Data Security in Hospitality and Travel: A CISO’s Playbook—Part 1

Published On: August 16, 2023
Categories: Blog

In the dynamic worlds of travel, hospitality, and entertainment, securing customer data is more than a priority—it’s central to business continuity. With assets like credit card details and loyalty data constantly in the crosshairs, these industries remain hotbeds for cyber criminals.

Meet Stan Kreydin, a seasoned expert who has held notable roles as CISO for Travel + Leisure, Co. and Global Chief Technology Officer at Wyndham Worldwide. Now the Founder of Resogy, a fractional CISO, CTO and cybersecurity advisory service, Stan’s depth of experience offers a unique perspective into the data security challenges these industries face.

1touch.io recently sat down with Stan in a webinar titled “Protecting Customer Data in Hospitality, Travel & Entertainment.” There, he broke down the industry’s complex data security landscape, sharing hard-won lessons and strategies honed from his years in the trenches.

What follows is a consolidated Q&A from the webinar that distills Stan’s insights into a hands-on guide straight from the frontlines of data security. In this three-part blog series, Stan shares battle-tested strategies, serving as a go-to playbook for every CISO in the hospitality, travel, and entertainment sectors. Today, Stan tackles the industry’s complex threat landscape and lays out foundational strategies for robust data security.

The Changing Threat Landscape of Travel and Hospitality

What are the primary vulnerabilities in the hospitality industry, and how can they be mitigated?

Stan: The industry is based on a continuum of touchpoints with the customer throughout their journey. This journey—from inspiration to post-stay engagement—relies on a mix of solutions, often distributed between in-house and third-party managed services. In this vertical, resource constraints frequently lead to underinvestment in cybersecurity. This underinvestment often stems from the business’s nature: tight margins and diverse revenue models ranging from vacation rentals to hotels. As a result, we often see a highly fragmented platform, support, and data ecosystem—mostly in third-party hands.

5 Key Areas of Concern for the Travel and Hospitality Industry

Considering specific risks, let me highlight the five key areas of concern that the travel and hospitality industry should be particularly wary of:

1. Ransomware: The dispersed nature of the industry means businesses often lack control over all endpoints, making them more vulnerable. In the face of potentially limited protective and detective investment capabilities, companies need to develop reactive and remediation measures. In this case, process matters as much as technology, as decisions will need to be made quickly and communications and actions taken, involving third parties as well.

2. Third-Party Vendors: The hospitality industry leans heavily on third-party vendors, sometimes for core business functions. The risk profile is amplified based on how these third parties are managed, or sometimes mismanaged, with security often being an afterthought and/or only being considered during the initial diligence/contract phase of an engagement.

3. Phishing & Social Engineering: These threats manifest in two ways—digitally, in the form of phishing emails/texts, and physically, where cybercriminals try to exploit human interactions. The hospitality industry is especially vulnerable to the latter, with criminals exploiting the customer service-heavy nature of the staff.

4. Wireless and Point-of-Sale Systems: Whether businesses depend on third parties or manage in-house, securing systems for guest services and credit card transactions is crucial. The travel and hospitality industry faces specific challenges here, with several public exploits targeting point-of-sale devices, mainly due to the volume of credit card transactions. Although these compromises might not be as rampant as a few years ago, the risk is ever-present, especially for organizations with limited security investments. Wi-Fi services also present challenges, due to the nature of growing IoT integration as well as third-party-managed systems requiring access to key network segments in order to efficiently run multi-unit properties.

5. Human Risks: This is perhaps the most significant threat. I typically group these into three areas:

    • Turnover: The transient nature of staffing in this sector poses significant risks. The rapid onboarding and offboarding of employees necessitate stringent data management protocols and consistent security awareness training.
    • Insider Threats: The potential for employees to be swayed into illicit activities, like data theft, is real, particularly given the value of the data they might have access to during the course of day-to-day activities.
    • Errors: Human errors, whether it’s sharing information with the wrong party, non-compliant data handling, or configuration mistakes, can lead to significant breaches and unintended consequences.

5 Actionable Tips to Combat Cyber Threats

Here are 5 actionable tips to combat these threats:

1. Endpoint Focus: Prioritize the strengthening of endpoint security to reduce risk and minimize the impact of ransomware and other categories of malware. Invest in contemporary platforms that have a small footprint and can be easily managed. Implement rapid response and recovery plans to address potential breaches and practice them.

2. Active Vendor Management: Develop a thorough vendor risk management process. Regularly review/audit third-party vendor security practices and ensure they meet or exceed industry standards. Recognize that vendor management is a continuum and not a single event punctuated by a contract signing or a service renewal.

