Your Weakest Link in Data Security? Your Employees
Why the people inside your business are your biggest threat and how to train them to better protect your guests' data
By James Lefcakis, President, LEFCON, LLC | November 01, 2020
No matter the industry, there are a few things that remain constant. Data is represented in 0s and 1s, and can be transmitted over a little wire into the back of the computer, or over a cool, fancy Wi-Fi connection on a network labeled "ADMIN ONLY" or "BACK OF HOUSE NETWORK". What we call our "secure network" is only a click away from being exposed by someone in a department within the hotel just trying to do their job. This could come from a housekeeping staff member shopping for vacuum bags or a senior sales associate confirming a group reservation via email.
It's never our associates' intent to be the threat; it's just a factor of our business. Let's use the home security analogy: you spend hundreds if not thousands of dollars on a security system for your home, with cameras, alarms, apps, etc. Yet when someone knocks on your front door, you tend to open it, and sometimes you let that person right in. That's how security is put at risk in hospitality: we kindly open our doors to strangers in many different ways. We spend thousands of dollars on PII/PCI and data security, and we may not know what it all means.
It's also easy to think of this issue from the heart of a hotelier. This is an industry of people who are pre-conditioned to help. If a client asks us to click on a link to help them plan an event, if a guest needs the front desk to click on a link to receive payment, or if an associate sees a note from a person they trust asking them to do something, all of these things are opportunities for a scam. But hospitality is not an industry that questions before it helps; it just helps. This is both what makes this industry so special and what puts it so at risk. But no one is immune: in 2019, 65 percent of organizations in the United States experienced a successful phishing attack (Proofpoint 2020).
It's easy to assume that if you are one of the larger hospitality companies, you are receiving threats to your data security on a regular basis. But the further you dial into individual properties, specifically unaffiliated independents, the greater the risk that your own associates will not know how to handle a data threat. Scam artists know that line-level associates are often overlooked while corporate systems, finance and operational managers are trained to recognize larger dangers. The more people in your company, no matter how large or small, who are trained on compliance and Safety Awareness Training, the safer your data will be.
Compliance training for all associates can seem costly up front. Oftentimes hotels will choose to train only a portion of their employees to save incremental dollars. But before you cut back on training associates, consider who interacts with data. It's not just the front desk and the sales team: your housekeeping staff needs to access the system to check in rooms, your director of finance has purchase records, and your general manager's assistant sees guest information when they send a VIP gift. Also, does your hotel feature communal computers for employees?
If so, each person uses that computer with their personal email address, which exists outside of your secure firewall. No matter what systems you've put in place to protect your company email systems, those outside systems don't feature the same protection, so teaching employees to recognize when their own email looks dangerous is one of the best things you can do for your business.