<- Back

Cybersecurity 101: Best Practices for Hotels

Chris Adams
August 11, 2023

There are so many different skills that go into successfully owning or managing a business in the hospitality industry. Customer service, innovation, marketing, and even event planning are all valuable tools in your toolbox. Unfortunately, cybersecurity and IT security are two areas that don't often make most people's top ten, but effective hotel cybersecurity is something that you can't afford to overlook. We have a handful of hotel cybersecurity best practices that we will cover that will take you from under protected to a much more secure footing in the least painful way possible.

Why Cybersecurity Is Essential

Ransomware - Personal files are encrypted

Most owners and managers stop thinking about computer systems right after they think of their reservation system or hotel wifi. Your more forward-thinking properties may have even contracted with hotel revenue management services to ensure they're getting the maximized value for their rooms across all bookings, but outside of maybe an employee or facilities management system, not many places are deploying much more than that.

Thinking that a lack of connected systems means that you don't have to worry about cybersecurity is a dangerous mistake. Even with just those few that we listed, there are a substantial number of risks that you are facing, and the average hotel actually has more than that.

In 2018, a Marriott property detected suspicious activity in their reservations database. The investigation identified two separate types of malware that were used by cyber attackers to gain access to the system and compromise guest data and other sensitive information. All told, the data breach resulted in the loss of guest information and identity details of over 300 million customers.

Marriott is far from the only hotel chain to be affected by a major data breach, and other attacks like ransomware attacks can be utterly devastating to property management systems and other operations. Aside from system downtime and the possible civil liability for losing guest information, you also have to consider the reputational damage of suffering a cyber attack and being seen as having lax security measures in place. In a world where the majority of people are using credit cards as their primary payment method, wise guests are going to think twice about staying at a place with a poor reputation for cybersecurity

DarkHotel Hacking

Unlike some of the more traditional cyber attacks that we just discussed, DarkHotel hacking directly targets high-level guests at hotels and is something that deserves its own segment. In these attacks, cybercriminals locate their target's travel plans and preemptively hack into their hotel's wifi network. They then lay in wait for the target to access the network and then compromise their device to exfiltrate sensitive information or take other action. This is especially concerning because those high-level guests like government officials, C-suite level executives, and celebrities can cause a major hit to your reputation if they end up victimized at your property.

Regulatory Standards


Another area that is sadly often overlooked in the hospitality industry is that of regulatory compliance. Many folks fail to realize that there are more than a few cybersecurity regulations that apply. Some of the major ones are the GDPR and PCI-DSS.

While many locales have implemented or are considering laws that require certain protections in place for businesses that handle citizens' sensitive information, all hotels process credit card information on some level even if they use a vendor to accomplish this on their behalf. That means that they must comply with the guidelines of the Payment Card Industry Data Security Standards (PCI-DSS). Payment card information is a prime target for hackers and a failure of your cybersecurity to meet those standards will add regulatory fines to the costs of recovering from any data breach.

Cybersecurity Mainstays

We've put together a list of some of the top hotel cybersecurity best practices to combat this rising trend of cybercrime and better secure your networks. While none of these suggestions is a magic pill to solve all of your worries, putting a fair number of them into place can go a long way toward making your company a much less desirable target.

Risk Assessments

Before settling on the specific security measures that you intend to put in place, you first have to analyze where you stand. Once you have evaluated your current risk profile, you can then figure out a plan to improve your stance. Risk assessments should also be a recurring part of your cybersecurity program to track improvements and guide your program moving forward.

Encrypt All Data

Regardless of any holes that your risk assessment may find, every enterprise should make a point of using encryption on all of their data and definitely on their sensitive information or guest data. Encryption goes a long way towards limiting the damage of a data breach when all the hackers get is a nonsensical jumble of characters.

Ensure Compliance With NIST SP 1800-27

NIST has laid out a set of standards for property management systems specifically as a response to the large number of attacks against hotel systems. It even provides a detailed layout for building out your system architecture in a more secure manner. Whether you do this yourself or hire a cybersecurity expert to handle it for you, meeting these standards can make your network truly formidable.

Purchase Quality Cybersecurity Software

Computers protected

Antivirus, anti-malware, firewalls, and access control and monitoring programs should all be on the table. Finding a software suite or at least programs that integrate well together can transition a fragmented approach into overlapping layers of security that can really improve your resiliency to a cyber attack or at least minimize the time that one goes undetected.

Consider Penetration Testing

All of these hotel cybersecurity best practices are useless if you don't test them in the real world. Surprise penetration testing by a reputable firm puts your network through a real attempt at a breach and gives you a detailed report on your performance at the end.

Invest In Cyber Insurance

When all else fails, good insurance can be the difference between a bump in the road and bankruptcy. Insurers may have their own cybersecurity requirements above and beyond what we've mentioned, but you have business insurance for a reason. Experiencing a cyber incident is more common than not, and protecting your business is your priority.

At Bridgetown, we provide premier hotel revenue management services. Our goal is to maximize your sales, ensure parity, and capitalize on all opportunities by using our vast experience and market knowledge to guide your approach. From strategic planning to sales manager support, we can provide virtually any assistance you need to exceed industry trends. Contact us today to see what our team can do for you.