The hospitality industry is one of the most vulnerable sectors in the world when it comes to data protection. Collecting large amounts of sensitive data on a regular basis, it often lacks the cybersecurity frameworks that companies with large IT departments can implement. Due to their extensive databases and low levels of security, hospitality organizations often make an attractive target for cybercriminals and as a consequence some of the biggest names in the industry have been targeted and breached. In the last year alone, the likes of the Marriott hotel chain, Best Western’s Autoclerk reservations management system and the Choice Hotel franchise all suffered major breaches.
In the age of the GDPR though, when countries across the world are adopting new legislation that aims to protect individuals’ sensitive information and make companies liable in case of data breaches, hospitality companies must put cybersecurity at the top of their agenda or risk potential financial losses, fines and disastrous consequences for their reputation.
But what can the hospitality industry do to protect its sensitive data from breaches? Here are three tips:
1. Hire cybersecurity personnel
Many companies in the hospitality industry are conscious of the need for a solid cybersecurity strategy, but often choose to reach out to external experts rather than hire their own staff to develop and implement it. In this way, they feel like they can add security to their IT infrastructure at a lower price and don’t have to deal with the problem of additional on-site personnel.
But here’s the thing: the issue of cybersecurity is not solved through a one-off implementation. For a cybersecurity framework to be effective, it needs constant supervision and improvement, which cannot happen without staff whose responsibility it is to monitor it. Cyberattacks happen because of vulnerabilities, small issues that on-site cybersecurity experts can deal with as soon as they come to light. New threats can also be more easily handled and systems updated by proactive staff.
While perhaps they do not require the extensive IT departments of companies in other sectors, hospitality companies do need to acknowledge the need for cybersecurity personnel and hire a team that can keep their cybersecurity framework up to date and react in real-time to any security incidents that may arise.
2. Protect against insider threats
Whether through ignorance or malice, employees are often at the heart of data breaches. And while rigorous data protection training of personnel can reduce incidents of negligence, the high turnover rate of staff in many hospitality organizations can mean that training can be a costly affair.
Another way companies can protect against human error or insider threats is through strong data protection policies. These include limiting access to sensitive data to only those employees who need it to perform their job functions and restricting the use of personal mobile phones or portable storage devices in the workplace.
This can be easily done through Data Loss Prevention (DLP) tools that can manage different levels of access based on an individual’s department or group. They can also monitor and restrict the transfer of personal information, block devices from being connected to endpoints, and search for sensitive data across an entire network, taking remediation actions when it is found in places it shouldn’t be.
3. Look into compliance
Compliance with data protection regulations is no longer optional. Many of the new laws that have been adopted in the wake of the GDPR have put the burden of protecting individuals’ sensitive data on companies’ shoulders, with heavy penalties for noncompliance. The hospitality industry will be especially hard hit by these laws’ extraterritoriality clauses because it offers services across borders: bookings can be made from anywhere in the world.
To avoid penalties, hospitality companies must ensure that they have a high level of data protection in place. They must also be ready to deal with requests from individuals who may exercise their rights to data access, deletion, portability and more. Companies must therefore look into where their customers come from and what data protection laws are in place in their countries of origin and ensure they can protect their sensitive data accordingly.
While developing a global compliance strategy can seem like an overwhelming task, many data protection laws overlap as they are based on the same international data protection standards. Abiding by these standards should ensure that hospitality companies are protected from most potential data breaches and can thus stay clear of any penalties that would otherwise come their way.
The author is Channel Manager at CoSoSys, developer of endpoint-centric Data Loss Prevention (DLP) solutions and security software.