How hospitality can protect both data and value

Technology increasingly permeates products and customer experiences across the hospitality and restaurant industries. That can elevate the experiences, but it can also put assets, customers and reputations at risk.

Alex Rhodes 

Head of Hospitality & Restaurants Industry
Grant Thornton Advisors LLC
Partner, Audit Services, Grant Thornton LLP

“For the past decade, the industry has been focused on automation and streamlining processes in both the back and front of the house to address labor shortages,” said Grant Thornton Head of Hospitality & Restaurants Industry Alex Rhodes. “There are many ways to substitute an online interaction for an employee interaction.” 

However, lodging, restaurants and gaming companies need to be careful. “Companies need to remain cautious with technology, however, as the industry continues to be vulnerable to cybersecurity issues as demonstrated by high-profile breaches,” Rhodes said.

Companies need to protect the technology that is now woven into their products and experiences — without losing the cost savings and flexibility that are often important reasons for adopting the technology.

The cost of security

Data is a growing part of the proprietary value in companies today, so data security is essential. As our survey report on the role of compliance and resilience in digital use shows, businesses are prioritizing cybersecurity as the top target of technology investment.

However, cybersecurity measures can also be expensive, and merely prioritizing them as a place to invest money might not be the best risk-mitigation decision for a hospitality company on a tight margin.

To optimize security, you need more than just spending — you need right-sized, strategic spending. As digital threats continue to grow, what matters is getting the most out of your cybersecurity investment. With dedicated management and proper direction, it is possible to reduce cybersecurity costs while improving response and operations at the same time.

Strategy

Perspective shift

When considering both the cost and the scope of cybersecurity measures, hospitality industry financial leaders must shift from viewing cybersecurity as a cost center to understanding it as a revenue protection and brand preservation effort, said Jeff Wilcox, a Grant Thornton Senior Manager in Cyber Risk, Risk Advisory. Doing so with confidence requires adopting and measuring key performance indicators that tie business outcomes to cybersecurity measures (e.g., phishing attempt reduction, vendor compliance rates). CFOs can then quantify brand trust impact by analyzing customer retention rates and loyalty program engagement before and after security incidents. 

However, too many organizations plan their cybersecurity based on technical factors, without adequately considering their business goals. Likewise, many organizations make business decisions without adequately considering cybersecurity implications. For instance, just “securing everything” is expensive, slows response time, and creates constant alerts that make it harder to spot real threats.

Cybersecurity and business goals must be aligned to support your business as it moves forward. In business terms, your cybersecurity spending should focus on reducing the risks and empowering efficient responses that are most important to maintain secure business operations. You should establish cyber risk quantification models that assign dollar values to different threat scenarios, Wilcox said, allowing CFOs to evaluate security investments using the same ROI frameworks applied to, say, property renovations or marketing campaigns.

“We often recommend implementing security scorecards that translate technical metrics into business language,” Wilcox said.
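The quantification approach described above, worked through as an added illustration (this is not Grant Thornton's model, and every scenario, control, dollar figure and effectiveness estimate below is constructed): each threat scenario gets an annualized loss expectancy, each candidate control gets a return on security investment, and the scorecard ranks controls the way a CFO would rank any other spend. The "secure everything" row shows why blanket spending can score negatively.

```python
"""Dollar-valued threat scenarios and ROI of candidate controls.

Added illustration of cyber risk quantification; not Grant Thornton's
model, and every figure below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Scenario:
    name: str
    single_loss: float   # SLE: expected cost of one occurrence, USD
    annual_rate: float   # ARO: expected occurrences per year


@dataclass
class Control:
    name: str
    annual_cost: float
    # Fraction of each scenario's annual loss the control is assumed to remove.
    reduction: dict = field(default_factory=dict)


def ale(s: Scenario) -> float:
    """Annualized loss expectancy = SLE x ARO."""
    return s.single_loss * s.annual_rate


def risk_reduced(scenarios, c: Control) -> float:
    """Total annual loss the control is expected to avoid across scenarios."""
    return sum(ale(s) * c.reduction.get(s.name, 0.0) for s in scenarios)


def rosi(scenarios, c: Control) -> float:
    """Return on security investment: (loss avoided - cost) / cost."""
    return (risk_reduced(scenarios, c) - c.annual_cost) / c.annual_cost


def scorecard(scenarios, controls):
    """Rank controls by ROSI so they compare like renovations or campaigns."""
    rows = [{"control": c.name, "cost": c.annual_cost,
             "loss_avoided": risk_reduced(scenarios, c),
             "rosi": rosi(scenarios, c)} for c in controls]
    return sorted(rows, key=lambda r: r["rosi"], reverse=True)


# Constructed scenarios for a hotel group (not survey data).
SCENARIOS = [
    Scenario("ransomware on property management system", 2_000_000, 0.1),
    Scenario("loyalty account takeover via phishing", 50_000, 4.0),
    Scenario("payment terminal tampering", 150_000, 0.5),
]
# Constructed controls; reductions are assumed effectiveness estimates.
CONTROLS = [
    Control("phishing-resistant MFA + role-based training", 120_000,
            {SCENARIOS[0].name: 0.5, SCENARIOS[1].name: 0.7}),
    Control("offline, tested backups", 40_000, {SCENARIOS[0].name: 0.6}),
    Control("terminal tamper inspections", 30_000, {SCENARIOS[2].name: 0.6}),
    Control("secure everything", 500_000, {s.name: 0.9 for s in SCENARIOS}),
]

if __name__ == "__main__":
    for row in scorecard(SCENARIOS, CONTROLS):
        print(f'{row["control"]:<45} ROSI {row["rosi"]:+.2f}')
```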

This risk management perspective can help you understand how to balance costs. It can also help you set priorities for the data, assets, people, processes and technologies involved.

Data management

As data becomes increasingly valuable in this industry, even high-profile companies can fall prey to ransomware attacks. Established chains in the lodging, restaurant and gaming space can be more attractive to attackers, but so are the technology services that serve both small and large clients across the industry. One recent example is the ransomware attack on a hotel management platform, which leaked the personal information of guests of the many major hotel companies that use that platform.

Not surprisingly, data privacy and the threat of ransomware were the topmost concerns in our survey report.

As organizations acquire new solutions and data, many adapt their cybersecurity processes along the way. This can lead to a disjointed cybersecurity strategy that sets the wrong priorities or even leaves unprotected gaps. By inventorying the data you already hold, you can assign each data set, and the metadata that accompanies it, to a priority category.

Organizations need to understand where data resides, what restrictions should apply and what the priorities are for the business. This is important for security, but also for programmatic efficiency. 

Asset management strategies

Effective asset management also can enable quicker cybersecurity incident analysis and response, while helping to reduce costs. Asset management tools provide insight into your number of users, assets and other accounts. Reducing unused accounts, assets and devices can reduce your software licensing costs and your attack surface.

The more live assets and accounts you have, the more targets exist for a cybersecurity attack. Older systems or software can be especially dangerous, since unexpected activity on them might go unnoticed.

Most organizations ultimately need to track a range of assets and platforms, including multiple versions — and this diversity can be a good thing. It may seem logical to deploy the same device to everybody. But if you have only one operating system, and ransomware or other malware infects it, you may not be able to get into other SaaS-based tools at all.

Managing a cyber incident: Communication management

Perhaps the most critical element during an active cyber incident is establishing pre-defined communication protocols that operate independently of compromised systems, said Wilcox. Effective coordination requires a tiered escalation model where front-line security teams can immediately isolate affected systems without waiting for executive approval, while simultaneously notifying operations leadership through secure, out-of-band channels.

Organizations that respond successfully maintain clear decision rights, ensuring the IT security team owns technical containment while operations leaders manage guest communication and business continuity decisions in parallel.

“To prevent a ‘don't tell’ culture, leadership must explicitly separate post-incident analysis from punitive measures,” Wilcox said.

Creating psychological safety requires board-level commitment to treating security incidents as organizational learning opportunities rather than individual failures. The hospitality sector particularly struggles with this balance because operational leaders often prioritize guest experience continuity over security protocols, inadvertently punishing teams who halt services during suspicious activity, Wilcox added.

Role-based employee management

Cybersecurity reports consistently show that preventing accidental employee actions is a key to better data safety. Cybersecurity depends on small decisions that employees make every day.

Since every employee plays a role in cybersecurity, it’s important to manage risk in those roles, which can include:

  • End users: The vast majority of employees interact with sensitive information on a daily basis.
  • Executives: Leaders are at a higher risk for phishing, since they are often considered prime targets.
  • Developers/clinicians/sales/HR/Finance/Internal audit: These teams are outside of cybersecurity but have a special duty to protect sensitive information.
  • IT staff: IT admins have privileged-access accounts that can potentially halt business operations.
  • Cybersecurity teams: Apart from operations, these teams also include architecture, policy/governance, identity/access management, privacy, and third-party risk.

Employee cybersecurity training in hospitality will fail, Wilcox said, when it treats a front desk agent, a casino floor manager and a revenue analyst as interchangeable users facing identical cybersecurity threats. It’s important to understand the full scope of an employee’s access, because with access comes the potential for mistakes.

The “human firewall” cracks fastest where employees use workarounds at boundaries in systems to circumvent security friction, Wilcox said. Rather than mandating compliance, effective risk mitigation acknowledges this operational reality and works with department heads to redesign workflows that eliminate the need for security shortcuts while maintaining a quality guest experience.

Role-specific micro-learning programs can address typical scenarios employees encounter, such as:

  • Teaching housekeeping staff to recognize USB drops in rooms
  • Training restaurant managers on payment terminal tampering indicators
  • Showing reservation agents how phishing attempts exploit booking confirmation workflows

The most successful implementations, Wilcox said, embed security “champions” within operational teams who receive advanced training and serve as first-line resources, creating peer-based accountability that proves far more effective than top-down mandates.

Processes and automation

Securing operations

A security operations center (SOC) can consolidate the ongoing management of your cybersecurity strategy. A SOC can provide 24/7 monitoring of processes, overseeing cybersecurity priorities for data, assets and solutions. A SOC can further analyze centralized activity in a security information and event management (SIEM) tool to assess risks and initiate actions. Our survey report found that governance, risk and compliance tools and processes, such as a SOC, can mitigate technology risks.

SOC areas of interest should include:

  • Data priorities: Your SOC will know where the “keys to the kingdom” data resides, along with other data priorities, to coordinate effective and efficient protection.
  • Shadow IT: New solutions can appear in the organization, and your SOC can also help spot when these solutions, and their associated risks, arise.
  • Solution design: Your SOC can help inform your organization’s solution architecture and engineering, helping to ensure alignment with the organization’s business goals and risk management.
  • Event telemetry: As your SOC monitors your SIEM and other tools, it can assess and prioritize the events and alerts, taking action and identifying opportunities to automate actions in the future.

A periodic review of your technology stack can be another important element in cybersecurity. Continuous updates and assessments can help you take advantage of the full potential of your technologies to safeguard against the dynamic nature of cyber threats. 

Obtaining cybersecurity insurance

A growing number of organizations are also obtaining cybersecurity insurance. Insurance providers typically require cybersecurity audits and a framework of cybersecurity standards, which can help enforce compliance across the organization. The standards can help identify issues that the organization might not have been monitoring, and compliance is usually tied to the cost of the insurance. So, better cybersecurity can be directly tied to cost savings.

One key to proper implementation is that whoever signs up for that insurance — the CFO or COO office — needs to communicate with the CIO, CISO, IT and cybersecurity teams about who has access, and the coverage details. It’s also important to note that policies might have preferred providers and might not cover work from other providers at the same level. It can even be important to call your cybersecurity insurance provider in the midst of an attack, as they can often help negotiate with the attackers. 

Automation complications

Some aspects of the hospitality industry are especially susceptible to attack — like the online gaming sector, where a cyberattack can entirely shut down the product. 

These attacks, and the growing complexity of cybersecurity for AI solutions, have pushed some organizations to consider automation.

For example, guest-facing automation implementation can create a security architecture where AI chatbots operate with excessive access privileges to back-end systems. Self-service kiosks located in unsupervised areas can become targets for device tampering, credential harvesting, or network infiltration through exposed ports, Wilcox said.

“Blind spots can emerge when hospitality operators focus intensely on the guest-facing experience during deployment while treating the security implications as IT’s problem to solve afterward,” Wilcox added.

To counter the threats these vulnerabilities raise, hospitality companies should implement strict API segmentation to ensure these automated touchpoints can only access the minimum data required for their specific function. Automated monitoring can specifically detect anomalous behavior from these self-service systems.
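The segmentation and monitoring just described, as an added example rather than anything from the article or its authors: a deny-by-default allowlist gives each automated touchpoint only the endpoints its function needs, and a detector run over constructed log lines flags calls outside that scope, unknown devices on the kiosk segment, and request volumes no kiosk should produce. The client names, endpoints, hourly ceilings and log format are all assumptions.

```python
"""Least-privilege scoping and anomaly detection for guest-facing automation.

Added example of API segmentation and monitoring; the touchpoints,
endpoints, ceilings and log lines are all constructed."""
from collections import Counter

# Allowlist per automated client: only the endpoints its function requires.
# A check-in kiosk has no business exporting guest records.
ALLOWED = {
    "lobby-kiosk-01": {"GET /reservations/lookup", "POST /checkin", "POST /keys/issue"},
    "concierge-bot": {"GET /amenities", "POST /dining/reserve"},
}
# Constructed hourly request ceilings; a kiosk serves a handful of guests an hour.
HOURLY_CEILING = {"lobby-kiosk-01": 10, "concierge-bot": 300}


def authorize(client: str, method: str, path: str) -> bool:
    """Deny by default: unknown clients and out-of-scope endpoints are refused."""
    return f"{method} {path}" in ALLOWED.get(client, set())


def parse(line: str) -> dict:
    """Constructed log format: '<ISO timestamp> <client> <method> <path>'."""
    ts, client, method, path = line.split()
    return {"ts": ts, "client": client, "method": method, "path": path}


def detect(lines) -> list:
    """Return (kind, client, detail) alerts for out-of-scope calls and volume spikes."""
    alerts, per_hour = [], Counter()
    for rec in map(parse, lines):
        if not authorize(rec["client"], rec["method"], rec["path"]):
            alerts.append(("OUT_OF_SCOPE", rec["client"], f'{rec["method"]} {rec["path"]}'))
        per_hour[(rec["client"], rec["ts"][:13])] += 1   # bucket by hour
    for (client, hour), n in per_hour.items():
        if client in HOURLY_CEILING and n > HOURLY_CEILING[client]:
            alerts.append(("VOLUME", client, f"{n} requests in hour {hour}"))
    return alerts


# Constructed sample: normal traffic, one over-privileged call, one unknown
# device on the kiosk network segment, and a 3 a.m. burst of lookups.
SAMPLE_LOG = [
    "2024-05-01T09:02:11 lobby-kiosk-01 GET /reservations/lookup",
    "2024-05-01T09:02:40 lobby-kiosk-01 POST /checkin",
    "2024-05-01T09:03:05 lobby-kiosk-01 POST /keys/issue",
    "2024-05-01T09:10:00 concierge-bot GET /amenities",
    "2024-05-01T09:15:30 lobby-kiosk-01 GET /guests/export",
    "2024-05-01T09:16:00 rogue-device GET /amenities",
] + [f"2024-05-01T03:{i:02d}:00 lobby-kiosk-01 GET /reservations/lookup"
     for i in range(12)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```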

Well-planned automation can save significant cybersecurity costs over time. To analyze your opportunities for automation and plan the right approach, consider the following factors:

  • Complexity: There will be process exceptions, architecture limitations, business requirements and other complexities that limit which processes are candidates for automation, so plan to analyze and understand those before you plan the areas to automate.
  • Budget: Automation (especially an initial implementation) will typically require engineers, analysts or both. It’s important to budget for and allocate the right number and ratio of knowledgeable resources to achieve success.
  • Customization: Security orchestration, automation and response tools have significant potential, but they can require implementation or customization that you should anticipate in your planning.

The best opportunities for automation are often in the ongoing analysis of alerts or threats as they come in. From there, you can consider whether there are repeatable actions that are also candidates for automation. 

Next steps

The hospitality industry continues to evolve through digital transformation, but that comes with a responsibility to secure guest trust, operational continuity and data integrity. Cybersecurity is a strategic imperative that directly safeguards a company’s brand value and revenue potential.

A comprehensive cybersecurity strategy in hospitality should emphasize:

  • Strategic alignment: Positioning cybersecurity as a function of business resilience and brand protection, not just IT spending.
  • Data and asset management: Identifying, prioritizing and protecting critical data while reducing unnecessary system complexity.
  • Human-centered security: Tailoring employee training and access control to specific roles and responsibilities.
  • Incident and communication management: Establishing pre-defined response protocols that maintain operational integrity and transparency.
  • Process optimization and automation: Using SOCs and AI-driven tools for proactive monitoring, while managing automation risks through proper segmentation and oversight.

Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.
