Know the Risks
Information security best practices to protect hotel guest data.
By Monu Kalsi
In the age of data breaches, protecting your guests’ information means protecting your hotel’s reputation and financial well-being. As a precaution against hackers exploiting online vulnerabilities, many hotel and hospitality brands have smartly put an emphasis on the information security of their point-of-sale systems and online networks to prevent online breaches. Many brands, however, tend to forget the potential data breach risks of physical paper documents that are printed, stored and circulated on a daily basis within a hotel.
While the impending General Data Protection Regulation (GDPR) compliance deadline has prompted global hospitality brands to evaluate information security processes, all organizations should consider reviewing and restructuring their information security policies, not only to ensure compliance with industry regulations, but also to confirm they have processes in place to safeguard confidential guest information and the brand’s reputation.
Given that data breaches can have a significant impact on a brand’s reputation and financial well-being (a massive $3.6M according to the 2017 Ponemon Institute Cost of a Data Breach report), here are a few best practices for hospitality and hotel leaders to consider when analyzing information security protocols.
Conduct Risk Assessments
To identify your hotel’s information security strengths and weaknesses, the first step an organization of any size should take is to conduct a risk assessment. Specifically, hotel leaders will want to determine the following:
- Is there an information security policy already in place?
- Does the policy give equal attention to cyber and physical information security?
- Does the policy advise how physical paper documents should be stored and disposed of?
- Does the policy address how hotel staff are to handle the online and physical data of guests?
While a full risk assessment will include a robust review of current policies, the above questions are a great starting point to reveal some of the greatest potentials for a breach within an organization.
Determine What Should be Restricted
When you restrict access to online files or physical paper documents, you limit the number of opportunities an employee has to cause harm to your brand, intentionally or unintentionally. Hotel leaders should consider vetting employees and determining different levels of security clearance based on their performance and history with the company as well as their job responsibilities. For example, someone in the housekeeping department, unless it’s the manager, may not necessarily need access to guest stay information, like booking information that shares credit card details.
Implement Employee Training
This is one best practice that often gets neglected for various reasons (high employee turnover, lack of ongoing resources to conduct training, deprioritization of training, etc.), but it’s one of the most critical components to reducing the likelihood of a breach – especially considering that up to 25 percent of information breaches are caused by employee error or negligence.
Hotel leaders can create a culture of security amongst staff (from front desk staff to maintenance crews, to housekeeping, to bar staff and more) by promoting ongoing information security training. Whether it’s instituting a clean desk policy for the front desk and managerial offices, or incorporating security training into new employee orientation, or teaching employees what type of guest information, if left improperly stored or disposed of, can lead to a breach, employee training and “best practice” policies create more informed and aware employees.
For hotel leaders looking to take training a step further, consider implementing a practice around what hotel staff should do when they find confidential information left by guests in hotel rooms. From old boarding passes to credit card receipts, guests often leave sensitive information behind without knowing the security risks it poses.
Each hospitality and hotel organization has its own unique set of information security needs and challenges, but this short list of best practices provides a basic overview of how to evaluate current information security policies. Protecting the personal information of hotel guests is a must, and taking proactive measures now will ensure your hotel is prepared to handle complex information security challenges when they arise.
Monu Kalsi is the vice president, marketing for Stericycle and oversees the Healthcare and Shred-it brands focusing on their marketing functions. Kalsi is responsible for developing, leading and implementing marketing and digital strategies across both organizations with a focus on customer acquisition and retention, sales support, brand enhancement and creative services. Prior to Stericycle, Kalsi was the head of digital for Zurich Insurance where he oversaw the company’s digital marketing and digital transformation for U.S. and Canada. He has two decades of diverse experience spanning marketing, digital, business, and technology while working with top global consultancies, leading agencies, and large corporate environments in automotive, health, insurance, consumer packaged goods, pharmaceuticals, financial services and energy verticals.