3. Phishing & Social Engineering Awareness: Regular training sessions to educate employees on identifying phishing threats and social engineering tactics can substantially reduce risk exposure. Match the training to the company culture, associate location, language, and role. Personalize it and measure its efficacy.

4. Securing Point-of-Sale and Wireless Systems: Whether managed in-house or through third parties, ensure these systems adhere to stringent security standards, with particular attention to PCI DSS compliance for transactional data. Pay close attention to how Wi-Fi is set up and operated, especially if by a third party, and ensure proper segmentation away from sensitive/critical segments.

5. Addressing Human Element Holistically: Create robust onboarding and offboarding protocols, develop mechanisms to detect and counter insider threats, and cultivate a proactive security culture where mistakes are promptly reported and remediated. Integrate failures into training and monitoring. Specific insider threat and behavior modeling platforms exist—choose them carefully, as there may be privacy implications depending on where you operate.

While this list isn’t exhaustive, it’s essential for businesses in the travel and hospitality sector to understand these focus areas and address them proactively. A holistic approach, combining technology, processes, and people-centric strategies, is imperative to mitigate these risks and protect both businesses and their customers.

Foundational Strategies for Data Security in Hospitality and Travel

Given your expertise in building and refining organizational structures, what do you consider to be the foundational elements essential for the hospitality industry to defend against threats?

Stan: First, I cannot stress enough that everything begins with a solid foundation. Without that, every effort to secure data or privacy is like building on quicksand. This foundation doesn’t have to break the bank, but it must be robust and relevant to your specific industry. A one-size-fits-all approach simply won’t cut it. Whether it’s healthcare, retail, or banking, the approach must be tailored to the unique requirements, risks, and regulations of your sector.

Balancing capital and operating expenses is a constant struggle, especially when revenue is impacted and resource constraints increase. Too often, companies invest in new products and services that they underutilize, paying for 100% but using only 25-30%. The key is finding that equilibrium between buying, provisioning new products, and maintaining organizational sustainability—a balance that’s not only cost-effective but also strategic.

Collaboration across various functions of the organization is important. Tight integration with key areas where security and compliance naturally overlap fosters a more cohesive approach. The sourcing organization has a great natural synergy, crucial both for acquiring products and ensuring their sustainability. Legal partnerships, particularly concerning contracts and privacy, are paramount, as they ensure a company’s security and privacy guidelines align with third-party relationships. Often overlooked, a tight partnership between internal audit and operations can also be an untapped potential. Again, company culture tends to dictate tempo and degree of collaboration.

Finally, I can’t stress enough the importance of robust metrics and reporting. Without the right tracking, it’s nearly impossible to gauge where adjustments are needed or where resources should be applied. Metrics guide our way and enable us to respond with agility to emerging threats as well as opportunities.

5 Tips for a Robust Security Foundation

Here are actionable tips to lay a robust security foundation:

1. Establish a Robust Information Security Program: This should be a clear, communicated company and industry-relevant plan. It doesn’t have to be a complex undertaking but should provide a two to three-year roadmap detailing how to mature your operating environment and decrease your risk profile. You must tie it to a framework, otherwise, presenting to executive leadership and/or boards becomes difficult. Often, peer-based industry comparative narratives are a great way to demonstrate maturity and/or investment needs.

2. Balance Between New Product/Service Acquisitions and Organizational Sustainability (Shiny Object Syndrome): Companies often lean into investing in new products and services and tend to de-prioritize operational sustainability. The real challenge is ensuring that all acquisitions are fully utilized, and that the organization can support these new additions efficiently.

3. Forge Tight Integrations with Key Operational Points: The success of any security program, in part, depends on how well-aligned the internal audit, security, and other organizational teams are. In some organizations, these teams are interconnected, while in others, they operate separately. Regardless, achieving seamless alignment is crucial, ensuring everyone is on the same page and moving towards a common security goal.

4. Incorporate Relevant Metrics: It’s imperative to track the success or failures of your initiatives. Without the right metrics, it’s challenging to understand where adjustments are needed, where more resources should be channeled, or where operational risks lie. Keeping an eye on these metrics will give a clear picture of the organization’s risk posture and areas that need focus.

Protecting customer data is a complex task that requires a well-rounded approach. It’s about thinking and acting strategically, being aware of the nuances of your industry, and being relentless in your pursuit of security and integrity. That’s how we stay ahead of the evolving threat landscape.

Closing Thoughts

The insights shared here aim to help you navigate this complex terrain with confidence. It’s not just about managing threats; it’s about leading the way to safeguard your business and maintaining the trust of your valued customers, partners, and associates.

Stay with us for Parts 2 and 3 of our series, where Stan shares expert guidance and real-world lessons on managing third-party risks, maturing vendor relationships, and building resilient frameworks.

For more data protection insights, catch the full webinar here.