26th November 2018
Our GRC Practice Director, Alex Hollis, was recently approached by Click. to provide commentary for a headline article, “Protecting your business against data breaches”, which you can read below:
“With 74% of hotels lacking proper data protection measures, Click. looks at simple steps hoteliers can take to protect their guests – and themselves.
Data thieves are increasingly targeting hotels, thanks to the sheer volume of personal information collected from guests. When a reservation is made, a hotel will take information including names, phone numbers, addresses, card details, and even IP address information when a guest books online. Once a guest checks in, additional data may be collected, such as CCTV footage and personal information including medical conditions.
And yet, despite having so much sensitive information at their fingertips, the majority of hoteliers aren’t dealing with it correctly. Hospitality Technology’s 2017 Lodging Technology Study revealed that 74% of hotels don’t have proper data protection measures in place. The recent GDPR changes mean that hotels in the EU have to be even more careful with information they handle. Data breaches can cost hotels not only financially, with huge fines levied, but also reputation-wise, which can take years to redress.
Thankfully, there are a number of practical steps that hotels can take to protect themselves and their guests. Alex Hollis, GRC Practice Director at SureCloud, is a security expert who has worked with a number of top global hotel chains on data privacy and risk. He advises hoteliers to first list the information they are collecting about their guests, in order to better understand that information and where it is stored.
“Hotels need to think about the information they’ve got, and decide whether it’s really necessary to have that many pools of data, or whether they can reduce the amount,” Hollis says. “Reduce the number of systems where data is duplicated, such as paper copies printed at guest registration. If paper is necessary, consider shredding it afterward. Treat personal data with more respect for its value, more like money, reduce the places that you’re storing it and then protect those places.”
The key, Hollis suggests, is ensuring that the places where information is stored are secure, with encryption and good IT security-based practices. Since there is no audit trail of paper, he suggests moving away from manual storage to electronic format, particularly in larger hotels. Systems should have the right software development lifecycle to make sure they’ve been built securely. Hollis says: “Get a reputable guest registration system, and ask the third party who built the software questions like: how are we protecting our customers’ data? Is it encrypted? How do we prevent unauthorized access to that data?”
Paul Leybourne, data security expert and Head of Sales at Vodat International, agrees that data should be stored in a secure cloud environment, and recommends a double authentic sign-in. “Instead of using single passwords, use multiple passwords or different devices to sign in. Choose a password that is complex, with a mix of alphanumerics and symbols, and change it every month.”
Hoteliers have a responsibility to keep their staff updated with training, Leybourne suggests. “Training manuals should be standard, but it has to be an ongoing process – cybercriminals are becoming extremely clever and the tactics that they use are changing on a regular basis as we become familiar with them. Hotels need to respond to these changes and keep their security systems updated to keep their guests safe,” he says.
For Hollis, limiting access among staff and not sharing passwords is an easy way hoteliers can retain control of guest data. He says: “Each employee with a legitimate reason to access should have separate credentials, and when they leave the organization those credentials should be shut down to ensure there’s no malice done on exit.” And although there is no specific direction on retention periods for information under GDPR, he recommends removing any guest data not relating to current or future bookings after 12 months. “Guest information for marketing purposes can be retained beyond this, provided there is clearly established consent which should be confirmed every 12 months,” he adds.
So what should you do if you discover you’ve been hacked and have lost guest data? The first step is to declare it to your local supervisory authority within 72 hours of discovery. Then, isolate the problem to ensure you’re not still under attack, by preventing people from accessing your system. If you’re going to collect evidence, create CD or USB copies and lock them away, so you know the chain of custody. Once secure, you can start to restore service.
For Hollis, gone are the days when it was just the banks falling foul to data breaches. “Unlike banking where the internet has had a massive effect, guest registration in hotels is pretty much the same as it’s always been. This sameness has created some apathy,” he says. But times are changing and hoteliers need to wake up to this.”