Can your Hospitality company afford a $123 Million fine?

The heightened risk of overlooking information security.

Recently the United Kingdom Information Commissioner’s Office (ICO) passed down their intended penalty of $123M USD for Marriott Hotels, relating to the 2014 data breach. The announcement leverages GDPR regulations and follows the previous announcement of British Airways fine of $230M USD. 30 million and 500,000 Europeans personal information, respectively, were impacted.

Mistakenly, focusing only on compliance is much like rearranging the deckchairs on the Titanic. Compliance is not information security. Simply meeting GDPR, PCI, etc. does not prevent an information security breach.

Lukas Kuzmiak, insighti

The Marriott incident demonstrates that major corporations can be breached. Everyone is therefore at risk. 

Once upon a time, information security was a two party matter between targeted companies and the information thieves. With the entrance of data protection laws, industry watchdogs, global media exposure and onus placed upon business to demonstrate a duty of care for guest information, the hospitality industry has moved to a multiparty environment. The regulators are watching and organisations’ failure to secure information will result in significant financial penalties. There is nowhere to hide.

Under this new environment, hoteliers are faced with the heightened challenge of balancing investment across an information technology portfolio and the appropriate investments for information security. Of greater concern, is where major corporations have been unable to secure data, how does a smaller organisation with less resources match due diligence and investment?

At a recent hospitality industry CIO seminar, the Federal Bureau of Investigation identified the hospitality industry as a high-value target for information theft. Key drivers making the industry attractive include:

• the volume and detail of customer information, particularly Personally Identifiable Information (PII) 
• the nature of financial transactions and vulnerabilities in the process 
• the distributed nature of business units and technologies 
• the number of systems in the hospitality technology ecosystem creating greater risk 
• the high profile and sensitivity of guests and groups of guests frequenting and congregating at hospitality destinations 
• the available funding for information technology compared to higher capitalized industries

Between fines, loss of customer trust, and legal action, the organizational risk is simply too high to not invest in information security.

The regulators are watching and organisations’ failure to secure information will result in significant financial penalties. There is nowhere to hide.

While discussed frequently in industry, information security is rarely approached as a whole. Often, individual components are brought to light, with topical importance shining on the issue of the time. GDPR and PCI regulations being common examples.

“Mistakenly, focusing only on compliance is much like rearranging the deckchairs on the Titanic. Compliance is not information security. Simply meeting GDPR, PCI, etc. does not prevent an information security breach.” – Lukas Kuzmiak, insighti.

A comprehensive information security policy begins with sound operational processes supported by a robust foundation of IT infrastructure and environments. The end result is compliance.

Once hoteliers come to the realization that they need security beyond compliance, the question shifts. Where do they start? Where does their information security currently stand?

Hoteliers need to ask themselves;

1. Are you balancing technology and information security investments?
2. Do you have the in house expertise to successfully oversee information security?
3. Do you understand the scope of information security?
4. Are your operational processes structured to maintain data information security?
5. What vulnerabilities exist in your environment that you are not aware of?
6. Who can help me achieve a balanced approach to information security?

hiGuard.io is a forward-thinking approach to cybersecurity and privacy challenges for the hospitality industry. hiGuard.io provides information security beyond compliance, combining cybersecurity best practices with hotel technology operations & hospitality industry expertise.

About TRAVHOTECH – Knowledge | Experience | Execution | Realization –Utilizing 30 years of global current and practical experience. TRAVHOTECH is the next generation travel technology & hospitality technology consultancy for the modern travel and hospitality world. TRAVHOTECH provides consulting services globally to travel and hospitality operators and technology vendors.