity theft, both to customers who requested a new one and proactively to those they saw as potentially at risk.

Now that’s customer service.

So what does this mean for your hotel?

You need to implement the same above-and-beyond approach. Go beyond a public statement on your site. Really do something about it. (Because we’re all going to get breached. It’s only a matter of time.)

So whether it’s sending personalized notes of apology, providing a free stay to guests, or informing them of new security measures you’re taking, really apologize and keep your guests in the loop. Be proactive. Bad publicity can be turned if you take an active approach instead of simply sitting back and taking the heat.

Experian, for example, offered two years of the company’s credit monitoring and identity resolution services after a data breach in 2015.

However, don’t forget to remind your customers to check their accounts for any signs of fraud. They know their accounts better than anyone. But while it is the responsibility of the cardholder to report unauthorized charges, going the extra mile can mean big points for your hotel’s reputation.


What other wake-up calls do you see the Hyatt hack providing for the hotel industry? Think there are better ways to combat the rise of hotel hacking? Let me know in the comments below.

Header by Rachel Wille
