How hotel chains are tackling the cybersecurity challenge

Marriott International took quite a beating in the media and from regulators because of its data breach. It's a lesson that hoteliers need to be careful with cybersecurity.
28 February 2020

Hotels house banks of sensitive data on their guests. Source: Shutterstock

With customers getting increasingly tech-savvy and looking for better deals, smarter platforms, and intelligent options when traveling, the hospitality industry is struggling to protect margins.

As a result, the industry is undergoing a period of consolidation. For reputed hotel chains with cash in the bank, this is the perfect opportunity to fuel their growth by buying properties from hoteliers looking to check out of the industry.

This is exactly how Marriott International became the world’s largest hotel chain — it acquired Starwood Hotels & Resorts Worldwide for US$13.6 billion.

However, at the time, due diligence failed to discover that Starwood had fallen victim to a data breach prior to the deal, which exposed the customer data of 500 million guests and subjected the hotel to penalties from regulatory authorities.

“As we near the end of the cyber forensics and data analytics work, we will continue to work hard to address our customers’ concerns and meet the standard of excellence our customers deserve and expect from Marriott,” said Marriott’s President and CEO Arne Sorenson.

The incident, of course, hasn’t dampened spirits at Marriott. Last year, it announced the intention to acquire the Elegant Hotels Group in Barbados.

Given Marriott’s size and cash reserves, it was able to weather the hit it took in the stock market, compensate (loyal) customers, and cough up the fines levied on it. Others might not.

Of course, this incident — or the risk of cyberattacks and other cybersecurity threats — should not deter hotel chains from making the most of this consolidation period in the hospitality industry. They simply need to be more careful about cybersecurity.

Hallmark Hotels, for example, worked with Censornet to protect itself and its employees when it took part in the acquisition spree in the industry, to grow its footprint in the UK to 26 hotels — having started only in 2007.

“Following a series of acquisitions, I found myself with three completely separate IT infrastructures, with different email systems, and different applications,” said Hallmark Hotels Head of IT Julian Daniel.

“I was tasked with ensuring cohesion over the group’s systems and knew this had to apply to our security tools — to ensure we were universally protected across the group.”

Hallmark Hotels uses Microsoft Office 365 and wanted to bolster its email security. Email security is key for a chain of hotels because staff has to respond swiftly to emails from guests and vendors — and the need for speed might cause unintentional harm to the organization’s network, letting in hackers, malware, and other kinds of threat agents.

“The hotel industry is at risk of attacks, such as malware and ransomware, where criminals try to either steal data or exploit organizations for a pay-off. The majority of these threats come through over email, often in malicious links.”

The vendor that Daniel chose to work with adopted a multi-layered approach that analyzes more than 130 variables per email to identify and protect Hallmark Hotels from modern, sophisticated email threats such as impersonation attacks and targeted phishing, which are commonplace in the hospitality industry and are missed by less sophisticated email security software.

“While Microsoft has basic security functionality, we needed more sophisticated security tools to protect our employees […]”

According to Daniel, deploying email security is a good defense against cyberthreats in the hospitality space because it not only helps fend off attacks but also sensitizes staff to risks in cyberspace and provides them with basic awareness and education.

For those in the hospitality industry, looking to acquire properties or not, cybersecurity should be something to pay attention to — after all, the risks of not defending against cyberattacks could be catastrophic with regulators tightening the noose on those that fail.