As digital technology rapidly evolves, particularly with the rise of artificial intelligence, cybersecurity has become a growing concern in the hospitality industry. Hannes Mulla, a seasoned IT expert and the founder of PRO IT and Hotelbuddy, has over 15 years of experience collaborating with more than 50 hotels across Estonia and Latvia.
Drawing on his extensive expertise and daily work with hotels, we invited Hannes to identify crucial areas that hotels need to focus on to protect their operations and customer data against cyber threats.
1. The Importance of Software Updates
Hannes begins with the basics: software updates. "In the hospitality sector, regular updates are crucial not only for operating systems but also for all applications handling sensitive information, like Property Management Systems (PMS) and reservation platforms. These updates patch security vulnerabilities, thwart potential data breaches, and ensure compliance with data protection regulations such as GDPR," he explains.
2. Network Security and Segmentation
Network security is crucial, and Hannes emphasizes the need for network segmentation to safeguard guest information and critical operational data. He advises, "Segmenting the hotel's network into secure zones can prevent a breach in one area from spreading across the entire infrastructure. Additionally, utilizing Virtual Private Networks (VPNs) for remote access ensures that connections are encrypted and protected from interception."
3. Device Management and Data Encryption
With a variety of devices in use within hotels, securing each device is critical. "Consider what would happen if someone unauthorized accessed a phone or computer. Use encrypted hard drives and activate screen locks to protect data privacy. It's vital to avoid storing sensitive information on local devices and instead use secure, centralized storage solutions to minimize theft risks," he states.
4. Advanced Threat Protection
Hannes emphasizes the critical need for a reliable antivirus program. "Choose secure and trusted antivirus software capable of performing real-time scanning and swiftly addressing detected threats. It's essential to invest in reputable software and avoid the temptation to download '100% Free and Easy Antivirus & VPN - Download Now' from the internet. If it seems too good to be true, it likely is," he cautions.
5. User Training and Access Control
"In my experience, staff often pose the highest risk factor," says Hannes. "Understanding that human error frequently leads to security breaches, I stress the importance of continuous cybersecurity training for hotel staff. Staff should be trained to recognize phishing attempts, manage strong passwords, and adhere to company data privacy policies. Implementing Multi-Factor Authentication (MFA) and ensuring that staff do not reuse passwords across different platforms are also key steps in safeguarding sensitive data."
"There has been a significant incident involving Booking.com: a seemingly innocuous email with an attached zip file, opened by a receptionist, led to the theft of all passwords saved in the browser bookmarks. The criminals then accessed the hotel’s Booking.com account, sending emails to guests requesting prepayments in the name of the hotel, while substituting their own bank details. To the guests, everything appeared legitimate, leading thousands to unknowingly 'prepay' for their stays. The financial repercussions for the affected hotels were severe, and the lost money was never recovered."
6. Data Backup and Recovery
Discussing data backup and recovery, Hannes recommends a stringent backup regimen. "Hotels must have a comprehensive backup strategy that includes regular schedules and stores backup copies both on-site and off-site. It's also crucial to regularly test the integrity and effectiveness of backups," he explains.
He cautions against assuming data is safe just because it's stored in the cloud, suggesting hotels demand clarity from PMS providers about data storage and retrieval processes. Hotels should critically assess claims that their "server is safe in the cloud." This does not automatically guarantee data security. While we've seen the impressive server rooms of major players like Amazon, Google, or Microsoft, the reality can be quite different in other cases.
The same caution applies to your IT personnel. Just because your hotel's IT guy has been with you for 20 years doesn't mean everything is under control. Conducting an external audit to verify the frequency, location, and methods of your backups can be one of the best investments you make. This ensures that all systems can be restored should anything compromise your PMS.
7. Planning for the Worst
Finally, Hannes stresses the importance of preparing for worst-case scenarios. "Disasters often result from multiple coinciding factors, such as a lack of regular backups, outdated software, and human error," he notes. We have assisted hotels that lost all their data in this manner and had to rely on Excel sheets for a month before a new Property Management System (PMS) could be established from scratch. All hotels need a detailed incident response and disaster recovery plan that includes steps for maintaining operational continuity and minimizing downtime.
By implementing these crucial cybersecurity practices, Hannes Mulla helps hotels build a resilient infrastructure to withstand and respond effectively to the complex cyber threats in today's high-tech landscape.
For those interested in a cybersecurity audit for their property, Hannes invites you to contact his team for a discovery call to get started on fortifying your defenses.