Safeguarding the Guest Experience from Hotel Cyberattacks
By Emily Loupee, Area Senior Vice President - Real Estate & Hospitality, Gallagher & Co. | April 14, 2019
Co-authored by Matt Gullickson, National Resource, Arthur J. Gallagher Risk Management Services, Inc.
The hospitality industry is designed to cater to the guest, and technology has only pushed the concept of providing the ultimate guest service further. From robots that deliver luggage to rooms to concierge chatbots that are available 24/7, there is an ever-increasing number of touchpoints between hotel guests and technology. While these offerings are meant to make a guest's stay more convenient, they also leave the hotel vulnerable to cybercrime that could put their guests' safety and privacy in jeopardy.
In this article, we will explore the rise of the Internet of Things (IoT) and artificial intelligence (AI) in the hotel industry, and how the shift toward smart devices in hotel rooms is expected to soon become the norm. While guests appreciate the ease and luxury of these devices, hotels face serious cybersecurity risks if these products are not secure. It is a hotel's responsibility to take the necessary actions to protect its guests' privacy and personal data, and that starts with understanding smart devices. Doing the research on any IoT or AI products for the hotel, talking to IT and cybersecurity experts, and making knowledgeable, thoughtful decisions will go a long way in preventing cyberattacks.
Unfortunately, it is no longer a matter of "if" an IT network or system will be cyberattacked, but a matter of "when." The hospitality industry is particularly attractive to hackers because of the many ways it uses technology to improve the guest experience. Hotels also collect a wealth of personal and private data on their guests, from credit card and passport information to allergies and the number of people in a room.
What makes AI and IoT products so difficult to protect against hackers is that they are often seemingly benign products like smart lighting, drapes and thermostats, which do not seem to possess any inherent threat. However, once they are connected to Bluetooth or the Internet, they all become potential gateways for hackers. Hotels, and the broader hospitality industry, must weigh the risks versus rewards of incorporating AI and IoT devices into the guest experience. Perhaps avoiding convenience technology altogether is the answer. But that's not how the hospitality industry works. Just check out any list of 2019 trends for hotels, and technology is often in the top spot. Guests expect hotels to take advantage of the latest technology, or the hotels risk being considered antiquated or passé.
Even bed-and-breakfasts and boutique hotels understand that while guests might not stay at their hotels for a high-tech experience, they must at least offer guests complimentary Wi-Fi. This is an example of how guest expectations have turned what was once a bonus amenity, and a way to stand out from the competition, into a standard and expected requirement.
Today, major hotel chains are beta-testing high-tech concept rooms built entirely around the IoT. Smart technology is embedded into almost everything, including the mirror, art frames, showers and faucets. Technology that knows when you're out of bed and turns on lights to create a path to the bathroom or sensors that can tell how many people are in the room and adjust the oxygen in the room accordingly are just a sampling of the new technological benefits in hotels.
Of course, there are many instances when technology improves security. One Gallagher client, a major hotel chain, has been rolling out digital keys at various locations. While a digital key does not exactly fall into the AI or IoT categories, it does represent the digitalization of a "traditional" item, the plastic hotel swipe key. The hotel believes digital keys will gain in popularity and even cites security as a benefit over the plastic swipe keys. For example, some magnetic key cards can be copied and read wirelessly. Physical theft is also a risk, as many guests keep their room numbers and keys together for convenience. A smartphone has a phone lock and the digital key app requires a separate login. From that perspective, the hotel doesn't view the digital key as an increased risk.
Nevertheless, tech security experts reportedly found ways to hack the digital keys. Using an antenna, they captured the transmission the phone app sends to the hardware lock to trigger the mechanism that unlocks the door. Once they have that transmission, it can be replayed later to unlock the door. Cyberattacks are increasingly sophisticated and will take advantage of any weakness. For example, there was a report of hackers who gained access to a casino's high-roller database by hacking the thermometer of a fish tank in the casino lobby. If something as innocuous as an unprotected aquarium thermometer can lead to a serious cybersecurity breach, how can hotels possibly protect themselves and their guests?
It begins with being knowledgeable. Cybersecurity experts advise that before making any AI or IoT upgrades, it is imperative to research the products' history and security capabilities. Understanding how AI or IoT products could be used as potential entryways for hackers is the first step toward preventing that threat.
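One security capability worth asking a digital key vendor about is replay protection, given the captured-and-replayed transmission described above. The following is an added example, not code from any lock vendor or from the article's authors: it models a lock that accepts a fixed unlock message beside one that requires a response to a fresh, single-use challenge. The class names, the HMAC-SHA256 construction and the room identifier are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

class StaticTokenLock:
    """Weak model (assumed): the unlock message is the same every time."""
    def __init__(self, key: bytes, room: str):
        self._expected = mac(key, room.encode())

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._expected)

class ChallengeResponseLock:
    """Hardened model (assumed): each unlock answers a fresh, single-use nonce."""
    def __init__(self, key: bytes, room: str):
        self._key, self._room, self._nonce = key, room.encode(), None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None  # consume the nonce either way
        if nonce is None:
            return False                        # no challenge outstanding
        return hmac.compare_digest(response, mac(self._key, nonce + self._room))

def demo() -> dict:
    key, room = secrets.token_bytes(32), "room-0000"  # constructed sample values
    results = {}
    weak = StaticTokenLock(key, room)
    captured = mac(key, room.encode())          # what the guest's phone sends
    results["static_guest"] = weak.unlock(captured)
    results["static_replay"] = weak.unlock(captured)  # same bytes, sent later
    strong = ChallengeResponseLock(key, room)
    captured = mac(key, strong.challenge() + room.encode())
    results["cr_guest"] = strong.unlock(captured)
    strong.challenge()                          # lock issues a new nonce
    results["cr_replay"] = strong.unlock(captured)
    results["cr_unsolicited"] = strong.unlock(captured)
    return results

if __name__ == "__main__":
    print(demo())
```

The fixed-message lock opens for the recorded bytes every time, while the challenge-response lock rejects them once the nonce has been consumed or replaced.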
Experts also advise taking inventory of all the AI and IoT products a hotel uses and putting in place security measures for each of them. For example, it is highly recommended that AI and IoT devices not be on the same network as other critical systems, such as the reservation system. Putting in place a dedicated Wi-Fi channel or router for AI or IoT may not prevent a hacker from gaining access to those devices, but it will prevent those devices from being used as gateways.
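The inventory and separation advice above can be checked mechanically. The following is an added example, not part of the original article: it audits a device inventory for IoT devices that share a network segment with critical systems, and for devices that fall outside every documented segment. The device names, addresses, role labels and segment layout are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample inventory and segment plan (assumptions, not real data).
INVENTORY = [
    {"name": "reservation-db", "ip": "10.10.1.10", "role": "critical"},
    {"name": "payment-gateway", "ip": "10.10.1.20", "role": "critical"},
    {"name": "lobby-thermostat", "ip": "10.10.1.77", "role": "iot"},
    {"name": "room-214-smart-mirror", "ip": "10.20.3.14", "role": "iot"},
    {"name": "concierge-kiosk", "ip": "10.20.3.50", "role": "iot"},
    {"name": "unlabelled-sensor", "ip": "192.168.50.9", "role": "iot"},
]
SEGMENTS = {"back-office": "10.10.1.0/24", "guest-iot": "10.20.0.0/16"}

def segment_of(ip: str, segments: dict):
    """Return the name of the documented segment containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in segments.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def audit(inventory: list, segments: dict) -> list:
    """Return sorted (finding, device, segment) tuples.

    'shared-segment': an IoT device sits in a segment that hosts a critical system.
    'unmapped': a device is outside every documented segment (inventory gap).
    """
    roles_by_segment = defaultdict(lambda: defaultdict(list))
    findings = []
    for dev in inventory:
        seg = segment_of(dev["ip"], segments)
        if seg is None:
            findings.append(("unmapped", dev["name"], None))
        else:
            roles_by_segment[seg][dev["role"]].append(dev["name"])
    for seg, roles in roles_by_segment.items():
        if roles["critical"]:
            findings.extend(("shared-segment", n, seg) for n in roles["iot"])
    return sorted(findings, key=lambda f: (f[0], f[1]))

if __name__ == "__main__":
    for finding in audit(INVENTORY, SEGMENTS):
        print(finding)
```

Sharing a subnet is only a proxy for reachability; routing and firewall rules between segments still need to be reviewed separately.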
In addition, while it may be tempting to cut costs when purchasing these devices, the least expensive options often have minimal or no security defenses. When hotels are planning to install AI or IoT devices, a significant security investment should be included in the budget.
Once the devices are selected, they should be tested prior to installation. Testing devices in an isolated environment will help hotels identify potential risks, areas of sensitivity and how the devices might interact with the hotel's existing systems. Along with budgeting for costs, hotels should take into consideration the time it will take to properly install and test all devices before they go live.
Another area of investment for hotels is employee training on how to prevent cybersecurity breaches. Everything from how to avoid falling victim to an email phishing scam to mandatory password updates is critical to preventing cyberattacks. However, mistakes happen. For example, one Gallagher hotel client found themselves facing liabilities after an employee inadvertently sent a spreadsheet that included credit card numbers to a public-facing email listserv. While that was human error, there are also cases when employees purposefully steal private information. One such event occurred when a Gallagher hotel client learned that one of its employees was stealing guests' credit card information.
The scheme was uncovered when a guest notified hotel management that the employee behind the counter had asked for the person's zip code when running the credit card. The guest thought it was an odd and unnecessary request. Sure enough, when hotel management checked security footage it showed the employee taking photos of credit cards with a smart phone while chatting with the guests.
While this was not a cybercrime, it was still theft. It's also an example of why it's so important for hotels to have broad cyber insurance coverage that includes aspects such as privacy liability, which would cover malicious and negligent activities of employees. A hotel industry insurance professional can help hotels make informed decisions on the right policy for them.
It's also important to make sure cyber policies are regularly reviewed and updated. Technology evolves incredibly fast, and it can be a challenge to make sure current policies align with the latest tech offerings. It's no longer enough for cyber insurance to cover breaches that steal guests' personal information. Now, cyber insurance must be broad enough to cover exposures from chatbots, AI, IoT products and other smart devices.
With all the potential risks, it may seem like an obvious decision for hotels to invest in cybersecurity and cyber liability coverage. Hotels, however, often have at least three separate entities – an owner, a hotel management company and a hotel brand – that oversee different aspects of the hotel. With different parties to satisfy, it can become complicated discussing cybersecurity, which is not always easily understood. Take, for example, the viewpoint that the early adoption of AI is a differentiator for hotels and a way to stand out in a crowded market. Another viewpoint might be to wait and see if other early adopters experience any pitfalls from these AI products and learn from those mistakes.
Knowing it might be a challenge to come to a consensus on what a hotel's cybersecurity and cyber liability coverage looks like, it is important that those in the hotel industry take the time to understand exactly what they're providing their guests when it comes to AI and IoT devices. It all comes down to being knowledgeable about the products. With all this incredible technology and the exciting new ways to enhance a guest's experience, it is important not to lose sight of all the behind-the-scenes necessities – investing in cybersecurity, having cyber liability coverage in place, training employees – that make using the technology as safe and secure as possible.
HotelExecutive retains the copyright to the articles published in the Hotel Business Review. Articles cannot be republished without prior written consent by HotelExecutive.