ONTARIO, CANADA—Cyber breaches are a huge security concern for the hotel industry—but they’re not the only security concern.
“The industry has seen its fair share of cybersecurity breaches over the last few years and while it is absolutely essential that hotels have their cybersecurity protections in place, they often forget about the more common threats—particularly around physical information security,” said Ann Nickolas, senior vice president of sales for Stericycle, the provider of Shred-it information security services.
Shred-it is a global information security service provided by Stericycle Inc.
Among the services available to hotels are document destruction, hard-drive destruction, media destruction (for example, hotel keys or USB keys), on-demand paper shredding and specialty shredding. Shred-it also works with hotels to help implement the company’s Workplace Privacy Policies, such as the Shred-it All policy, which encourages employees to prioritize information security at all times by making sure all documents are disposed of in a Shred-it container rather than the garbage or recycling bin.
One of the challenges hoteliers are facing today in terms of data security is the failure to identify information as confidential. For example, a booking confirmation may not be flagged internally as a confidential document that should be destroyed even though it does contain personal information.
“Another challenge is the strong focus on cybersecurity,” said Nickolas. “While it is of course important to ensure that online data surrounding hotels and their guests is protected, it’s just as essential to implement strategies that protect physical information as well.”
For Shred-it’s hotel clients, the aim is to help these businesses stay compliant with the latest laws around protecting consumer data and confidential information, such as FACTA or Payment Card Industry (PCI) Security Standards, noted Nickolas.
“With the numerous laws that protect customer identities, financial data and personal privacy, we help our customers recognize the risks when handling physical data and ensure that they have the proper disposal methods in place,” she said. “A great place to start is conducting a risk assessment to identify a hotel’s information security strengths and weaknesses. This process of reviewing current policies shines a light on any gaps in your information security system and allows hotels to update protocols and policies, thus mitigating risk.”
Consumers are more conscious than ever before about their personal data and information security, and it has become a major factor in the hotel booking process.
“A recent survey showed that 77% of Americans say data protection is important to them when deciding which hotel to book,” she said. “Since hotels collect and store customers’ financial data, there is a responsibility to follow the regulations in place when it comes to this personal information. It can be tough to keep track of these ever-changing regulations, including the European Union’s General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act, and the Sarbanes-Oxley Act, and partnering with Shred-it can help to ensure that their disposal practices are compliant across the board.”
Shred-it can also help hotels implement new policies and procedures that strengthen their physical security. One example is a Clean Desk Policy, which outlines how employees should secure all information at their desks when they are not there, including locking up documents and computer screens. In a hotel, for example, this eliminates the risk of stolen information or visual hacking at the front desk.
Additionally, Shred-it will work with hotels to develop policies to limit employee access to certain areas that house confidential information, such as providing only managers access to storage rooms with customer files.
Did you know? There’s a disparity between resources spent on cybersecurity and physical security, opening the door for more issues.
“Nearly one-third of hotels (32%) admitted they have no known policy for storing and disposing of documents,” she said. “When you think about the type of information customers provide to hotels (including passport photocopies, driver’s licenses, credit card information, rewards numbers, etc.), as well as the growing number of documents that the hotel itself collects, it seems a bit unsettling that these policies are not in place. To put it simply, if a process is not in place to dispose of paper documents after a specific amount of time, those documents could sit in an unlocked cabinet for years, increasing the chances that they could fall into the hands of someone with nefarious intentions.”
A lack of employee training and negligence can further expose a hotel company’s data. Nickolas found 47% of business leaders noted human error by an employee had caused a data breach at their organization.
“Employees can be a hotel’s greatest security asset if they put the right training and policies in place,” she said. “A Clean Desk Policy and a best practices policy for storing documents, combined with a Shred-it All Policy can provide employees with the tools they need to be a security force in their workplace. Another aspect of employee negligence in hotels can be tied to the industry’s frequent employee turnover. According to the Bureau of Labor Statistics, there is a turnover rate of 73.8% in the hospitality industry, which can make it difficult for hotels to keep up with training all employees. Implementing a security training program into the on-boarding process for every employee—from management to housekeeping—is a good way to ensure the turnover doesn’t impact your hotel’s information security.”
Nickolas advises hoteliers to keep up with consumer expectations—and safeguard data—early on in the customer journey.
“While the first touchpoint for a consumer with a hotel is typically online, the first impression when a customer walks into the hotel is arguably more important as they likely have multiple sensitive documents, such as passports and credit cards, with them,” she said. “When the guests arrive at the hotel, there are actions you can take to keep up with consumer expectations for information security. Having employees be easily identifiable with a name tag and uniform allows guests to feel safe knowing the person helping them is really an employee. Providing lockable cabinets and safes in the hotel room is another move that shows the hotel is invested in protecting customer information. Business travelers, in particular, often travel with sensitive documents; therefore, providing a secure place for them to store and dispose of those documents throughout the premises, such as business centers and conference rooms, will make customers feel safer about their information.”