Hotels tend to be valuable assets housed in prime real estate with carefully and often expensive fixtures and amenities. But there is nothing more valuable to a hotel than its guests – not only their comfort, but their security.
Today the world is a risky place, and risks are developing and morphing constantly. Hotel groups are faced with the challenge of trying to balance seamless operations and pleasing aesthetics with a comprehensive security programme that keeps its valued guests safe from ever evolving threats.
Since September 11, 2001, the world has been increasingly more aware of the vulnerabilities associated with terrorist activity. Further, the Mumbai hotel attacks in 2008 resulted in hotels around the globe becoming more focused on their obligation to improve their security systems and processes to manage the risk associated with terrorist attacks. They have responded by beefing up physical security in an effort to deter potential attacks and make guests feel safer during their stay. However, what has gone relatively unnoticed by most guests is that hotels have also responded to the significant and increasing risk of cyber terrorism that has emerged.
The Risk Shift from Terrorism to Cyber Terrorism
As an insurer, our Crisis Management team retained expert operational risk management advisers, the Salamanca Group. Julian Davies, Head of Consulting, Corporate Risk Services at the Salamanca Group says hotels struggle with gaining complete physical and situational awareness in complex political regions. A key challenge is balancing cost with proper security, building for future risks and maintaining high-quality local security. Unfortunately, as Mr. Davies points out, these challenges pertain not only to physical security but also data security, which has complexities that can be exponentially more difficult to contain.
As the internet has advanced so has the speed at which the world operates and hotels have become fully dependent on storing data online. Even the smallest hotels now have specialist software systems that allow guests to book their hotel reservations from a click of a button on their PC or mobile device, uploading all their personal data onto the hotel’s servers. The result is that hotel IT systems have become repositories for massive amounts of personal data, credit card information, and the identity details of millions of people around the world, making them prime targets for a cyber-attack.
Cyber-Attacks: What it means for Hotels
Cyber terrorism is a controversial term and its definitions vary. While the general understanding is that cyber terrorism is the use of the internet to stage terrorist attacks or a politically motivated use of computers and information technology to cause severe disruption or widespread fear, there are variations in qualification by motivation, targets, methods, and centrality of the computer(s) used in the act.
The hotel industry’s understanding of cyber risks is still fairly rudimentary, their protective measures and responses to cyber-attacks have not developed as quickly as the tactics used by cyber criminals. For example, at a typical hotel, consultants will establish two or three scenarios for each terrorist threat stream. However, for cyber-attacks, the Salamanca Group say a typical hotel could face 15 threat-based scenarios plus, highlighting the diverse nature of this evolving threat. Common attacks don’t only include politically motivated terrorists, but a wide range of groups including malicious residents, employees, criminals, internet terrorists, hackers, journalists, competitors and hacktivists, among others.
Many hotels would be surprised to know their computers aren’t the only source of exposure to a cyber-attack. What people don’t realise is that vulnerabilities are not just on the machines that hold your data, as any device on that same network can act as the portal for the threat including fax machines or personal laptops.
With this in mind, our cyber underwriter at XL Catlin, Lisa Hansford-Smith advises hotels to address cyber risk management through a cyclical approach, whereby the company constantly surveys what the risks are, how the legal sphere is changing, how data protection methods are evolving, and what new attacks are occurring. They can then feed that data back into their system, allowing them to adapt their policies and procedures as needed.
However, what is clear is that while the hotel industry is doing its best to adapt, it is not adapting quickly enough to deter perpetrators. According to a 2013 report from Trustwave Global Security, 78% of all data breaches occur in hotels, retails stores, bars and restaurants. Most recently in February 2014, during what could be the “”, a hotel franchise suffered attacks on their systems, leaving guests’ credit and debit card information exposed. Attackers were able to remotely install malware onto the individual cash registers and reception computers, making it increasingly difficult to quantify where the exposures were and the subsequent scope of insurance policies.
Effectively Battling Cyber Terrorism
With the risk of a cyber-attack added to the threat of physical terrorism, hotels now need to take a holistic approach to security in order to mitigate the risk of attacks and their potential impact.
Not dissimilar to a physical terrorist attack, a cyber-attack can cause irreversible damage to a hotel’s reputation and its brand. It’s crucial that hotel operators understand how they are protected and consult their underwriter to help managing risks associated with a potential attack. Mitigating risk means looking beyond the IT department and ensuring each department of the company is in sync and aware of the risks, exposures and processes.
Dan O’Connell, our terrorism underwriter says that hotel operators might not realize that their insurance coverage does not respond to some consequences of an attack. There is no guarantee of avoiding a terrorist attack or avoiding the damage it can cause, but a clear way for a hotel to distinguish itself from its competitors is to take a holistic approach in having a thorough and current understanding of the latest risks as they evolve. Salamanca regularly audit the potential risks and physical damage to understand the best mitigation features to provide the most robust risk management. Almost all hotels purchase terrorism coverage, but not all of them go to the extent of taking additional precautions to implement advanced security and attack response systems that address the evolved threats.
Hotels with independent managers running the franchise have the additional burden of managing a tight form of control across each of its various branches. To mitigate this risk, many hotels are beginning to turn to third party providers who securely store data across the chain.
In an increasingly competitive economic environment, there are few things more important to a business than its reputation. In the hotel and hospitality industry, customer relationships are crucial when maintaining a good reputation, so ensuring their safety and security is a vital part of the business. When a guest’s security is at risk, either in the physical world or online, all fingers will inevitably point to the hotel and its response systems. The bottom line is a hotel’s protective measures are only as good as the advisers who help them address the risks they face. So getting the right people on board is key to protection.
An edited version of this article was first published in Caterer magazine on January 16.Want to know more? You can reach Ian on: ian.france@xlcatlin.com
