Customer-engagement efforts lend insights into potential guests but lead to high rates of data circulation and an increase in security vulnerabilities in the hotel industry.
As in most industries, cyber risk is increasing in the lodging industry as a function of the surge in electronic connectivity, high-speed global data transfer and the focus on increased customer engagement throughout the travel journey.
The quantity of data in circulation is doubling each year—kind of a new Moore’s Law—with estimates that there will be 50 billion connected devices in the world by 2020 (6.5 devices for every person on the planet, according to a study by DHL and Cisco). By 2025, 80 billion devices will be connected. This explosion of data and interconnectedness provides opportunities for hoteliers to engage customers and differentiate experiences throughout the travel journey. Unfortunately, this proliferation of data and devices also leaves hoteliers (and guests) vulnerable to cyber crime.
Let’s first look at the upside. The new customer-engagement model has implications for how, when and where hoteliers connect with guests to create moments of surprise and delight. As users spend more time connected to devices, hoteliers are developing new technology-enabled capabilities—such as self-service mobile check-in and room selection, electronic room keys, energy management, environment monitoring, gamification, proximity-based marketing and more seamless access to room and ancillary services. As hotels offer these digital experiences, they create further demand for mobile-enabled smart devices, which provide differentiation throughout the travel journey.
Cyber risk: Not preventable, but manageable
That’s the upside of increased connectivity. The downside is that new technologies—such as the Internet of Things, mobile and wearable devices, beacons, geo-fencing and so on—multiply the potential points of intrusion for cyber crime.
Since 2010, more than a dozen data security breaches have affected hotel companies, including seven in 2015 alone. “Hotel hacking” is becoming increasingly common, with many well-known chains affected. Victims have included Mandarin Oriental, Trump, Hilton, Rosen, Hard Rock, Omni, Kimpton, Wyndham, and Starwood, among others.
The weak points for on-property breaches, such as the property-management and point-of-sale systems, still present the highest risk. In 2015, 91% of data breach incidents affecting the accommodation industry focused on the POS system, according to Verizon’s 2016 data breach report. This is an industrywide problem fueled by hackers exploiting weaknesses in third-party POS systems.
New points of weakness are emerging, as hotel companies seek to engage customers with personal smart devices, augmented and virtual reality equipment, and ‘smart’ light bulbs and thermostats. Wi-Fi systems at eight of the world’s top 10 hotel chains have recently been exposed as vulnerable to cyber crime, according to a report from Wired.
Hotel companies should protect against these threats through a holistic, portfolio-driven, risk-management approach. The traditional approach to cyber security has been to erect barriers to entry—high walls with ‘moats and drawbridges’ that are lowered only for clearly identified ‘friends.’ The technology needed to deliver an innovative guest experience and journey makes this approach untenable, due to the dependency on multiple computers, devices and networks on- and off-premise. The ‘moats and drawbridges’ approach is further complicated by requirements to enable guests to gain access from devices that may not be able to meet the full ‘trust’ requirements of the network they are accessing.
Cyber risk cannot be eliminated, but it can be managed. Hoteliers must accept this truism and learn to manage cyber risk while keeping their borders open. This requires that hotel companies understand the different kinds of cyber threats and where they are most likely to strike. To manage this portfolio of risks, hotel companies must focus chiefly on two areas:
- Hoteliers must establish foundational cyber-risk management capabilities through threat assessment and modeling, vulnerability management, cyber analytics and incident response.
- They must also execute scenario modeling to size and assess risk profiles. Many operational risks, including cyber risks, are best evaluated using scenario analysis in conjunction with historical data. Risks include both those affecting the hotel company itself (e.g., reservation system outages) and the guest (e.g., identity theft). Response scenarios such as failover strategy, incident response and so on should be developed based on this risk assessment.
Cyber risk should be approached the same way as any other risk. Once a lodging company has comprehensively evaluated risk profiles, preparation for the most impactful scenarios can be made. This could include a range of options from technology to training and education to taking out insurance. Tellingly, 42% of hospitality and gaming institutions with annual revenues greater than $1 billion have increased their spending on cyber insurance, as well as their exposure limits. The premiums that insurance policies command can serve as a proxy for the cost of the cyber risk they are facing. Such premiums and the financial impact from reputational risk and potential loss of revenue should be considered when evaluating the profitability of a product or service.
In this digital age of personalized experiences and increased customer engagement, cyber risk is unfortunately the new normal. Hoteliers must find a way to manage the risk while still seizing these new opportunities.
Claus Herbolzheimer is a partner in the strategic IT and digital practices for Oliver Wyman based in Berlin. New York-based partner Dan Kowalewski focuses on the hospitality and travel-related service sectors for Oliver Wyman. Ben Hoster, a Dallas-based engagement manager, also contributed to this article.
The opinions expressed in this column do not necessarily reflect the opinions of Hotel News Now or its parent company, STR and its affiliated companies. Columnists published on this site are given the freedom to express views that may be controversial, but our goal is to provoke thought and constructive discussion within our reader community. Please feel free to comment or contact an editor with any questions or concerns.