Many key players in the global hospitality industry have fallen victim to cyber-attacks over recent years, including Hilton, Trump Hotels and Mandarin Oriental.
Why are these businesses such tasty targets?
We’re talking about hotels, restaurants and other retail outlets which process (and store) customer data all day, every day.
The emergence of this industry as a lucrative target, and the increasing number of high-profile attacks over the last couple of years, only demonstrate that these businesses are not pushing security and privacy high enough up their agenda. It is only a matter of time before customers of these establishments demand answers about security breaches and why these businesses cannot be trusted with customers’ personal details; it will be the burger or the overnight stay that these customers come to regret.
It will not be long before businesses are forced to take the protection of personal data more seriously. The ownership of such data lies with customers and employees (and not the business), so increased security measures are required to minimise the risk of compromising the privacy of personal data.
It is not just personal data at risk. Whatever a hotel or a restaurant can do with its systems, cyber attackers can do too: access bank accounts, switch on the air conditioning or crank up the heating, set off all the fire alarms, trigger the sprinklers, you name it. If all hell is breaking loose in your business, you risk losing control of your employees and your customers.
And what about the legal and financial risks?
The UK will adopt the General Data Protection Regulation (GDPR) soon and businesses will have to be compliant by May 2018. The GDPR is intended to provide the general public with more confidence that personal information is being handled with care. This means that businesses will need to be more transparent, including disclosing any security breaches affecting personal data.
Once someone with time on their hands and the requisite skill set gains access to your system, you will most certainly be at risk of reputational damage. You could also be looking at penalties of up to €20m or 4% of your worldwide turnover (whichever is higher), plus compensating individuals who are affected by breaches of your responsibilities. That’s potentially colossal.
The regulators will also have the power to intervene in the way you run your business and implement appropriate changes.
How to prepare?
There is no simple trick to preparing for the regulatory changes. Businesses must think of the preparations as a lifestyle change, like healthy living, which involves a well-balanced diet and exercise, rather than crash-dieting for a short period of time to achieve a quick, temporary result.
Security breaches can affect operational matters as well as putting personal data at risk. Safeguard your business with system security audits, annual health checks, employee training, and policies and business models that are kept relevant. A combination of such data health measures, and being able to learn from your own and others’ past mistakes, will reduce the risk of security breaches, ensure you are prepared for attacks and help keep you on the good side of the law and your customers.