Understanding the challenges of mobile and contactless hotel services
by KORY DANIELS
Technology is changing the expectations and behaviors of travelers when they’re making their business and leisure decisions. As a result, the hotel industry is intensely focused on unlocking the technological benefits to compete for traveler attention. Digital experiences, contactless services, and eco-friendly practices are presenting new opportunities and risks for businesses to navigate. The era of mobile and contactless services has ushered in a new normal for hospitality organizations, offering guests seamless experiences with a simple tap of their smartphones.
Innovation is a blade that cuts two ways; new competitive advantages come with known – and unknown – threats to compliance and consumer trust. Of those threats, security implications have proven to be specifically challenging, especially with the rise of contactless services. Reports show 59 ransomware incidents occurred in hospitality in 2022, with 26% of all reported incidents among Trustwave hospitality clients attributed to credential access – specifically brute force attacks, which use trial and error until the bad actor gains access.
Hoteliers must address the following concerns to ensure the safety and security of both their and their guests’ data, such as personal information, travel preferences, identification documents, and payment details.
SEASONAL WORKFORCE TURNOVER
The human factor is the Achilles heel of any mature cyber program. The MGM Resorts and Caesar’s Entertainment cyberattacks underscore the vast majority of attacks in the hospitality industry focus on people-based methods such as phishing and email-borne malware. One of the most persistent challenges hoteliers face is seasonal workforce turnover, heightening the likelihood of gaps in a hotel’s security posture. As hotels hire and train new employees for peak seasons, maintaining consistent security protocols can become a daunting task. The use of mobile devices for guest services, check-ins, and access control introduces an additional layer of complexity to this constant flux.
Revisiting how the organization prioritizes security awareness and education needs to become a business conversation – not solely a cyber one. The question is where to start. In a perfect world, organizational governance already is raising these risks at the senior leadership level and supporting their cyber leader. Since the world isn’t perfect, security leaders must ensure this conversation is occurring at multiple layers of leadership – from the board to the chief experience officer team, all the way through a combination of HR, IT, and Legal. Regular security awareness sessions can help staff recognize potential threats and adhere to best practices in securing guest information.
While important, even with the best awareness and education programs in the world, there will still be unintentional – and more malicious – security incidents. Incident resilience requires understanding and readiness at multiple layers of the business. Incident response plans should be well-known and frequently tested. That plan should account for every team member, making sure administrative staff, executive management, and front desk staff know how to identify, report, and mitigate security concerns effectively. New and seasonal hires should be trained accordingly.
SCATTERED NETWORKS AND THE RISKS OF CENTRALIZED MANAGEMENT
The shift towards mobile and contactless services has led to the proliferation of devices and endpoints connected to hotel networks. From mobile check-in kiosks to smart room controls, each device is a potential entry point for cybercriminals. Cyber technology investment doesn’t alleviate the need for governance and oversight to help properties embrace a secure-by-design culture. The independent operating nature of each hotel can create scattered networks, though it’s an opportunity to think about how best to centralize management of all properties across a brand. A breach to one is a breach to all.
Implementing centralized network management solutions can appear to streamline security efforts by enabling IT teams to monitor and control all network-connected devices from a central dashboard. However, centralized management can make systems more likely to fall to a cyberattack as there is a single point of total failure if, and when, a network is breached. To maximize security but minimize these risks, hotels should employ a defense-in-depth approach with multiple layers of security capable of protecting against breaches and lateral movement across the network.
Hotels may choose to keep that process in-house or outsource for additional security skills, capacity, and sustainability. The people, processes, and technology of hotels and the corporate environment are becoming more intertwined, along with the important third-party vendors that bring technology into their networks. Continuous digital monitoring of confidentiality, integrity, and availability of traveler and corporate data can be very expensive to sustain if it’s difficult to determine which data brings valuable insight versus additional noise. The people and process skills required to navigate a rapidly evolving digital environment also are difficult to scale. Partnerships are becoming critically important to alleviate burnout and help hotels compete for talent locally, with a predictable digital resilience operating model that can continuously defend the business from known and unknown threats.
BALANCING ACCESSIBILITY AND SAFETY IN PHYSICAL SECURITY
Physical security is an increasing concern and a vector threat actors continue to exploit. Mobile keys, for instance, rely on Bluetooth or near-field communication (NFC) technology, which can be susceptible to unauthorized access if not properly protected.
The challenge lies in finding the right balance between accessibility and safety – 80% of guests want mobile technology used in hotels, making mobile a prime attack surface. Balancing the traveler experience with compliance, privacy, and threat risks is a continuous conversation in governance committees. Organizations may have policies, but ensuring adherence to policy can be the difference in property hygiene. Protecting mobile keys should require multi-factor authentication and encryption, but can we verify we have 100% compliance in achieving that across each hotel?
Physically speaking, hotels may choose to divide their property into access zones with varying levels of security. For example, guest rooms and public areas may have different access controls. Similarly, hotels should provide separate, secure Wi-Fi networks for guests and staff. Guests should have easy access to the internet without compromising the hotel’s internal network. Strong authentication, such as requiring a room number and/or unique access code, can prevent unauthorized users from joining the network.
THE WAY FORWARD: A HOLISTIC APPROACH
In the era of mobile and contactless services, security isn’t a one-size-fits-all solution. Instead, it demands a holistic approach encompassing training, technology, and vigilant monitoring. To avoid placing travelers’ brand loyalty or trust in question, hotel customer experience leadership teams must address their digital resilience posture.
By continuously educating staff, centralizing cyber governance supported by executive leadership, and prioritizing physical security measures, hotels can embrace the benefits of mobile and contactless services while safeguarding their guests’ privacy and data.
Kory Daniels is chief information security officer (CISO) at Trustwave. Prior to that, he served as the global director of cyber defense consulting.