By Dennis Nessler | July 28, 2021
The lockdowns and shutdown of global travel was a ‘black swan,’ and even as we embark on a steadfast recovery in the latter half of 2021, we’re all still thinking to ourselves, “What’s the next big one that will crash our industry?” While we are admittedly not smart enough to speculate with any degree of certainty, we nevertheless propose that a massive hack or malware incursion is one of the biggest threats on the horizon for hotels.
Let’s backtrack. As hoteliers, we are trained in service. The pandemic, though, has caused every hotel’s tech stack to expand in order to meet the need for contactless guest service. This means that understanding technology is now a base requirement for any role in the organization. But cybersecurity is complicated, especially when every new point of technology added to the stack can act as a potential vulnerability for attacks.
This is a clear-cut matter of risk management in that a breach can besmirch a hotel brand’s reputation for many years to come. And just as a rising tide can raise all ships, a serious breach or other incident at a major chain or other travel seller can erode trust throughout the entire industry.
Or on a simpler and more micro-level, just imagine the damage if it was discovered (and made public) that, when using an electronic document platform for handling credit card payments, staff members at your property were able to see a guest’s full credit card details while transferring them into the PMS. Furthermore, someone on your team was then illegally using that information.
As an analogous example to help demonstrate why data security is critical for operating in 2021, suppose that your hotel is confirmed as the site of a superspreader event for COVID-19. Regardless of the legal ramifications, your name would all but forever be associated with this deadly virus, which would subtly or explicitly deter future guests from choosing you. When you look at some of the earliest outbreaks which occurred on cruise ships in Spring 2020, some of the parent corporations are still reeling from this negative media coverage. Much like protecting your guests or staff from exposure to COVID, so too must you do the same regarding data security.
But that’s what the IT director is here for, right? Yes and no. Your technology team is there to identify needs, maintain system integrities and remedy problems as they occur, but if the executive committee doesn’t have a firm grasp on some of the processes that enable these technologies to exist then there won’t be a viable strategic vision to guide these specialists. Cybersecurity, even down to the minutia of ensuring your own team never sees a full credit card, must be ingrained into upper management’s plans.
Because when it comes to breaches don’t say it won’t happen. It’s not an ‘if’ but a ‘when.’ There are already hacker cells soliciting their skills as ‘malware as a service.’ Indeed, there have already been a few successful cyberattacks that have resulted in major damages for leading hotel chains. Now, though, with our post-pandemic dependence on mobile apps and IoT-enabled devices for practically every significant point of interaction in the guest experience, the risk of a breach only becomes amplified as we continue to add to our tech stacks.
The end goal of a breach for a hacker, phisher or fraudster is money. They are looking for ways to cheat a property or individual from their possessions, or to impersonate someone as a means of unlawfully confiscating goods or cash. Certainly, the latest version of your PMS has layers of security to protect your guests’ identities housed within their data stores, but it still doesn’t hurt to reach out to them so that they can audit your systems and offer advice on mitigating any vulnerabilities.
Even better would be to hire an external consultant specializing in data security to perform a comprehensive audit of your entire tech stack. You never know what they may uncover. Particularly with so many new platforms and devices set up hastily during the early stages of COVID, perhaps there were some weaknesses that weren’t adequately addressed given the intense pressure we were all under to react on the spot.
Instead of a massive and systemic breach, however, the more common possibility comes from people falsifying credit card information. Although these may take place on a much smaller scale then, say, a man-in-a-middle attack where the hacker imitates a WiFi login portal then gains access and scrapes an entire guest database, they are still a nuisance to manage.
Foremost is mitigating the reputational damage. People who have had fraudulent charges put on their cards won’t exactly have the best impression of your hotel, regardless of your property’s culpability. Hence, you need systems and protocols in place to prevent fraud from occurring as well as deal with any fallout that may crop up on third-party review sites.
Next is chargebacks, which are becoming all but unavoidable for what’s called ‘card not present’ transactions. For reference, these are in contrast to ‘Chip and PIN’ or ‘Chip and Signature’ transactions where there is some form of in-the-moment two factor authentication (2FA) to confirm that the person using the credit card is who they say they are. The problem with the chip-and-PIN or chip-and-signature methods is that they require some form of direct contact between the customer and an employee. At present, this isn’t contactless and comes with the risk of COVID spread. Hence, lodging merchant terminals (that’s us) are increasingly resorting to card-not-present payments where fraud and chargeback disputes are both significantly higher in likelihood.
Coming out of the last economic crisis just over a decade ago, there was a big push for all senior executives to learn the basics of revenue management, so much so that nowadays RM, yield management and dynamic pricing are everyday aspects of the life of a hotelier. Today, the same knowledge adoption has just happened for all matters related to viral safety through the understanding of such terms as disinfection, sanitization, social distancing, electrostatic sprayers, PPE, cleanliness theater, occupancy buffers and fomite transmission.
The next normal of this year and into 2022 will necessitate the same degree of comprehension for cybersecurity in order to protect guests, staff and the hotel organization from damages and to effectively guide any new technology deployments. Take some time to mandate some instruction in this field so that every associate or manager knows what’s at stake.