Cyber Security for Hospitality


Have you considered shoring up the information security program for your hospitality business? The advent of broadband, near-constant electronic payments (18 hours per day), the maturation of mobile devices as digital assistants and Internet browsers, and the prevalence of Wi-Fi in public spaces all demand that hospitality operators expand their cyber security beyond PCI compliance and provide guests with a secure, branded Wi-Fi experience that can also accept PCI-compliant electronic payments. The vendor market is saturated with competitors; which services match the security needs of your business? Consider how five pillars of information security can guide you in buying the security layers that protect your operations: Governance; Risk Management & Compliance; Program Architecture and Implementation; Program Management; and plans for Incident Response, Disaster Recovery and Business Continuity (IR, DR and BC). RiSe Solutions can show you how to apply these five pillars to meet your specific security needs.

Hospitality Industry

(Hotel operations are profiled here to make a point.) Hotels store customer information from credit card transactions that attackers can resell. Industrial control systems for facilities can be compromised through technician or vendor accounts (as has happened to retailers); workers can be phished to plant malware on hospitality networks, giving attackers remote control of both reconnaissance and theft. Nominally secure hotel Wi-Fi can be compromised by attackers intent on stealing guest information. Hotels keep a rich database of personally identifiable and financial data on file (as do airlines and banks), and POS terminals are exploitable for their transaction data. All of the valuable information stored by hotel computer systems, the constant activity of POS systems, busy phone systems (now VoIP), and the network entry points used to service industrial control systems (e.g. building systems) make hospitality operations a valuable target for cyberattacks. "Recent major breaches at Fortune 500 companies and household names across the retail, restaurant and hotel sectors demonstrate that anti-virus, anti-malware and firewalls alone are not enough to secure businesses from the ever-evolving threat landscape" (1). Hotels can benefit from hiring a managed security service provider (MSSP) to defend their POS and computing activities from cyberattacks, and from a wireless LAN (WLAN) appliance that provides a secure Wi-Fi experience for guests.

Vendor Selection

Few MSSPs serve small to mid-tier hospitality operators; a few others exist to serve mid-tier to large operators. A limited number of vendors offer secure wireless LAN appliances that can "showroom" site services to guests on their mobile devices and accept PCI-compliant e-transactions. The key to matching your needs with vendor services is understanding how the five pillars of information security show up in your daily operations.

One. Governance. This is the playbook for your information security management program. What policies and procedures will enable you to govern providing just-enough security to meet your operating needs?

Two. Risk Management & Compliance. How will risk and noncompliance impact hospitality operations (physical, technical, financial, managerial)? Maintain current knowledge of the risk inherent in, or arising from, company assets by continually updating a risk log. Compliance refers to the risk that IT operations and e-transactions fall out of line with laws and trade requirements (e.g. PCI-DSS). Scheduled audits will identify changes to both risk and compliance requirements.

Three. Program Architecture and Implementation. What layers of security tools can provide just-enough security for your business? How will those layers be tested and placed into production? What procedures exist to update documentation from change management?

Four. Program Management. What metrics have been established to measure the performance of your information security program? Reviewing these metrics at scheduled intervals will inform you of gaps to close to reach planned goals.

Five. Plans for IR, DR and BC (Incident Response, Disaster Recovery, Business Continuity). What policies and procedures have been written, tested and operationalized to respond to incidents? What skeletal IT infrastructure can be stood up in the event of an unexpected outage? What redundant assets have been developed and curated to maintain business continuity?

Secure WLAN. What appliances have been installed within your WAN to offer a secure and branded Internet browsing experience for your guests? Does the appliance support PCI-compliant e-transactions? At a minimum, the guest WLAN should be logically segmented from the POS and back-office networks so that a compromised guest device cannot reach cardholder data. By deploying context-aware experiences that engage guests on their mobile devices and on dynamic signage, you can build stronger customer relationships, implement new business models, and increase revenue opportunities (2).

When searching for a managed security service provider, outline the criteria of services you need from the vendor and take a pragmatic approach to vendor research and evaluation. Evaluate all vendors under the same criteria so that you can make a like-for-like comparison. Once you have a short-list of vendors to pursue, ask more pointed questions and check references to verify sales claims. (Social media can also surface testimonials from past customers.) The chosen vendor will provide layers of security services to meet your needs, scalable as your needs change. The services purchased or subscribed to should provide the following at a low total cost of ownership (TCO):

  • alignment with the operating needs of your business;
  • just-enough security to provide a safe computing and Internet browsing environment;
  • compliance for processing e-transactions;
  • technical manageability.

Closing Comments

In sum, the prevalence of broadband, cloud computing and e-commerce, together with the exponential expansion of mobile computing by business travelers and mobile consumers, is just cause for hospitality operators of all revenue sizes to invest in managed security services that monitor, defend and protect computing activities and e-transactions alike. Guests will expect (and subtly demand) a secure e-commerce and Wi-Fi experience, branded by the locations they visit or stay at, whether the provider is a sole operator or a member of a large chain.

Thank you for giving this topic your time, attention and consideration; I trust there are takeaways you can use. If you are interested in implementing an Information Security Management Program for your hospitality operation, please click Request a Consultation at the base of this page, enter "ISMP – Hospitality" in the subject line, and include the email signature of your COO or IT Director/Admin in the message body; I reply within 24 hours to arrange an exploratory conference call. ###

  1. Hospitality Technology (2017). Cybersecurity Tactics for a Hotel Industry That's Under Siege. Hospitality Technology, 16 March 2017. Retrieved from cybersecurity-tactics-hotel-industry-thats-under-siege
  2. Cisco (n.d.). Cisco Guest Experiences. Cisco. Retrieved from
