JOHANNESBURG, 31 July 2018 – The hospitality industry is a prime target for cyber threats as hotels offer many opportunities for hackers and other cybercriminals. Hotels are targeted because they hold a host of personal and financial information on their guests, as well as other sensitive data, such as payment card information.
According to PwC’s Hotels Outlook report, 2018-2022, the hospitality industry has the second-highest number of cybersecurity breaches after the retail sector. Most of the industry’s prominent hotels have fallen victim to cyber breaches. These are some of the key cybersecurity and data privacy risks highlighted in the report.
Kris Budnik, Cyber Lead for PwC Africa, says: “Worldwide, hotels are in the spotlight due to recent high-profile security breaches. Companies’ trust, confidence and reputation are put at risk. In addition, the legal risks are significant. The last two years have been particularly worrisome for the hotel industry with a number of high profile breaches taking place and if we look at this trend it is not going to get better.”
PwC’s latest Privacy and Security Enforcement Tracker shows that regulators are coming down harder on businesses because of the breaches. This is shown by the significant increase in the number of financial penalties imposed on businesses that have failed to safeguard information in the last five years.
To compound matters further for companies that handle large amounts of customer information, government efforts to curb the threat of data breaches inevitably leads to more regulation. The legal and regulatory issues are just one aspect of the consequences of the poor implementation of cybersecurity and privacy. Businesses also need to think about trust, confidence and brand health as well as reputation.
The EU has adopted the General Data Protection Regulation (GDPR), which fundamentally changes our perceptions of how personal data should be handled in business. The GDPR will also have a global effect as businesses offering goods and services to EU residents fall within its broad territorial scope. South Africa’s Protection of Personal Information Act (POPI) is expected to come into force in the next year, giving companies a year to comply. In the interim, the Regulator is not taking a wait-and-see approach, but actively responding to privacy complaints and asking businesses to investigate and remediate.
Under the GDPR, regulators are able to impose fines on companies of up to 4% of group annual worldwide turnover and up to R10 million under POPIA per breach. Both pieces of legislation also enable individuals to pursue civil liability claims for the misuse or breach of personal information.
The litigation risk alone warrants the attention of the C-suite. It is essential that executives understand where to look for the biggest exposures and how to correct their approach to cyber and data security.
PwC’s 2018 Global State of Information Security Survey (GSISS), which surveyed 9500 executives in 122 countries, found that 59% of leaders say digitisation has increased information security spending. Simply put, these leaders anticipate cyber-attacks against their automation and use of artificial intelligence.
The same survey found that the top sources of security breaches at their organisations were current employees (30%), former employees (27%), and unknown hackers (23%). The main attacks reported by the executives surveyed were customer and employee records being compromised, as well as the loss of internal records.
The bittersweet irony of the increased attack surface for criminals and internal employees, who may be fraudsters, is that the gathering and processing of personal data can, and is, used by businesses to streamline and provide better experiences for their customers. What should be an exercise in improving customer trust and loyalty ultimately becomes an exercise in increased reputational and bottom-line risk.
Hotels need to take a holistic view of the value chain from how guests place bookings, check-in interaction with facilities, checkout, recommend and everything that happens in-between (such as records management, technology and surveillance) to identify key cybersecurity and privacy exposures and how these will be addressed.
Budnik explains further that in order to bring together the interests of economic advantage, risk management and legal compliance, organisations need to develop an appropriate vision for their desired end state. Only once that vision, which takes into account an entity’s special characteristics as well as the views of all stakeholders, can a strategy be developed that will put in place effective structures. “As awareness grows, we are rapidly approaching a tipping point when organisations realise they have no choice. They have to do much more to tackle the cybersecurity and privacy risks they face and live up to the expectations that society places in them.”