Protecting Your Business Against Data Breaches

Written by Alex Hollis

Published on 20 Nov 2018

Our GRC Practice Director, Alex Hollis, was recently approached by Click. to provide commentary for the headline article, “Protecting your business against data breaches”.


With 74% of hotels lacking proper data protection measures, Click. looks at simple steps hoteliers can take to protect their guests – and themselves.


Data thieves are increasingly targeting hotels, thanks to the sheer volume of personal information collected from guests. When a reservation is made, a hotel will take information including names, phone numbers, addresses, card details, and even IP address information when a guest books online. Once a guest checks in, additional data may be collected, such as CCTV footage and personal information including medical conditions.


And yet, despite having so much sensitive information at their fingertips, the majority of hoteliers aren’t dealing with it correctly. Hospitality Technology’s 2017 Lodging Technology Study revealed that 74% of hotels don’t have proper data protection measures in place. The recent GDPR changes mean that hotels in the EU have to be even more careful with information they handle. Data breaches can cost hotels not only financially, with huge fines levied, but also reputation-wise, which can take years to redress.


Data privacy in practice

Thankfully, there are a number of practical steps that hotels can take to protect themselves and their guests. Alex Hollis, GRC Practice Director at SureCloud, is a security expert who has worked with a number of top global hotel chains on data privacy and risk. He advises hoteliers to first list the information they are collecting about their guests, in order to better understand that information and where it is stored.


Hotels need to think about the information they’ve got, and decide whether it’s really necessary to have that many pools of data, or whether they can reduce the amount. 


Reduce the number of systems where data is duplicated, such as paper copies printed at guest registration. If paper is necessary, consider shredding it afterward. Treat personal data with more respect for its value, more like money, reduce the places that you’re storing it and then protect those places.


The key, Hollis suggests, is ensuring that the places where information is stored are secure, with encryption and good IT security-based practices. Since there is no audit trail of paper, he suggests moving away from manual storage to electronic format, particularly in larger hotels. Systems should have the right software development lifecycle to make sure they’ve been built securely.


Get a reputable guest registration system, and ask the third party who built the software questions like: how are we protecting our customers’ data? Is it encrypted? How do we prevent unauthorized access to that data?


Paul Leybourne, data security expert and Head of Sales at Vodat International, agrees that data should be stored in a secure cloud environment, and recommends a two-factor sign-in.


Instead of using single passwords, use multiple passwords or different devices to sign in. Choose a password that is complex, with a mix of alphanumerics and symbols, and change it every month.


Briefing the team

Hoteliers have a responsibility to keep their staff updated with training, Leybourne suggests.


Training manuals should be standard, but it has to be an ongoing process – cybercriminals are becoming extremely clever and the tactics that they use are changing on a regular basis as we become familiar with them. Hotels need to respond to these changes and keep their security systems updated to keep their guests safe.


For Hollis, limiting access among staff and not sharing passwords is an easy way hoteliers can retain control of guest data.


Each employee with a legitimate reason to access should have separate credentials, and when they leave the organization those credentials should be shut down to ensure there’s no malice done on exit.


And although there is no specific direction on retention periods for information under GDPR, he recommends removing any guest data not relating to current or future bookings after 12 months.


Guest information for marketing purposes can be retained beyond this, provided there is clearly established consent which should be confirmed every 12 months.
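The two retention rules above (booking data kept only while a current or future booking exists or for 12 months after the last stay; marketing data kept only with consent confirmed within the last 12 months) as an added example, not code from the article or from SureCloud; the guest records, dates and the 365-day window are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: "12 months" is treated as a 365-day window.
RETENTION = timedelta(days=365)


@dataclass
class GuestRecord:
    guest_id: str
    bookings: List[Tuple[date, date]] = field(default_factory=list)  # (check_in, check_out)
    marketing_consent_confirmed: Optional[date] = None  # last time consent was confirmed


def booking_action(rec: GuestRecord, today: date) -> str:
    """'keep' or 'delete' for registration/booking data under the 12-month rule."""
    if not rec.bookings:
        return "delete"  # nothing ties this data to a stay
    # Any current or future stay keeps the record regardless of age.
    if any(check_out >= today for _, check_out in rec.bookings):
        return "keep"
    last_stay = max(check_out for _, check_out in rec.bookings)
    return "keep" if today - last_stay <= RETENTION else "delete"


def marketing_action(rec: GuestRecord, today: date) -> str:
    """'keep' or 'delete' for marketing data; consent must be re-confirmed yearly."""
    if rec.marketing_consent_confirmed is None:
        return "delete"
    return "keep" if today - rec.marketing_consent_confirmed <= RETENTION else "delete"


def retention_review(records: List[GuestRecord], today: date) -> dict:
    """Map guest_id -> (booking action, marketing action) for a review run."""
    return {r.guest_id: (booking_action(r, today), marketing_action(r, today)) for r in records}


# Constructed sample records (not real guests) and a fixed review date.
TODAY = date(2019, 1, 15)
GUESTS = [
    GuestRecord("g1", [(date(2018, 3, 1), date(2018, 3, 4))], date(2018, 6, 1)),   # recent stay, recent consent
    GuestRecord("g2", [(date(2017, 11, 1), date(2017, 11, 3))], date(2017, 12, 1)),  # both older than 12 months
    GuestRecord("g3", [(date(2017, 6, 1), date(2017, 6, 3)),
                       (date(2019, 2, 10), date(2019, 2, 12))]),                   # future booking, no consent
    GuestRecord("g4", [], date(2018, 12, 1)),                                        # marketing-only contact
]

if __name__ == "__main__":
    for guest_id, actions in retention_review(GUESTS, TODAY).items():
        print(guest_id, actions)
```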


So what should you do if you discover you’ve been hacked and have lost guest data?


  • The first step is to declare it to your local supervisory authority within 72 hours of discovery.
  • Then, isolate the problem to ensure you’re not still under attack, by preventing people from accessing your system.


If you’re going to collect evidence, create CD or USB copies and lock them away, so you know the chain of custody. Once secure, you can start to restore service.


For Hollis, gone are the days when it was just the banks falling foul of data breaches.


Unlike banking where the internet has had a massive effect, guest registration in hotels is pretty much the same as it’s always been. This sameness has created some apathy, but times are changing and hoteliers need to wake up to this.