How Mobile Apps and Cyber Security Affect Your Operation
By Marc Stephen Shuster, Partner, Berger Singerman | January 08, 2017
Co-authored by Andrew Hinkes, Partner, Berger Singerman
Cyber threats seized the spotlight in 2016. From enterprise data breaches costing millions, to the emergence of fraud and hacking as an on-demand service, to the politically inspired interception and disclosure of the US Presidential campaign's emails and, some have alleged, the hack of the election itself, cybercrime emerged from the realm of cyberpunk fiction and established its place as a mainstream social, economic, and political force in 2016. The rise of hacking has been driven by three factors: the pervasive use of network-driven technology, the use of aggregated electronic data by companies, and the fluid resale market for stolen personal, financial, and healthcare information.
As the hacks of Trump, Starwood, Hilton, Mandarin, and Hyatt clearly demonstrate, the hospitality industry is near the top of hackers' lists. Why? Hotels aggregate and share valuable data about their customers. Beyond payment information common to all e-commerce, hotels aggregate data about their guests that may include medical information (guest food and environmental allergies, alcohol consumption, use of gym and spa facilities, requests for medical assistance), reputational information (damage to rooms, grant of guest access to others), logistics information (arrival and departure time, on-site transportation bookings), and information regarding third parties (potentially through access to guest social media and email systems accessed on guest devices through hotel wifi). For hotels that pride themselves on service, privacy, and discretion, the loss of consumer trust caused by a data breach or a hack of guest information can shatter the brand's reputation and impact the bottom line.
However, as long as consumers demand increasing convenience and access, hospitality retailers and service providers will continue to innovate. The recent trend in the hospitality industry is toward increasingly sophisticated mobile applications, leveraging the power of the ubiquitous mobile device. Unlike other data-centric business sectors, however, hospitality traditionally has not invested heavily in IT, which may result in continued reliance upon neglected and vulnerable systems. Efforts to secure user-facing devices (like computer kiosks, in-hotel wifi networks, and company web sites) are no longer sufficient, as data repositories are shared and accessed by vendors on a variety of access devices and platforms. Hackers have adapted and now focus their attacks on less secure, non-PC devices like routers, networked photocopiers, and IoT-enabled or automated utility devices, and then leverage that access from within the network to reach otherwise secured devices that store consumer data and financial information. Even well-defended networks remain vulnerable to social networking, or the theft of access credentials from trusted partners, including vendors. Thus, cyber security, once viewed as a cost center for IT departments to manage, has emerged as a primary business imperative, critical to maintaining customer trust and avoiding regulatory criticism and significant legal exposure.
Potentially compounding these risks is the emerging demand for mobile applications and streamlining of the guest experience through guest-directed automation. Increasingly, mobile applications are used by hotels as the keystone for the customer experience. Mobile-app-driven or kiosk-mediated check-in and check-out are becoming commonplace. Some mobile applications allow smart devices (using Bluetooth or NFC communication protocols) to function as door keys, granting (and limiting) access to guest rooms or designated hotel amenities. Those mobile apps may also allow guests to customize their hotel room environment (by controlling room temperature and lighting and, in some cases, pre-ordering bonus amenities). Hotels, eager to monetize these new platforms, have begun to exploit the marketing potential of these applications, suggesting local vendors and activities to guests based upon activity profile, demographic information, and geolocation data collected and provided by the application using location-specific beacons.
While mobile applications may enable an unprecedented guest experience and create efficiencies and cost savings for the hotel, these applications invite serious security concerns. Mobile application development varies significantly from that of traditional software; apps are intentionally easier to develop, which has encouraged less experienced developers to quickly bring to market offerings which may not have been as extensively tested as traditional software. Some developers, perhaps lacking a security background, may rely on unsecured or untested code libraries, or simply lack appropriate experience and knowledge to create apps with security in mind. Although most major companies invest heavily in their consumer outreach, many well-known brands have published and widely distributed mobile applications with major security vulnerabilities.