LAKE FOREST, IL—Hotel data breaches are commonplace. As hotel companies increasingly become targeted, a focus on proper data security measures is vital. Hoteliers need to be asking an important question: How can we best protect hotel guests?
“The past few years have brought several data breaches with them, signaling that it’s time for hospitality organizations to take action to implement data security best practices and reevaluate the practices already in place,” said Mike Borromeo, VP of data protection at Stericycle, the provider of Shred-it information security solutions.
Fraud doesn’t only happen online, and it’s important to also consider the physical data risks within hospitality companies.
“From instituting more comprehensive employee training for everyone in a hotel—management to maintenance staff—to instituting clear and strict policies around disposing of sensitive physical documents and end-of-life devices, it’s a critical time for all hospitality companies to take a step back and look at how they’re protecting their data at every level,” said Borromeo.
So, why are hotel companies experiencing data security issues? According to Borromeo, the hospitality industry is particularly susceptible to data breaches given the sensitive information typically stored both online and in physical form at hotels.
“Personal guest information such as credit card data, addresses, passport and driver’s license copies are a gold mine for hackers and, therefore, make hospitality companies, specifically hotel brands, a prime target,” he said. “However, there is a disconnect about the critical nature of data security in the hospitality industry. In fact, according to our research, more than one-third (36%) of hospitality organizations don’t consider data breaches a big deal, and think they are blown out of proportion.”
Borromeo warned that the mindset that many companies overreact to data breaches can create a weak point for some hospitality companies.
“When there’s little concern for the repercussions associated with data breaches, it may lead to lack of action in protecting guest information,” he said. “This often also means that data protection policies such as how to store and dispose of sensitive information or how to recognize a phishing scam are not in place, and that employees are not properly trained on information security best practices, potentially leading to a breach. Proper employee training can also help prevent inadvertent errors, such as an employee accidentally clicking a fraudulent email link or leaving sensitive documents out in the open to potentially fall into the wrong hands.”
Shred-it works with hotel brands and hospitality companies to alleviate physical security risks through destruction of confidential and sensitive paper documents, digital hardware and end-of-life devices.
“We provide hotels services such as document, hard-drive and media (for example, hotel access cards and USB keys) destruction and specialty shredding,” he said. “Additionally, Shred-it provides policy templates to help hospitality companies implement document storage and disposal procedures that comply with legislation. For example, our Clean Desk policy ensures that all employees’ desks are clean and free from paper and clutter. This means filing away or shredding sensitive documents to protect from unauthorized access internally and from outsiders.”
Borromeo offered the following ways to shore up weaknesses in the security of customer data:
Implement Basic Storage & Disposal Processes
Nearly one in five (19%) hospitality companies don’t have a policy for storing and disposing of confidential paper documents, and nearly one-third (31%) don’t have a policy for storing and disposing of confidential information on end-of-life electronic devices. On the most basic level, implementing these critical security measures is essential for hospitality companies to mitigate the risk of a potential data security issue and protect customer data—keeping in mind critical data comes in digital and physical form.
Employee Training
One in four (27%) hospitality businesses train their staff only once a year on the organization’s information-security procedures or policies, and another 14% of hospitality companies never train their employees or don’t have a policy in place for training. Creating advanced training programs to help employees understand the policies and procedures in place is important in protecting guest data. In fact, nearly half (47%) of C-suite employees say human error or accidental loss by an employee/insider was the cause of their last data breach. This is a pattern that could be easily mitigated with the right training. It starts by implementing training at every level and ensuring that the training is repeated on a regular basis, encompassing all areas of security.
Customers are aware of the data security risks in the hospitality industry and are taking these risks into consideration when booking a stay.
“Seventy-seven percent of Americans say data protection is important to them when deciding which hotel to book. Additionally, 23% of consumers would stop doing business with a company if they suffered a data breach,” he said. “These stats prove why hotels must take a proactive approach to information security to build trust and retain customers.”