By Larry and Adam Mogelonsky

The pandemic is top of mind, but throughout its entirety there have been a number of daunting reports of major cybersecurity breaches and malware attacks infecting leading multinational corporations. So, while you must do your diligence to continue to protect guests from COVID-19, cybersecurity is perhaps the next most likely disaster to strike your hotel if you aren’t careful.

Notably, the pandemic led numerous properties to expand their tech stacks in order to meet the shifting travel demands and safety regulations. In turn, this increased the number of potential points of vulnerability in the system. All told, this is a clear-cut matter of risk management in that a breach can besmirch a hotel brand’s reputation for many years to come.

But that’s what the IT department is here for, right? Yes and no. Your technology team is there to identify needs, maintain system integrity and remedy problems as they occur, but if the executive committee doesn’t have a firm grasp on some of the processes that enable these technologies to exist, then there won’t be a viable strategic vision to guide these specialists. Cybersecurity, even down to the minutiae of ensuring your own team never sees a full credit card number, must be ingrained into upper management’s plans.

Because, when it comes to breaches, don’t say it won’t happen. It’s not an ‘if’ but a ‘when’. Beyond the more newsworthy, fast-acting malware, just think of all the unique IP addresses for every single node or repeater on premises and how a single vulnerability might be exploited to gain visibility on a wide range of sensitive data over a long period of time.

Indeed, there have already been a few successful cyberattacks that have resulted in major damages for leading hotel chains. Now, though, with our post-pandemic dependence on mobile apps and IoT-enabled devices for practically every significant point of interaction in the guest experience, the risk of a breach only becomes amplified as we continue to add to our tech stacks.

The end goal of a breach for a hacker, phisher or fraudster is money. They are looking for ways to cheat a property or individual out of their possessions, or to impersonate someone as a means of unlawfully obtaining goods or cash. Certainly, the latest version of your PMS has layers of security to protect the guest identities housed within its data stores, but it still doesn’t hurt to reach out to the vendor so that they can audit your systems and offer advice on mitigating any vulnerabilities.

Even better would be to hire an external consultant specializing in data security to perform a comprehensive audit of your entire tech stack. You never know what they may uncover. Particularly with so many new platforms and devices set up hastily during the early stages of Covid, perhaps there were some weaknesses that weren’t adequately addressed given the intense pressure we were all under to react on the spot.

Instead of a massive and systemic breach, however, the more common possibility comes from people falsifying credit card information. Although these may take place on a much smaller scale than, say, a man-in-the-middle attack where the hacker imitates a WiFi login portal, then gains access and scrapes an entire guest database, they are still a nuisance to manage.

Foremost is mitigating the reputational damage. People who have had fraudulent charges put on their cards won’t exactly have the best impression of your hotel, regardless of your property’s culpability. Hence, you need systems and protocols in place to prevent fraud from occurring as well as deal with any fallout that may crop up on third-party review sites.

Next are chargebacks, which are becoming all but unavoidable for what are called ‘card not present’ transactions. For reference, these are in contrast to ‘Chip and PIN’ or ‘Chip and Signature’ transactions where there is some form of in-the-moment two-factor authentication (2FA) to confirm that the person using the credit card is who they say they are. The problem with the chip-and-PIN or chip-and-signature methods is that they require some form of direct contact between the customer and an employee. At present, this isn’t contactless and comes with the risk of Covid spread. Hence, lodging merchant terminals (that’s us) are increasingly resorting to card-not-present payments where fraud and chargeback disputes are both significantly higher in likelihood.

Coming out of the last economic crisis just over a decade ago, there was a big push for all senior executives to learn the basics of revenue management, so much so that nowadays RM, yield management and dynamic pricing are everyday aspects of the life of a hotelier. Today the same knowledge adoption has just happened for all matters related to viral safety through the understanding of such terms as disinfection, sanitization, social distancing, electrostatic sprayers, PPE, cleanliness theater, occupancy buffers and fomite transmission.

The next normal of Q4 2021 (if you can even call it that with the delta variant potentially forcing us back into socially distancing circumstances) will necessitate the same degree of comprehension for cybersecurity in order to protect guests, staff and the hotel organization from damages and to effectively guide any new technology deployments. Take some time to mandate some instruction in this field so that every associate or manager knows what’s at stake.


This article may not be reproduced without the expressed permission of the author.
Editor’s note: To discuss business challenges or speaking engagements please contact Larry or Adam directly.