Cybersecurity Checklist: Six Best Practices for Hotels


From travel cancellations to layoffs and furloughs for employees, the impact of quarantine orders and COVID-19 best practices included dramatic reductions in hotel and resort occupancy for properties of all sizes and types. Hotel owners and managers have a long list of preparations to complete as they prepare to welcome travelers to their properties again. Cybersecurity considerations should be an important part of those preparations.

Why Hotel Cybersecurity Matters

The hotel industry collects a lot of personal data when serving its customers. This data includes reservation and travel details, credit card and loyalty program numbers, guest preferences, and other identifying information. Hotels collect the data from an abundance of sources: reservation systems, point-of-sale systems (e.g., restaurant and gift shop purchases, spas, and other amenities), and connected devices.

A hotel typically operates several systems that collect data directly or through third parties. For example, a hotel may contract with a third party to operate a reservation system, with another party to handle credit card processing, and with a third set of parties, perhaps many, to provide onsite or remote maintenance services. Hotels may also have deployed connected or “smart” technologies to assist with operations like automated temperature controls, mini-bar consumption monitoring systems, keyless room check-in/check-out, and mobile phone ordering systems. Factors like these, along with the higher turnover rates that are common across the industry, make hotels a rich target for hackers and others who may attempt to breach systems and data.

Practical Tips to Stay on Top of Data

No single “one-size-fits-all” checklist provides the perfect cybersecurity solution for every hotel, but the following best practices may be useful.

1. Understand the technology and systems in use and what data is collected.

Point-of-sale terminals, connected devices, and reservation systems all connect to databases that collect information on operations. Understand how these devices and systems work, how and to what other systems they connect, what data is collected, and what vulnerabilities the device, system, or software may have. The inventory of these systems should be updated whenever there is a change, e.g., the addition of a new system or device, a software update, or a new vendor or provider.

2. Manage vendors and third-party service providers.

The process of selecting and contracting with a vendor or service provider should include an assessment of their security practices. How does the vendor interact with the hotel’s systems? Who can access those systems, and how does that access connect to other systems across the operation? Does the vendor have solid compliance programs in place? Does it update and monitor its own cybersecurity? How does the vendor screen and train its employees? For instance, a sizeable breach at a retail company occurred when an attacker reached the company’s point-of-sale (POS) systems through vulnerabilities in the systems of one of its service providers, even though that provider was not servicing the POS system.

3. Patch and update systems regularly.

One of the biggest information security breaches reported to date occurred due to a failure to update a software program. The update was not applied even after the company’s software vendor sent several notices about the vulnerability and the need to apply the provided patch.

4. Train and re-train staff.

Frequent cybersecurity compliance training, early and often, is a necessity. Many breaches have occurred simply because of an employee error or acceptance of a phishing email.

5. Perform regular security and risk assessments.

The usual recommendation is to conduct a full security review and risk assessment at least annually. Many organizations conduct their reviews quarterly and whenever a technology or vendor change occurs.

6. Keep WiFi networks separate.

Hotels often provide complimentary WiFi to guests and visitors. It’s recommended that guest and visitor WiFi be provided on a network separate from the hotel’s business or operations network, and that the operations network be appropriately secured.

Cybersecurity is an important focus for the hotel industry. Breaches of customer information have resulted in reputational damage as well as fines and investigations. Adopting these and other cybersecurity practices is an important step toward safer data management.


Cheryl M. Burtzel is the office managing partner for Spencer Fane LLP in the firm’s Austin office. She is an experienced transactions attorney assisting clients on commercial and compliance matters involving privacy, cybersecurity, sales and distribution, government contracts, and procurement legal matters.