24 Mar 2017

Who takes responsibility for cyber security in a hotel?

While hotels have a strong handle on the physical security of their guests, are they as dedicated to protecting these guests’ data?

According to the Trustwave 2016 Global Security Report, the hospitality industry accounted for the second-largest share of data compromises of any industry last year.

NB: This is an analysis by Geoff Milton, a security strategist at ShieldQ.

Unfortunately, this industry is a popular target for attack, because of the type of data it holds – credit card data, frequently used throughout the hotel either at check-in, in bars, restaurants, or shops – as well as relatively poor cyber security.

Many of these vulnerabilities stem from a gap in responsibility for cyber security within hotel franchises.

Franchisees are not security experts, yet they do carry huge responsibility for protecting the hotels’ wider brand reputation.

Protecting the franchisor

The majority of hotel franchise agreements state that the specific hotel – and its owners – will be responsible for defending the franchisor.

However, too many hotel owners currently rely heavily on central reservation systems and therefore have little, if any, involvement in how data is collected or stored. That makes it difficult to implement an effective cyber security policy.

Hotel franchisees should see themselves as leaders in the battle against cyber-crime.

Meanwhile, it is vital that franchisors and their corporate security teams communicate franchisees’ contractual duties; after all, if they don’t know their responsibilities, how can they be effective in cyber security efforts?

Adding to the difficulty, most franchisees operate multiple properties, each with its own brand and contract, which makes it even more important that cyber security policies are implemented and upheld consistently.

Protecting the brand

Over the last year, there have been multiple data breaches in some of the biggest hotel chains, with 55% of data compromises resulting from a corporate/internal network breach.

When breaches like this happen, it’s the hotel brand that takes the hit, even if the breach occurs at one specific franchisee. Franchisees must work to protect the commercial interests of both themselves and their franchisors.

Be prepared for GDPR

Here in Europe, for example, the looming EU General Data Protection Regulation (GDPR) adds urgency to clearing up who is responsible for cyber security.

If the lines are still blurred come May 2018 – when GDPR is implemented – hotels may not be compliant and will face strict penalties.

The question of who will be paying these penalties is also difficult to answer.

That’s why here, too, it’s essential that all stakeholders in a franchise – namely the franchisees, franchisors, as well as their employees and vendors – be well informed about GDPR’s requirements, so that they can ensure compliance.

What’s the bottom line?

Last year’s Ponemon study found the average total cost of a data breach is $4 million.

The study also reported that the cost for each lost or stolen record containing sensitive and confidential information increased from an average of $154 to $158.

These numbers are sobering.

And, while there’s no definitive answer to who owns cyber security in a hotel franchise, hotel owners or franchisees can take measures, such as investing in cyber insurance and maintaining updated systems, to prevent a cyber attack.

Franchisors, take note: you should have a firm understanding of how your franchisees address cyber security concerns.

It is you who may need to ensure all policies are upheld, so it pays to provide incentives that make it worth franchisees’ while to comply.